--- /dev/null
+From 2bacedada682d5485424f5227f27a3d5d6eb551c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Giedrius=20Statkevi=C4=8Dius?=
+ <giedrius.statkevicius@gmail.com>
+Date: Sat, 27 Dec 2014 00:28:30 +0200
+Subject: HID: Add a new id 0x501a for Genius MousePen i608X
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Giedrius=20Statkevi=C4=8Dius?=
+
+commit 2bacedada682d5485424f5227f27a3d5d6eb551c upstream.
+
+New Genius MousePen i608X devices have a new id 0x501a instead of the
+old 0x5011 so add a new #define with "_2" appended and change required
+places.
+
+The remaining two checkpatch warnings about line length
+being over 80 characters are present in the original files too and this
+patch was made in the same style (no line break).
+
+Just adding a new id and changing the required places should make the
+new device work without any issues according to the bug report in the
+following url.
+
+This patch was made according to and fixes:
+https://bugzilla.kernel.org/show_bug.cgi?id=67111
+
+Signed-off-by: Giedrius Statkevičius <giedrius.statkevicius@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-core.c | 1 +
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-kye.c | 4 ++++
+ drivers/hid/usbhid/hid-quirks.c | 1 +
+ 4 files changed, 7 insertions(+)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1687,6 +1687,7 @@ static const struct hid_device_id hid_ha
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_ERGO_525V) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_I405X) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_MOUSEPEN_I608X) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_MOUSEPEN_I608X_2) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_M610X) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LABTEC, USB_DEVICE_ID_LABTEC_WIRELESS_KEYBOARD) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LCPOWER, USB_DEVICE_ID_LCPOWER_LC1000 ) },
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -478,6 +478,7 @@
+ #define USB_DEVICE_ID_KYE_GPEN_560 0x5003
+ #define USB_DEVICE_ID_KYE_EASYPEN_I405X 0x5010
+ #define USB_DEVICE_ID_KYE_MOUSEPEN_I608X 0x5011
++#define USB_DEVICE_ID_KYE_MOUSEPEN_I608X_2 0x501a
+ #define USB_DEVICE_ID_KYE_EASYPEN_M610X 0x5013
+
+ #define USB_VENDOR_ID_LABTEC 0x1020
+--- a/drivers/hid/hid-kye.c
++++ b/drivers/hid/hid-kye.c
+@@ -303,6 +303,7 @@ static __u8 *kye_report_fixup(struct hid
+ }
+ break;
+ case USB_DEVICE_ID_KYE_MOUSEPEN_I608X:
++ case USB_DEVICE_ID_KYE_MOUSEPEN_I608X_2:
+ if (*rsize == MOUSEPEN_I608X_RDESC_ORIG_SIZE) {
+ rdesc = mousepen_i608x_rdesc_fixed;
+ *rsize = sizeof(mousepen_i608x_rdesc_fixed);
+@@ -383,6 +384,7 @@ static int kye_probe(struct hid_device *
+ switch (id->product) {
+ case USB_DEVICE_ID_KYE_EASYPEN_I405X:
+ case USB_DEVICE_ID_KYE_MOUSEPEN_I608X:
++ case USB_DEVICE_ID_KYE_MOUSEPEN_I608X_2:
+ case USB_DEVICE_ID_KYE_EASYPEN_M610X:
+ ret = kye_tablet_enable(hdev);
+ if (ret) {
+@@ -406,6 +408,8 @@ static const struct hid_device_id kye_de
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE,
+ USB_DEVICE_ID_KYE_MOUSEPEN_I608X) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE,
++ USB_DEVICE_ID_KYE_MOUSEPEN_I608X_2) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_KYE,
+ USB_DEVICE_ID_KYE_EASYPEN_M610X) },
+ { }
+ };
+--- a/drivers/hid/usbhid/hid-quirks.c
++++ b/drivers/hid/usbhid/hid-quirks.c
+@@ -110,6 +110,7 @@ static const struct hid_blacklist {
+ { USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_WIRELESS, HID_QUIRK_MULTI_INPUT },
+ { USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD, HID_QUIRK_NO_INIT_REPORTS },
+ { USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_MOUSEPEN_I608X, HID_QUIRK_MULTI_INPUT },
++ { USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_MOUSEPEN_I608X_2, HID_QUIRK_MULTI_INPUT },
+ { USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_M610X, HID_QUIRK_MULTI_INPUT },
+ { USB_VENDOR_ID_NTRIG, USB_DEVICE_ID_NTRIG_DUOSENSE, HID_QUIRK_NO_INIT_REPORTS },
+ { USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_LTS1, HID_QUIRK_NO_INIT_REPORTS },
--- /dev/null
+From da940db41dcf8c04166f711646df2f35376010aa Mon Sep 17 00:00:00 2001
+From: Karl Relton <karllinuxtest.relton@ntlworld.com>
+Date: Tue, 16 Dec 2014 15:37:22 +0000
+Subject: HID: add battery quirk for USB_DEVICE_ID_APPLE_ALU_WIRELESS_2011_ISO keyboard
+
+From: Karl Relton <karllinuxtest.relton@ntlworld.com>
+
+commit da940db41dcf8c04166f711646df2f35376010aa upstream.
