Fix null pointer dereference when a USB device detached (rhbz 1462175)
This commit is contained in:
Jeremy Cline
parent
3f119951a0
commit
cf68d0e49a
|
|
@ -0,0 +1,54 @@
|
|||
From ef14a4bf0910d06c7e202552914028d4956809cb Mon Sep 17 00:00:00 2001
|
||||
From: Andrew Duggan <aduggan@synaptics.com>
|
||||
Date: Tue, 17 Oct 2017 18:37:36 -0700
|
||||
Subject: [PATCH] HID: rmi: Check that a device is a RMI device before calling
|
||||
RMI functions
|
||||
|
||||
The hid-rmi driver may handle non rmi devices on composite USB devices.
|
||||
Callbacks need to make sure that the current device is a RMI device before
|
||||
calling RMI specific functions. Most callbacks already have this check, but
|
||||
this patch adds checks to the remaining callbacks.
|
||||
|
||||
Reported-by: Hendrik Langer <hendrik.langer@gmx.de>
|
||||
Tested-by: Hendrik Langer <hendrik.langer@gmx.de>
|
||||
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
||||
Signed-off-by: Andrew Duggan <aduggan@synaptics.com>
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-rmi.c | 13 ++++++++++---
|
||||
1 file changed, 10 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-rmi.c b/drivers/hid/hid-rmi.c
|
||||
index ef241d66562e..0f43c4292685 100644
|
||||
--- a/drivers/hid/hid-rmi.c
|
||||
+++ b/drivers/hid/hid-rmi.c
|
||||
@@ -368,6 +368,11 @@ static int rmi_check_sanity(struct hid_device *hdev, u8 *data, int size)
|
||||
static int rmi_raw_event(struct hid_device *hdev,
|
||||
struct hid_report *report, u8 *data, int size)
|
||||
{
|
||||
+ struct rmi_data *hdata = hid_get_drvdata(hdev);
|
||||
+
|
||||
+ if (!(hdata->device_flags & RMI_DEVICE))
|
||||
+ return 0;
|
||||
+
|
||||
size = rmi_check_sanity(hdev, data, size);
|
||||
if (size < 2)
|
||||
return 0;
|
||||
@@ -713,9 +718,11 @@ static void rmi_remove(struct hid_device *hdev)
|
||||
{
|
||||
struct rmi_data *hdata = hid_get_drvdata(hdev);
|
||||
|
||||
- clear_bit(RMI_STARTED, &hdata->flags);
|
||||
- cancel_work_sync(&hdata->reset_work);
|
||||
- rmi_unregister_transport_device(&hdata->xport);
|
||||
+ if (hdata->device_flags & RMI_DEVICE) {
|
||||
+ clear_bit(RMI_STARTED, &hdata->flags);
|
||||
+ cancel_work_sync(&hdata->reset_work);
|
||||
+ rmi_unregister_transport_device(&hdata->xport);
|
||||
+ }
|
||||
|
||||
hid_hw_stop(hdev);
|
||||
}
|
||||
--
|
||||
2.14.3
|
||||
|
||||
|
|
@ -723,6 +723,9 @@ Patch639: CVE-2017-16538.patch
|
|||
# rhbz 1507931
|
||||
Patch640: qxl_cursor_fix.patch
|
||||
|
||||
# rhbz 1462175
|
||||
Patch641: HID-rmi-Check-that-a-device-is-a-RMI-device-before-c.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2277,6 +2280,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Nov 29 2017 Jeremy Cline <jeremy@jcline.org>
|
||||
- Fix USB null pointer dereference on ThinkPad X1 (rhbz 1462175)
|
||||
|
||||
* Mon Nov 27 2017 Jeremy Cline <jeremy@jcline.org> - 4.13.16-300
|
||||
- Linux v4.13.16
|
||||
- Fix CVE-2017-16649 (rhbz 1516267 1516274)
|
||||
|
|
|
|||
Loading…
Reference in New Issue