--- /dev/null
+From 5abfe85c1d4694d5d4bbd13ecc166262b937adf0 Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Fri, 22 Aug 2014 16:16:05 -0400
+Subject: HID: logitech-dj: prevent false errors to be shown
+
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+
+commit 5abfe85c1d4694d5d4bbd13ecc166262b937adf0 upstream.
+
+Commit "HID: logitech: perform bounds checking on device_id early
+enough" unfortunately leaks some errors to dmesg which are not real
+ones:
+- if the report is not a DJ one, then there is not point in checking
+ the device_id
+- the receiver (index 0) can also receive some notifications which
+ can be safely ignored given the current implementation
+
+Move out the test regarding the report_id and also discards
+printing errors when the receiver got notified.
+
+Fixes: ad3e14d7c5268c2e24477c6ef54bbdf88add5d36
+
+Reported-and-tested-by: Markus Trippelsdorf <markus@trippelsdorf.de>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-logitech-dj.c | 43 ++++++++++++++++++++++++------------------
+ drivers/hid/hid-logitech-dj.h | 1
+ 2 files changed, 26 insertions(+), 18 deletions(-)
+
+--- a/drivers/hid/hid-logitech-dj.c
++++ b/drivers/hid/hid-logitech-dj.c
+@@ -656,7 +656,6 @@ static int logi_dj_raw_event(struct hid_
+ struct dj_receiver_dev *djrcv_dev = hid_get_drvdata(hdev);
+ struct dj_report *dj_report = (struct dj_report *) data;
+ unsigned long flags;
+- bool report_processed = false;
+
+ dbg_hid("%s, size:%d\n", __func__, size);
+
+@@ -683,34 +682,42 @@ static int logi_dj_raw_event(struct hid_
+ * device (via hid_input_report() ) and return 1 so hid-core does not do
+ * anything else with it.
+ */
++
++ /* case 1) */
++ if (data[0] != REPORT_ID_DJ_SHORT)
++ return false;
++
+ if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
+ (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
+- dev_err(&hdev->dev, "%s: invalid device index:%d\n",
++ /*
++ * Device index is wrong, bail out.
++ * This driver can ignore safely the receiver notifications,
++ * so ignore those reports too.
++ */
++ if (dj_report->device_index != DJ_RECEIVER_INDEX)
++ dev_err(&hdev->dev, "%s: invalid device index:%d\n",
+ __func__, dj_report->device_index);
+ return false;
+ }
+
+ spin_lock_irqsave(&djrcv_dev->lock, flags);
+- if (dj_report->report_id == REPORT_ID_DJ_SHORT) {
+- switch (dj_report->report_type) {
+- case REPORT_TYPE_NOTIF_DEVICE_PAIRED:
+- case REPORT_TYPE_NOTIF_DEVICE_UNPAIRED:
+- logi_dj_recv_queue_notification(djrcv_dev, dj_report);
+- break;
+- case REPORT_TYPE_NOTIF_CONNECTION_STATUS:
+- if (dj_report->report_params[CONNECTION_STATUS_PARAM_STATUS] ==
+- STATUS_LINKLOSS) {
+- logi_dj_recv_forward_null_report(djrcv_dev, dj_report);
+- }
+- break;
+- default:
+- logi_dj_recv_forward_report(djrcv_dev, dj_report);
++ switch (dj_report->report_type) {
++ case REPORT_TYPE_NOTIF_DEVICE_PAIRED:
++ case REPORT_TYPE_NOTIF_DEVICE_UNPAIRED:
++ logi_dj_recv_queue_notification(djrcv_dev, dj_report);
++ break;
++ case REPORT_TYPE_NOTIF_CONNECTION_STATUS:
++ if (dj_report->report_params[CONNECTION_STATUS_PARAM_STATUS] ==
++ STATUS_LINKLOSS) {
++ logi_dj_recv_forward_null_report(djrcv_dev, dj_report);
+ }
+- report_processed = true;
++ break;
++ default:
++ logi_dj_recv_forward_report(djrcv_dev, dj_report);
+ }
+ spin_unlock_irqrestore(&djrcv_dev->lock, flags);
+
+- return report_processed;
++ return true;
+ }
+
+ static int logi_dj_probe(struct hid_device *hdev,
+--- a/drivers/hid/hid-logitech-dj.h
++++ b/drivers/hid/hid-logitech-dj.h
+@@ -27,6 +27,7 @@
+
+ #define DJ_MAX_PAIRED_DEVICES 6
+ #define DJ_MAX_NUMBER_NOTIFICATIONS 8
++#define DJ_RECEIVER_INDEX 0
+ #define DJ_DEVICE_INDEX_MIN 1
+ #define DJ_DEVICE_INDEX_MAX 6
+
--- /dev/null
+From c54def7bd64d7c0b6993336abcffb8444795bf38 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Wed, 27 Aug 2014 09:12:24 +0200
+Subject: HID: magicmouse: sanity check report size in raw_event() callback
+
+From: Jiri Kosina <jkosina@suse.cz>
+
+commit c54def7bd64d7c0b6993336abcffb8444795bf38 upstream.
+
+The report passed to us from transport driver could potentially be
+arbitrarily large, therefore we better sanity-check it so that
+magicmouse_emit_touch() gets only valid values of raw_id.