+
+Apple bluetooth wireless keyboard (sold in UK) has always reported zero
+for battery strength no matter what condition the batteries are actually
+in. With this patch applied (applying same quirk as other Apple
+keyboards), the battery strength is now correctly reported.
+
+Signed-off-by: Karl Relton <karllinuxtest.relton@ntlworld.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-input.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -317,6 +317,9 @@ static const struct hid_device_id hid_ba
+ USB_DEVICE_ID_APPLE_ALU_WIRELESS_2011_ANSI),
+ HID_BATTERY_QUIRK_PERCENT | HID_BATTERY_QUIRK_FEATURE },
+ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_APPLE,
++ USB_DEVICE_ID_APPLE_ALU_WIRELESS_2011_ISO),
++ HID_BATTERY_QUIRK_PERCENT | HID_BATTERY_QUIRK_FEATURE },
++ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_APPLE,
+ USB_DEVICE_ID_APPLE_ALU_WIRELESS_ANSI),
+ HID_BATTERY_QUIRK_PERCENT | HID_BATTERY_QUIRK_FEATURE },
+ {}
--- /dev/null
+From 6296f4a8eb86f9abcc370fb7a1a116b8441c17fd Mon Sep 17 00:00:00 2001
+From: Jean-Baptiste Maneyrol <jmaneyrol@invensense.com>
+Date: Thu, 20 Nov 2014 00:46:37 +0800
+Subject: HID: i2c-hid: fix race condition reading reports
+
+From: Jean-Baptiste Maneyrol <jmaneyrol@invensense.com>
+
+commit 6296f4a8eb86f9abcc370fb7a1a116b8441c17fd upstream.
+
+Current driver uses a common buffer for reading reports either
+synchronously in i2c_hid_get_raw_report() and asynchronously in
+the interrupt handler.
+There is race condition if an interrupt arrives immediately after
+the report is received in i2c_hid_get_raw_report(); the common
+buffer is modified by the interrupt handler with the new report
+and then i2c_hid_get_raw_report() proceed using wrong data.
+
+Fix it by using a separate buffers for synchronous reports.
+
+Signed-off-by: Jean-Baptiste Maneyrol <jmaneyrol@invensense.com>
+[Antonio Borneo: cleanup, rebase to v3.17, submit mainline]
+Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/i2c-hid/i2c-hid.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid.c
+@@ -134,6 +134,7 @@ struct i2c_hid {
+ * descriptor. */
+ unsigned int bufsize; /* i2c buffer size */
+ char *inbuf; /* Input buffer */
++ char *rawbuf; /* Raw Input buffer */
+ char *cmdbuf; /* Command buffer */
+ char *argsbuf; /* Command arguments buffer */
+
+@@ -471,9 +472,11 @@ static void i2c_hid_find_max_report(stru
+ static void i2c_hid_free_buffers(struct i2c_hid *ihid)
+ {
+ kfree(ihid->inbuf);
++ kfree(ihid->rawbuf);
+ kfree(ihid->argsbuf);
+ kfree(ihid->cmdbuf);
+ ihid->inbuf = NULL;
++ ihid->rawbuf = NULL;
+ ihid->cmdbuf = NULL;
+ ihid->argsbuf = NULL;
+ ihid->bufsize = 0;
+@@ -489,10 +492,11 @@ static int i2c_hid_alloc_buffers(struct
+ report_size; /* report */
+
+ ihid->inbuf = kzalloc(report_size, GFP_KERNEL);
++ ihid->rawbuf = kzalloc(report_size, GFP_KERNEL);
+ ihid->argsbuf = kzalloc(args_len, GFP_KERNEL);
+ ihid->cmdbuf = kzalloc(sizeof(union command) + args_len, GFP_KERNEL);
+
+- if (!ihid->inbuf || !ihid->argsbuf || !ihid->cmdbuf) {
++ if (!ihid->inbuf || !ihid->rawbuf || !ihid->argsbuf || !ihid->cmdbuf) {
+ i2c_hid_free_buffers(ihid);
+ return -ENOMEM;
+ }
+@@ -519,12 +523,12 @@ static int i2c_hid_get_raw_report(struct
+
+ ret = i2c_hid_get_report(client,
+ report_type == HID_FEATURE_REPORT ? 0x03 : 0x01,
+- report_number, ihid->inbuf, ask_count);
++ report_number, ihid->rawbuf, ask_count);
+
+ if (ret < 0)
+ return ret;
+
+- ret_count = ihid->inbuf[0] | (ihid->inbuf[1] << 8);
++ ret_count = ihid->rawbuf[0] | (ihid->rawbuf[1] << 8);
+
+ if (ret_count <= 2)
+ return 0;
+@@ -533,7 +537,7 @@ static int i2c_hid_get_raw_report(struct
+
+ /* The query buffer contains the size, dropping it in the reply */
+ count = min(count, ret_count - 2);
+- memcpy(buf, ihid->inbuf + 2, count);
++ memcpy(buf, ihid->rawbuf + 2, count);
+
+ return count;
+ }
--- /dev/null
+From d1c7e29e8d276c669e8790bb8be9f505ddc48888 Mon Sep 17 00:00:00 2001
+From: Gwendal Grignou <gwendal@chromium.org>
+Date: Thu, 11 Dec 2014 16:02:45 -0800
+Subject: HID: i2c-hid: prevent buffer overflow in early IRQ
+
+From: Gwendal Grignou <gwendal@chromium.org>
+
+commit d1c7e29e8d276c669e8790bb8be9f505ddc48888 upstream.
