From: Greg Kroah-Hartman Date: Tue, 24 Sep 2013 15:06:14 +0000 (-0700) Subject: 3.11-stable patches X-Git-Tag: v3.0.97~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a7d2e52b3092c674453d59f22886509c1ee03150;p=thirdparty%2Fkernel%2Fstable-queue.git 3.11-stable patches added patches: hid-battery-don-t-do-dma-from-stack.patch hid-check-for-null-field-when-setting-values.patch hid-hidraw-correctly-deallocate-memory-on-device-disconnect.patch hid-ntrig-validate-feature-report-details.patch hid-picolcd_core-validate-output-report-details.patch hid-picolcd-prevent-null-pointer-dereference-on-_remove.patch hid-sensor-hub-validate-feature-report-details.patch hid-uhid-add-devname-module-alias.patch hid-usbhid-quirk-for-n-trig-duosense-touch-screen.patch hid-validate-hid-report-id-size.patch --- diff --git a/queue-3.11/hid-battery-don-t-do-dma-from-stack.patch b/queue-3.11/hid-battery-don-t-do-dma-from-stack.patch new file mode 100644 index 00000000000..12da098727a --- /dev/null +++ b/queue-3.11/hid-battery-don-t-do-dma-from-stack.patch @@ -0,0 +1,61 @@ +From 6c2794a2984f4c17a58117a68703cc7640f01c5a Mon Sep 17 00:00:00 2001 +From: Jiri Kosina +Date: Mon, 2 Sep 2013 13:43:00 +0200 +Subject: HID: battery: don't do DMA from stack + +From: Jiri Kosina + +commit 6c2794a2984f4c17a58117a68703cc7640f01c5a upstream. + +Instead of using data from stack for DMA in hidinput_get_battery_property(), +allocate the buffer dynamically. + +Reported-by: Richard Ryniker +Reported-by: Alan Stern +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-input.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -340,7 +340,7 @@ static int hidinput_get_battery_property + { + struct hid_device *dev = container_of(psy, struct hid_device, battery); + int ret = 0; +- __u8 buf[2] = {}; ++ __u8 *buf; + + switch (prop) { + case POWER_SUPPLY_PROP_PRESENT: +@@ -349,12 +349,19 @@ static int hidinput_get_battery_property + break; + + case POWER_SUPPLY_PROP_CAPACITY: ++ ++ buf = kmalloc(2 * sizeof(__u8), GFP_KERNEL); ++ if (!buf) { ++ ret = -ENOMEM; ++ break; ++ } + ret = dev->hid_get_raw_report(dev, dev->battery_report_id, +- buf, sizeof(buf), ++ buf, 2, + dev->battery_report_type); + + if (ret != 2) { + ret = -ENODATA; ++ kfree(buf); + break; + } + ret = 0; +@@ -364,6 +371,7 @@ static int hidinput_get_battery_property + buf[1] <= dev->battery_max) + val->intval = (100 * (buf[1] - dev->battery_min)) / + (dev->battery_max - dev->battery_min); ++ kfree(buf); + break; + + case POWER_SUPPLY_PROP_MODEL_NAME: diff --git a/queue-3.11/hid-check-for-null-field-when-setting-values.patch b/queue-3.11/hid-check-for-null-field-when-setting-values.patch new file mode 100644 index 00000000000..2067e115891 --- /dev/null +++ b/queue-3.11/hid-check-for-null-field-when-setting-values.patch @@ -0,0 +1,35 @@ +From be67b68d52fa28b9b721c47bb42068f0c1214855 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 28 Aug 2013 22:32:01 +0200 +Subject: HID: check for NULL field when setting values + +From: Kees Cook + +commit be67b68d52fa28b9b721c47bb42068f0c1214855 upstream. + +Defensively check that the field to be worked on is not NULL. + +Signed-off-by: Kees Cook +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-core.