+
+Reported-by: Steven Vittitoe <scvitti@google.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-magicmouse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/hid/hid-magicmouse.c
++++ b/drivers/hid/hid-magicmouse.c
+@@ -290,6 +290,11 @@ static int magicmouse_raw_event(struct h
+ if (size < 4 || ((size - 4) % 9) != 0)
+ return 0;
+ npoints = (size - 4) / 9;
++ if (npoints > 15) {
++ hid_warn(hdev, "invalid size value (%d) for TRACKPAD_REPORT_ID\n",
++ size);
++ return 0;
++ }
+ msc->ntouches = 0;
+ for (ii = 0; ii < npoints; ii++)
+ magicmouse_emit_touch(msc, ii, data + ii * 9 + 4);
+@@ -307,6 +312,11 @@ static int magicmouse_raw_event(struct h
+ if (size < 6 || ((size - 6) % 8) != 0)
+ return 0;
+ npoints = (size - 6) / 8;
++ if (npoints > 15) {
++ hid_warn(hdev, "invalid size value (%d) for MOUSE_REPORT_ID\n",
++ size);
++ return 0;
++ }
+ msc->ntouches = 0;
+ for (ii = 0; ii < npoints; ii++)
+ magicmouse_emit_touch(msc, ii, data + ii * 8 + 6);
--- /dev/null
+From 844817e47eef14141cf59b8d5ac08dd11c0a9189 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Wed, 27 Aug 2014 09:13:15 +0200
+Subject: HID: picolcd: sanity check report size in raw_event() callback
+
+From: Jiri Kosina <jkosina@suse.cz>
+
+commit 844817e47eef14141cf59b8d5ac08dd11c0a9189 upstream.
+
+The report passed to us from transport driver could potentially be
+arbitrarily large, therefore we better sanity-check it so that raw_data
+that we hold in picolcd_pending structure are always kept within proper
+bounds.
+
+Reported-by: Steven Vittitoe <scvitti@google.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-picolcd_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/hid/hid-picolcd_core.c
++++ b/drivers/hid/hid-picolcd_core.c
+@@ -350,6 +350,12 @@ static int picolcd_raw_event(struct hid_
+ if (!data)
+ return 1;
+
++ if (size > 64) {
++ hid_warn(hdev, "invalid size value (%d) for picolcd raw event\n",
++ size);
++ return 0;
++ }
++
+ if (report->id == REPORT_KEY_STATE) {
+ if (data->input_keys)
+ ret = picolcd_raw_keypad(data, report, raw_data+1, size-1);
alsa-hda-add-fixup-model-name-lookup-for-lemote-a1205.patch
alsa-pcm-fix-fifo_size-frame-calculation.patch
cfq-iosched-fix-wrong-children_weight-calculation.patch
+hid-picolcd-sanity-check-report-size-in-raw_event-callback.patch
+hid-magicmouse-sanity-check-report-size-in-raw_event-callback.patch
+hid-logitech-dj-prevent-false-errors-to-be-shown.patch
+xattr-fix-check-for-simultaneous-glibc-header-inclusion.patch
--- /dev/null
+From bfcfd44cce2774f19daeb59fb4e43fc9aa80e7b8 Mon Sep 17 00:00:00 2001
+From: Filipe Brandenburger <filbranden@google.com>
+Date: Fri, 29 Aug 2014 15:18:51 -0700
+Subject: xattr: fix check for simultaneous glibc header inclusion
+
+From: Filipe Brandenburger <filbranden@google.com>
+
+commit bfcfd44cce2774f19daeb59fb4e43fc9aa80e7b8 upstream.
+
+The guard was introduced in commit ea1a8217b06b ("xattr: guard against
+simultaneous glibc header inclusion") but it is using #ifdef to check
+for a define that is either set to 1 or 0. Fix it to use #if instead.
+
+* Without this patch:
+
+ $ { echo "#include <sys/xattr.h>"; echo "#include <linux/xattr.h>"; } | gcc -E -Iinclude/uapi - >/dev/null
+ include/uapi/linux/xattr.h:19:0: warning: "XATTR_CREATE" redefined [enabled by default]
+ #define XATTR_CREATE 0x1 /* set value, fail if attr already exists */
+ ^
+ /usr/include/x86_64-linux-gnu/sys/xattr.h:32:0: note: this is the location of the previous definition
+ #define XATTR_CREATE XATTR_CREATE
+ ^
+
+* With this patch:
+
+ $ { echo "#include <sys/xattr.h>"; echo "#include <linux/xattr.h>"; } | gcc -E -Iinclude/uapi - >/dev/null
+ (no warnings)
+
+Signed-off-by: Filipe Brandenburger <filbranden@google.com>
+Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
+Cc: Allan McRae <allan@archlinux.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/uapi/linux/xattr.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/uapi/linux/xattr.h
++++ b/include/uapi/linux/xattr.h
+@@ -13,7 +13,7 @@
+ #ifndef _UAPI_LINUX_XATTR_H
+ #define _UAPI_LINUX_XATTR_H
+
+-#ifdef __UAPI_DEF_XATTR
++#if __UAPI_DEF_XATTR
+ #define __USE_KERNEL_XATTR_DEFS
+
+ #define XATTR_CREATE 0x1 /* set value, fail if attr already exists */
projects / thirdparty / kernel / stable-queue.git / commitdiff