+
+Before ->start() is called, bufsize size is set to HID_MIN_BUFFER_SIZE,
+64 bytes. While processing the IRQ, we were asking to receive up to
+wMaxInputLength bytes, which can be bigger than 64 bytes.
+
+Later, when ->start is run, a proper bufsize will be calculated.
+
+Given wMaxInputLength is said to be unreliable in other part of the
+code, set to receive only what we can even if it results in truncated
+reports.
+
+Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/i2c-hid/i2c-hid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid.c
+@@ -341,7 +341,7 @@ static int i2c_hid_hwreset(struct i2c_cl
+ static void i2c_hid_get_input(struct i2c_hid *ihid)
+ {
+ int ret, ret_size;
+- int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);
++ int size = ihid->bufsize;
+
+ ret = i2c_master_recv(ihid->client, ihid->inbuf, size);
+ if (ret != size) {
--- /dev/null
+From 606185b20caf4c57d7e41e5a5ea4aff460aef2ab Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 9 Jan 2015 15:32:31 +0300
+Subject: HID: roccat: potential out of bounds in pyra_sysfs_write_settings()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 606185b20caf4c57d7e41e5a5ea4aff460aef2ab upstream.
+
+This is a static checker fix. We write some binary settings to the
+sysfs file. One of the settings is the "->startup_profile". There
+isn't any checking to make sure it fits into the
+pyra->profile_settings[] array in the profile_activated() function.
+
+I added a check to pyra_sysfs_write_settings() in both places because
+I wasn't positive that the other callers were correct.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-roccat-pyra.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hid-roccat-pyra.c
++++ b/drivers/hid/hid-roccat-pyra.c
+@@ -35,6 +35,8 @@ static struct class *pyra_class;
+ static void profile_activated(struct pyra_device *pyra,
+ unsigned int new_profile)
+ {
++ if (new_profile >= ARRAY_SIZE(pyra->profile_settings))
++ return;
+ pyra->actual_profile = new_profile;
+ pyra->actual_cpi = pyra->profile_settings[pyra->actual_profile].y_cpi;
+ }
+@@ -236,9 +238,11 @@ static ssize_t pyra_sysfs_write_settings
+ if (off != 0 || count != PYRA_SIZE_SETTINGS)
+ return -EINVAL;
+
+- mutex_lock(&pyra->pyra_lock);
+-
+ settings = (struct pyra_settings const *)buf;
++ if (settings->startup_profile >= ARRAY_SIZE(pyra->profile_settings))
++ return -EINVAL;
++
++ mutex_lock(&pyra->pyra_lock);
+
+ retval = pyra_set_settings(usb_dev, settings);
+ if (retval) {
ubi-fix-invalid-vfree.patch
ubi-fix-double-free-after-do_sync_erase.patch
iommu-vt-d-fix-an-off-by-one-bug-in-__domain_mapping.patch
+hid-i2c-hid-fix-race-condition-reading-reports.patch
+hid-i2c-hid-prevent-buffer-overflow-in-early-irq.patch
+hid-roccat-potential-out-of-bounds-in-pyra_sysfs_write_settings.patch
+hid-add-battery-quirk-for-usb_device_id_apple_alu_wireless_2011_iso-keyboard.patch
+hid-add-a-new-id-0x501a-for-genius-mousepen-i608x.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