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1156,7 +1156,12 @@ EXPORT_SYMBOL_GPL(hid_output_report); + + int hid_set_field(struct hid_field *field, unsigned offset, __s32 value) + { +- unsigned size = field->report_size; ++ unsigned size; ++ ++ if (!field) ++ return -1; ++ ++ size = field->report_size; + + hid_dump_input(field->report->device, field->usage + offset, value); + diff --git a/queue-3.11/hid-hidraw-correctly-deallocate-memory-on-device-disconnect.patch b/queue-3.11/hid-hidraw-correctly-deallocate-memory-on-device-disconnect.patch new file mode 100644 index 00000000000..2bb546b59a5 --- /dev/null +++ b/queue-3.11/hid-hidraw-correctly-deallocate-memory-on-device-disconnect.patch @@ -0,0 +1,134 @@ +From 212a871a3934beccf43431608c27ed2e05a476ec Mon Sep 17 00:00:00 2001 +From: Manoj Chourasia +Date: Mon, 22 Jul 2013 15:33:13 +0530 +Subject: HID: hidraw: correctly deallocate memory on device disconnect + +From: Manoj Chourasia + +commit 212a871a3934beccf43431608c27ed2e05a476ec upstream. + +This changes puts the commit 4fe9f8e203f back in place +with the fixes for slab corruption because of the commit. + +When a device is unplugged, wait for all processes that +have opened the device to close before deallocating the device. + +This commit was solving kernel crash because of the corruption in +rb tree of vmalloc. The rootcause was the device data pointer was +geting excessed after the memory associated with hidraw was freed. + +The commit 4fe9f8e203f was buggy as it was also freeing the hidraw +first and then calling delete operation on the list associated with +that hidraw leading to slab corruption. + +Signed-off-by: Manoj Chourasia +Tested-by: Peter Wu +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hidraw.c | 60 +++++++++++++++++++++------------------------------ + 1 file changed, 25 insertions(+), 35 deletions(-) + +--- a/drivers/hid/hidraw.c ++++ b/drivers/hid/hidraw.c +@@ -113,7 +113,7 @@ static ssize_t hidraw_send_report(struct + __u8 *buf; + int ret = 0; + +- if (!hidraw_table[minor]) { ++ if (!hidraw_table[minor] || !hidraw_table[minor]->exist) { + ret = -ENODEV; + goto out; + } +@@ -261,7 +261,7 @@ static int hidraw_open(struct inode *ino + } + + mutex_lock(&minors_lock); +- if (!hidraw_table[minor]) { ++ if (!hidraw_table[minor] || !hidraw_table[minor]->exist) { + err = -ENODEV; + goto out_unlock; + } +@@ -302,39 +302,38 @@ static int hidraw_fasync(int fd, struct + return fasync_helper(fd, file, on, &list->fasync); + } + ++static void drop_ref(struct hidraw *hidraw, int exists_bit) ++{ ++ if (exists_bit) { ++ hid_hw_close(hidraw->hid); ++ hidraw->exist = 0; ++ if (hidraw->open) ++ wake_up_interruptible(&hidraw->wait); ++ } else { ++ --hidraw->open; ++ } ++ ++ if (!hidraw->open && !hidraw->exist) { ++ device_destroy(hidraw_class, MKDEV(hidraw_major, hidraw->minor)); ++ hidraw_table[hidraw->minor] = NULL; ++ kfree(hidraw); ++ } ++} ++ + static int hidraw_release(struct inode * inode, struct file * file) + { + unsigned int minor = iminor(inode); +- struct hidraw *dev; + struct hidraw_list *list = file->private_data; +- int ret; +- int i; + + mutex_lock(&minors_lock); +- if (!hidraw_table[minor]) { +- ret = -ENODEV; +- goto unlock; +- } + + list_del(&list->node); +- dev = hidraw_table[minor]; +- if (!