Better forwarding the device name, manufacturer and serial to upower.
Note that serial is still empty, it will be filled in a later patch
in this series.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Tested-by: Bastien Nocera <hadess@hadess.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Battery events are reported through HID++, so we need to be sure
the report ID is the HID++ one.
Without this, we might receive keyboard events that looks just like
battery events with wrong data and which will confuse user space.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Tested-by: Bastien Nocera <hadess@hadess.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Looks like all users don't care about a disconnect.
Simplify the various variant_connect() and put the connect state check
at the beginning.
For delayed input devices, make sure we go through all other connect
values (protocol, battery) before bailing out.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Tested-by: Bastien Nocera <hadess@hadess.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
hidpp->name can't be null.
Only HID++ 2.0 and above device supports the query.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Tested-by: Bastien Nocera <hadess@hadess.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Unifying devices are different from others because they can probed
while not connected. So we need to talk to the receiver to get some
extra information like the device name and the serial.
Instead of having conditionals while attempting to read the device name
from HID++ 2.0, have a special init path for them.
Store the retrieved serial in hdev->uniq.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Tested-by: Bastien Nocera <hadess@hadess.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Do not pollute the quirks bits field which is public API
with elements that are queried from the device.
Move the 2 battery capabilities into the new field.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Tested-by: Bastien Nocera <hadess@hadess.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Unless they are connected through unifying, they don't support it,
so remove one error in the logs.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Tested-by: Bastien Nocera <hadess@hadess.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Without a scope defined, UPower assumes that the battery provides
power to the computer it's connected to, like a laptop battery or a UPS.
Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Bastien Nocera <hadess@hadess.net>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Tested-by: Bastien Nocera <hadess@hadess.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Register 0xB5 should be handled specially no matter what function is
used. This allows to retrieve the serial and the Quad ID from
hid-logitech-hidpp directly.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Tested-by: Bastien Nocera <hadess@hadess.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
A recent commit added barry support to this driver, but that causes
a link failure when CONFIG_POWER_SUPPLY is not set:
drivers/hid/built-in.o: In function `hidpp_battery_get_property':
:(.text+0x1a834): undefined reference to `power_supply_get_drvdata'
drivers/hid/built-in.o: In function `hidpp_raw_event':
:(.text+0x1b10c): undefined reference to `power_supply_changed'
drivers/hid/built-in.o: In function `hidpp_connect_event':
:(.text+0x1bd88): undefined reference to `devm_power_supply_register'
:(.text+0x1be30): undefined reference to `power_supply_powers'
This adds a dependency, identically to the other HID drivers that need this.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Fixes: 5a2b190cdd ("HID: logitech-hidpp: add battery support for HID++ 2.0 devices")
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Now that we can create battery power_supply sources, it's better to enable
the connect_event callback unconditionally.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
If the 0x1000 Unified Battery Level Status feature exists, expose the battery
level.
The main drawback is that while a device is plugged in its battery level is 0.
To avoid exposing that as 0% charge we make up a number based on the charging
status.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
The usage Confidence is mandary to Windows Precision Touchpad devices. If
it is examined in input_mapping on a WIndows Precision Touchpad, a new add
quirk MT_QUIRK_CONFIDENCE desgned for such devices will be applied to the
device. A touch with the confidence bit is not set is determined as
invalid.
Tested on Dell XPS13 9343
Cc: stable@vger.kernel.org # v4.5+
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Tested-by: Andy Lutomirski <luto@kernel.org> # XPS 13 9350, BIOS 1.4.3
Signed-off-by: Allen Hung <allen_hung@dell.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
This reverts commit 25a84db15b ("HID: multitouch: enable palm rejection
if device implements confidence usage")
The commit enables palm rejection for Win8 Precision Touchpad devices but
the quirk MT_QUIRK_VALID_IS_CONFIDENCE it is using is not working very
properly. This quirk is originally designed for some WIn7 touchscreens. Use
of this for a Win8 Precision Touchpad will cause unexpected pointer jumping
problem.
Cc: stable@vger.kernel.org # v4.5+
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Tested-by: Andy Lutomirski <luto@kernel.org> # XPS 13 9350, BIOS 1.4.3
Signed-off-by: Allen Hung <allen_hung@dell.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
This patch validates the num_values parameter from userland during the
HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
leading to a heap overflow.
Cc: stable@vger.kernel.org
Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
The firmware found in the touch screen of an SP3 is buggy and may miss
to send lift off reports for contacts. Try to work around that issue by
using MT_QUIRK_NOT_SEEN_MEANS_UP.
based on a patch from: Daniel Martin <consume.noise@gmail.com>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Flushing a work that reschedules itself is not a sensible operation. It needs
to be killed. Failure to do so leads to a kernel panic in the timer code.