--dev->open) { +- if (list->hidraw->exist) { +- hid_hw_power(dev->hid, PM_HINT_NORMAL); +- hid_hw_close(dev->hid); +- } else { +- kfree(list->hidraw); +- } +- } +- +- for (i = 0; i < HIDRAW_BUFFER_SIZE; ++i) +- kfree(list->buffer[i].value); + kfree(list); +- ret = 0; +-unlock: +- mutex_unlock(&minors_lock); + +- return ret; ++ drop_ref(hidraw_table[minor], 0); ++ ++ mutex_unlock(&minors_lock); ++ return 0; + } + + static long hidraw_ioctl(struct file *file, unsigned int cmd, +@@ -539,18 +538,9 @@ void hidraw_disconnect(struct hid_device + struct hidraw *hidraw = hid->hidraw; + + mutex_lock(&minors_lock); +- hidraw->exist = 0; +- +- device_destroy(hidraw_class, MKDEV(hidraw_major, hidraw->minor)); + +- hidraw_table[hidraw->minor] = NULL; ++ drop_ref(hidraw, 1); + +- if (hidraw->open) { +- hid_hw_close(hid); +- wake_up_interruptible(&hidraw->wait); +- } else { +- kfree(hidraw); +- } + mutex_unlock(&minors_lock); + } + EXPORT_SYMBOL_GPL(hidraw_disconnect); diff --git a/queue-3.11/hid-ntrig-validate-feature-report-details.patch b/queue-3.11/hid-ntrig-validate-feature-report-details.patch new file mode 100644 index 00000000000..7971139e38f --- /dev/null +++ b/queue-3.11/hid-ntrig-validate-feature-report-details.patch @@ -0,0 +1,40 @@ +From 875b4e3763dbc941f15143dd1a18d10bb0be303b Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 28 Aug 2013 22:31:28 +0200 +Subject: HID: ntrig: validate feature report details + +From: Kees Cook + +commit 875b4e3763dbc941f15143dd1a18d10bb0be303b upstream. + +A HID device could send a malicious feature report that would cause the +ntrig HID driver to trigger a NULL dereference during initialization: + +[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 +... +[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 +[57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] + +CVE-2013-2896 + +Signed-off-by: Kees Cook +Signed-off-by: Rafi Rubin +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-ntrig.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/hid/hid-ntrig.c ++++ b/drivers/hid/hid-ntrig.c +@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct + struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT]. + report_id_hash[0x0d]; + +- if (!report) ++ if (!report || report->maxfield < 1 || ++ report->field[0]->report_count < 1) + return -EINVAL; + + hid_hw_request(hdev, report, HID_REQ_GET_REPORT); diff --git a/queue-3.11/hid-picolcd-prevent-null-pointer-dereference-on-_remove.patch b/queue-3.11/hid-picolcd-prevent-null-pointer-dereference-on-_remove.patch new file mode 100644 index 00000000000..342811205d8 --- /dev/null +++ b/queue-3.11/hid-picolcd-prevent-null-pointer-dereference-on-_remove.patch @@ -0,0 +1,71 @@ +From 1cde501bb4655e98fb832194beb88ac73be5a05d Mon Sep 17 00:00:00 2001 +From: Bruno Prémont +Date: Sat, 31 Aug 2013 14:07:48 +0200 +Subject: HID: picolcd: Prevent NULL pointer dereference on _remove() + +From: Bruno Prémont + +commit 1cde501bb4655e98fb832194beb88ac73be5a05d upstream. + +When picolcd is switched into bootloader mode (for FW flashing) make +sure not to try to dereference NULL-pointers of feature-devices during +unplug/unbind. + +This fixes following BUG: + BUG: unable to handle kernel NULL pointer dereference at 00000298 + IP: [] picolcd_exit_framebuffer+0x1b/0x80 [hid_picolcd] + *pde = 00000000 + Oops: 0000 [#1] + Modules linked in: hid_picolcd syscopyarea sysfillrect sysimgblt fb_sys_fops + CPU: 0 PID: 15 Comm: khubd Not tainted 3.11.0-rc7-00002-g50d62d4 #2 + EIP: 0060:[] EFLAGS: 00010292 CPU: 0 + EIP is at picolcd_exit_framebuffer+0x1b/0x80 [hid_picolcd] + Call Trace: + [] picolcd_remove+0xcb/0x120 [hid_picolcd] + [] hid_device_remove+0x59/0xc0 + [] __device_release_driver+0x5a/0xb0 + [] device_release_driver+0x1f/0x30 + [] bus_remove_device+0x9d/0xd0 + [] device_del+0xd5/0x150 + [] hid_destroy_device+0x24/0x60 + [] usbhid_disconnect+0x1b/0x40 + ... + +Signed-off-by: Bruno Prémont +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-picolcd_cir.c | 3 ++- + drivers/hid/hid-picolcd_fb.c | 6 +++++- + 2 files changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/hid/hid-picolcd_cir.c ++++ b/drivers/hid/hid-picolcd_cir.c +@@ -145,6 +145,7 @@ void picolcd_exit_cir(struct picolcd_dat + struct rc_dev *rdev = data->rc_dev; + + data->rc_dev = NULL; +- rc_unregister_device(rdev); ++ if (rdev) ++ rc_unregister_device(rdev); + } + +--- a/drivers/hid/hid-picolcd_fb.c ++++ b/drivers/hid/hid-picolcd_fb.c +@@ -593,10 +593,14 @@ err_nomem: + void picolcd_exit_framebuffer(struct picolcd_data *data) + { + struct fb_info *info = data->fb_info; +- struct picolcd_fb_data *fbdata = info->par; ++ struct picolcd_fb_data *fbdata; + unsigned long flags; + ++ if (!info) ++ return; ++ + device_remove_file(&data->hdev->dev, &dev_attr_fb_update_rate); ++ fbdata = info->par; + + /* disconnect framebuffer from HID dev */ + spin_lock_irqsave(&fbdata->lock, flags); diff --git a/queue-3.11/hid-picolcd_core-validate-output-report-details.patch b/queue-3.11/hid-picolcd_core-validate-output-report-details.patch new file mode 100644 index 00000000000..dcdfb418587 --- /dev/null +++ b/queue-3.11/hid-picolcd_core-validate-output-report-details.patch @@ -0,0 +1,45 @@ +From 1e87a2456b0227ca4ab881e19a11bb99d164e792 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 28 Aug 2013 22:31:52 +0200 +Subject: HID: picolcd_core: validate output report details + +From: Kees Cook + +commit 1e87a2456b0227ca4ab881e19a11bb99d164e792 upstream. + +A HID device could send a malicious output report that would cause the +picolcd HID driver to trigger a NULL dereference during attr file writing. + +[jkosina@suse.cz: changed + + report->maxfield < 1 + +to + + report->maxfield != 1 + +as suggested by Bruno]. + +CVE-2013-2899 + +Signed-off-by: Kees Cook +Reviewed-by: Bruno Prémont +Acked-by: Bruno Prémont +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-picolcd_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hid/hid-picolcd_core.c ++++ b/drivers/hid/hid-picolcd_core.c +@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_st + buf += 10; + cnt -= 10; + } +- if (!report) ++ if (!report || report->maxfield != 1) + return -EINVAL; + + while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r')) diff --git a/queue-3.11/hid-sensor-hub-validate-feature-report-details.patch b/queue-3.11/hid-sensor-hub-validate-feature-report-details.patch new file mode 100644 index 00000000000..e043bbac5e1 --- /dev/null +++ b/queue-3.11/hid-sensor-hub-validate-feature-report-details.patch @@ -0,0 +1,36 @@ +From 9e8910257397372633e74b333ef891f20c800ee4 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 28 Aug 2013 22:31:44 +0200 +Subject: HID: sensor-hub: validate feature report details + +From: Kees Cook + +commit 9e8910257397372633e74b333ef891f20c800ee4 upstream. + +A HID device could send a malicious feature report that would cause the +sensor-hub HID driver to read past the end of heap allocation, leaking +kernel memory contents to the caller. + +CVE-2013-2898 + +Signed-off-by: Kees Cook +Reviewed-by: Mika Westerberg +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-sensor-hub.