CC: stable@vger.kernel.org
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Commit 7e12978 ("HID: wacom: break out wacom_intuos_get_tool_type") by accident
removed stylus_in_proximity flag for Intuos series while shuffling the code
around.
Fix that by reintroducing that flag setting in wacom_intuos_inout(), where
it originally was.
Fixes: 7e12978 ("HID: wacom: break out wacom_intuos_get_tool_type")
Signed-off-by: Ping Cheng <pingc@wacom.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
The fuzz present on the distance and tilt axes is noticable when a puck is
present, and userspace (specifically libinput) would like the ability to
filter out the noise. To facilitate this, we assign a fuzz value of '1'
for the distance and tilt axes. This is large enough to cover most of the
natural variation in distance value as the puck is moved around, and
enough to cover the jitter in rotation (reported through tilt axes) when
the puck is left alone.
Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
These devices feature multiple interfaces/endpoints: a legacy BIOS/boot
interface (endpoint 0x81), as well as 2 corsair-specific keyboard interfaces
(endpoint 0x82, 0x83 IN/0x03 OUT) and an RGB LED control interface (endpoint
0x84 IN/0x04 OUT)
Because the extra 3 interfaces are not of subclass USB_INTERFACE_SUBCLASS_BOOT,
HID_QUIRK_NOGET is not automatically set on them and a 10s timeout per-endpoint
(30s per device) occurs initialising reports on boot. We configure
HID_QUIRK_NO_INIT_REPORTS for these devices.
Additionally the left-side G1-G18 macro keys on the K95RGB generate output on
the un-opened 0x82/0x83 endpoints which causes the keyboard to stop responding
waiting for this event to be collected. We enable HID_QUIRK_ALWAYS_POLL to
prevent this situation from occurring.
Signed-off-by: Trent Lloyd <trent@lloyd.id.au>
Tested-by: SUGNIAUX Wilfried <wsu@ppharm2k20.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Needed for v2 of the device firmware, otherwise kernel will stuck for few
seconds and throw "usb_submit_urb(ctrl) failed: -1" early on system boot.
Signed-off-by: Nazar Mokrynskyi <nazar@mokrynskyi.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
LED core takes care of handling failed calls to thingm_let_set.
- print error message in set_brightness_delayed or
- pass error to caller in led_set_brightness_sync
Also the error message here doesn't provide any hint what actually
went wrong. Therefore remove it.
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@rehat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Use recently introduced flag LED_HW_PLUGGABLE to avoid warnings when
the device is unplugged.
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Pull HID fixes from Jiri Kosina:
- fix for how scaling linearization is computed in wiimote driver, by
Cyan Ogilvie
- endless retry loop fix in generic USB HID core reset-resume handling,
by Alan Stern
- two functional fixes affecting particular devices, and oops fix for
wacom driver, by Jason Gerecke
- multitouch slot numbering fix from Gabriele Mazzotta
- a couple more small fixes on top
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
HID: wacom: Support switching from vendor-defined device mode on G9 and G11
HID: wacom: Initialize hid_data.inputmode to -1
HID: microsoft: add support for 3 more devices
HID: multitouch: Synchronize MT frame on reset_resume
HID: wacom: fix Bamboo ONE oops
HID: lenovo: Don't use stack variables for DMA buffers
HID: usbhid: fix inconsistent reset/resume/reset-resume behavior
HID: wiimote: Fix wiimote mp scale linearization
The 'size' variable is not really needed, and we can also shift constant
in the loop body when masking off existing bits.
Also we do not have to use 64 bit calculations if we take an extra
branch.
[jkosina@suse.cz: fix a small error in changelog]
Suggested-by: Doug Anderson <dianders@chromium.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
A tablet PC booted into Windows may have its pen/touch hardware switched
into "Wacom mode" similar to what we do with explicitly-supported hardware.
Some devices appear to maintain this state across reboots, preventing their
use with the generic HID driver. This patch adds support for detecting the
presence of the mode switch feature report used by devices based on the G9
and G11 chips and has the HID codepath always attempt to reset the device
back to sending standard HID reports.
Fixes: https://sourceforge.net/p/linuxwacom/bugs/307/
Fixes: https://sourceforge.net/p/linuxwacom/bugs/310/
Fixes: https://github.com/linuxwacom/input-wacom/issues/15
Co-authored-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Commit 5ae6e89 introduced hid_data.inputmode with a comment that it
would have the value -1 if undefined, but then forgot to actually
perform the initialization. Although this doesn't appear to have
caused any problems in practice, it should still be remedied.
Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Adds support for the Micrsift Digital 4K, Media 600 and Media 3000 V1 Keyboards,
which have the same quirks as the already existing hardware MS_NE4K.