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/hid/hid-sensor-hub.c ++++ b/drivers/hid/hid-sensor-hub.c +@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_se + + mutex_lock(&data->mutex); + report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT); +- if (!report || (field_index >= report->maxfield)) { ++ if (!report || (field_index >= report->maxfield) || ++ report->field[field_index]->report_count < 1) { + ret = -EINVAL; + goto done_proc; + } diff --git a/queue-3.11/hid-uhid-add-devname-module-alias.patch b/queue-3.11/hid-uhid-add-devname-module-alias.patch new file mode 100644 index 00000000000..841ad9a824b --- /dev/null +++ b/queue-3.11/hid-uhid-add-devname-module-alias.patch @@ -0,0 +1,27 @@ +From 60cbd53e4bf623fe978e6f23a6da642e730fde3a Mon Sep 17 00:00:00 2001 +From: Marcel Holtmann +Date: Sun, 1 Sep 2013 11:02:46 -0700 +Subject: HID: uhid: add devname module alias + +From: Marcel Holtmann + +commit 60cbd53e4bf623fe978e6f23a6da642e730fde3a upstream. + +For simple device node creation, add the devname module alias. + +Signed-off-by: Marcel Holtmann +Reviewed-by: David Herrmann +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/uhid.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/hid/uhid.c ++++ b/drivers/hid/uhid.c +@@ -659,3 +659,4 @@ module_exit(uhid_exit); + MODULE_LICENSE("GPL"); + MODULE_AUTHOR("David Herrmann "); + MODULE_DESCRIPTION("User-space I/O driver support for HID subsystem"); ++MODULE_ALIAS("devname:" UHID_NAME); diff --git a/queue-3.11/hid-usbhid-quirk-for-n-trig-duosense-touch-screen.patch b/queue-3.11/hid-usbhid-quirk-for-n-trig-duosense-touch-screen.patch new file mode 100644 index 00000000000..681631292e2 --- /dev/null +++ b/queue-3.11/hid-usbhid-quirk-for-n-trig-duosense-touch-screen.patch @@ -0,0 +1,42 @@ +From 9e0bf92c223dabe0789714f8f85f6e26f8f9cda4 Mon Sep 17 00:00:00 2001 +From: Vasily Titskiy +Date: Fri, 30 Aug 2013 18:25:04 -0400 +Subject: HID: usbhid: quirk for N-Trig DuoSense Touch Screen + +From: Vasily Titskiy + +commit 9e0bf92c223dabe0789714f8f85f6e26f8f9cda4 upstream. + +The DuoSense touchscreen device causes a 10 second timeout. This fix +removes the delay. + +Signed-off-by: Vasily Titskiy +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/usbhid/hid-quirks.c | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -659,6 +659,7 @@ + #define USB_DEVICE_ID_NTRIG_TOUCH_SCREEN_16 0x0012 + #define USB_DEVICE_ID_NTRIG_TOUCH_SCREEN_17 0x0013 + #define USB_DEVICE_ID_NTRIG_TOUCH_SCREEN_18 0x0014 ++#define USB_DEVICE_ID_NTRIG_DUOSENSE 0x1500 + + #define USB_VENDOR_ID_ONTRAK 0x0a07 + #define USB_DEVICE_ID_ONTRAK_ADU100 0x0064 +--- a/drivers/hid/usbhid/hid-quirks.c ++++ b/drivers/hid/usbhid/hid-quirks.c +@@ -109,6 +109,8 @@ static const struct hid_blacklist { + { USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD, HID_QUIRK_NO_INIT_REPORTS }, + { USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_MOUSEPEN_I608X, HID_QUIRK_MULTI_INPUT }, + { USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_M610X, HID_QUIRK_MULTI_INPUT }, ++ { USB_VENDOR_ID_NTRIG, USB_DEVICE_ID_NTRIG_DUOSENSE, HID_QUIRK_NO_INIT_REPORTS }, ++ + { 0, 0 } + }; + diff --git a/queue-3.11/hid-validate-hid-report-id-size.patch b/queue-3.11/hid-validate-hid-report-id-size.patch new file mode 100644 index 00000000000..0a97c2bed65 --- /dev/null +++ b/queue-3.11/hid-validate-hid-report-id-size.patch @@ -0,0 +1,77 @@ +From 43622021d2e2b82ea03d883926605bdd0525e1d1 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 28 Aug 2013 22:29:55 +0200 +Subject: HID: validate HID report id size + +From: Kees Cook + +commit 43622021d2e2b82ea03d883926605bdd0525e1d1 upstream. + +The "Report ID" field of a HID report is used to build indexes of +reports. The kernel's index of these is limited to 256 entries, so any +malicious device that sets a Report ID greater than 255 will trigger +memory corruption on the host: + +[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 +[ 1347.156261] IP: [] hid_register_report+0x2a/0x8b + +CVE-2013-2888 + +Signed-off-by: Kees Cook +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-core.c | 10 +++++++--- + include/linux/hid.h | 4 +++- + 2 files changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(s + struct hid_report_enum *report_enum = device->report_enum + type; + struct hid_report *report; + ++ if (id >= HID_MAX_IDS) ++ return NULL; + if (report_enum->report_id_hash[id]) + return report_enum->report_id_hash[id]; + +@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_ + + case HID_GLOBAL_ITEM_TAG_REPORT_ID: + parser->global.report_id = item_udata(item); +- if (parser->global.report_id == 0) { +- hid_err(parser->device, "report_id 0 is invalid\n"); ++ if (parser->global.report_id == 0 || ++ parser->global.report_id >= HID_MAX_IDS) { ++ hid_err(parser->device, "report_id %u is invalid\n", ++ parser->global.report_id); + return -1; + } + return 0; +@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_ + for (i = 0; i < HID_REPORT_TYPES; i++) { + struct hid_report_enum *report_enum = device->report_enum + i; + +- for (j = 0; j < 256; j++) { ++ for (j = 0; j < HID_MAX_IDS; j++) { + struct hid_report *report = report_enum->report_id_hash[j]; + if (report) + hid_free_report(report); +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -393,10 +393,12 @@ struct hid_report { + struct hid_device *device; /* associated device */ + }; + ++#define HID_MAX_IDS 256 ++ + struct hid_report_enum { + unsigned numbered; + struct list_head report_list; +- struct hid_report *report_id_hash[256]; ++ struct hid_report *report_id_hash[HID_MAX_IDS]; + }; + + #define HID_REPORT_TYPES 3 diff --git a/queue-3.11/series b/queue-3.11/series index 0e49a283cb2..b98fb25afdc 100644 --- a/queue-3.11/series +++ b/queue-3.11/series @@ -72,3 +72,13 @@ hid-pantherlord-validate-output-report-details.patch hid-kye-add-report-fixup-for-genius-gx-imperator-keyboard.patch hid-wiimote-work-around-broken-drm_kai-on-gen10.patch hid-fix-speedlink-vad-cezanne-support-for-some-devices.patch +hid-sensor-hub-validate-feature-report-details.patch +hid-validate-hid-report-id-size.patch +hid-picolcd_core-validate-output-report-details.patch +hid-ntrig-validate-feature-report-details.patch +hid-uhid-add-devname-module-alias.patch +hid-picolcd-prevent-null-pointer-dereference-on-_remove.patch +hid-battery-don-t-do-dma-from-stack.patch +hid-hidraw-correctly-deallocate-memory-on-device-disconnect.patch +hid-check-for-null-field-when-setting-values.patch +hid-usbhid-quirk-for-n-trig-duosense-touch-screen.patch