Fixes https://bugzilla.kernel.org/show_bug.cgi?id=52841
[jkosina@suse.cz: rephrase changelog]
Signed-off-by: Alistair Leslie-Hughes <leslie_alistair@hotmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Asus X205TA and E200HA built-in keyboard contain wrong logical maximum value in
report descriptor.
This patch correct wrong logical maximum in report descriptor.
Signed-off-by: Yusuke Fujimaki <usk.fujimaki@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
My static checker complains that "devid" can be uninitialized if
alloc_chrdev_region() fails. Fix this by moving the error hanling
forward a couple lines.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
My static checker complains because we use "dev_id" before we check for
errors so it could be uninitialized. Fix this by moving the error
handling forward a couple lines.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
input_mt_get_slot_by_key() requires input_mt_sync_frame() to be called
at each frame. Do it when releasing the touches, or else we won't get
a proper slot number after mt_reset_resume().
Signed-off-by: Gabriele Mazzotta <gabriele.mzt@gmail.com>
Reviewed-by: Benson Leung <bleung@chromium.org>
Reviewed-by: Benjamin TIssoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Looks like recent changes in the Wacom driver made the Bamboo ONE crashes.
The tablet behaves as if it was a regular Bamboo device with pen, touch
and pad, but there is no physical pad connected to it.
The weird part is that the pad is still sending events and given that
there is no input node connected to it, we get anull pointer exception.
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1317116
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Acked-by: Ping Cheng <pingc@wacom.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
The lenovo_send_cmd_cptkbd function uses a stack variable to submit
commands via hid_hw_raw_request. Eventually this gets to the
usb_hcd_map_urb_for_dma function, which causes a warning to be thrown
if the CONFIG_DMA_API_DEBUG option is enabled.
Fix this by allocating a temporary buffer instead.
[jkosina@suse.cz: no need to NULL-initialize buf, spotted by Benjamin]
Reported-by: lejeczek <peljasz@yahoo.co.uk>
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
The usbhid driver has inconsistently duplicated code in its post-reset,
resume, and reset-resume pathways.
reset-resume doesn't check HID_STARTED before trying to
restart the I/O queues.
resume fails to clear the HID_SUSPENDED flag if HID_STARTED
isn't set.
resume calls usbhid_restart_queues() with usbhid->lock held
and the others call it without holding the lock.
The first item in particular causes a problem following a reset-resume
if the driver hasn't started up its I/O. URB submission fails because
usbhid->urbin is NULL, and this triggers an unending reset-retry loop.
This patch fixes the problem by creating a new subroutine,
hid_restart_io(), to carry out all the common activities. It also
adds some checks that were missing in the original code:
After a reset, there's no need to clear any halted endpoints.
After a resume, if a reset is pending there's no need to
restart any I/O until the reset is finished.
After a resume, if the interrupt-IN endpoint is halted there's
no need to submit the input URB until the halt has been
cleared.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Daniel Fraga <fragabr@gmail.com>
Tested-by: Daniel Fraga <fragabr@gmail.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Instead of open-coding memory allocation and copying form user memory
sequence let's use memdup_user().
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
uhid changes the format expected in write() depending on bitness. It
should check the syscall bitness directly.
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: David Herrmann <dh.herrmann@googlemail.com>
Acked-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
The wiimote motion plus gyros use two scales to report fast and slow
rotation - below 440 deg/s uses 8192/440 units / deg/s, and above uses
8192/2000 units / deg/s.
Previously this driver attempted to linearize the two by scaling the fast
rate by 18 and the slow by 9, but this results in a scale of
8192*9/440 = ~167.564 for slow and 8192*18/2000 = 73.728 for fast.
Correct the fast motion scale factor so that both report ~167.564
units / deg/s
Signed-off-by: Cyan Ogilvie <cyan.ogilvie@gmail.com>
Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Pull HID updates from Jiri Kosina:
- functionally equivalent cleanups for wacom driver, making the code
more readable, from Benjamin Tissoires
- a bunch of improvements and fixes for thingm driver from Heiner
Kallweit
- bugfixes to out-of-bound access for generic parsing functions (which
have been there since ever) extract() and implement(), from Dmitry
Torokhov
- a lot of added / improved device support in sony, wacom, microsoft,
multitouch and logitech driver, from various people
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid: (44 commits)
HID: microsoft: Add ID for MS Wireless Comfort Keyboard
hid: thingm: reorder calls in thingm_probe
HID: i2c-hid: fix OOB write in i2c_hid_set_or_send_report()
HID: multitouch: Release all touch slots on reset_resume
HID: usbhid: enable NO_INIT_REPORTS quirk for Semico USB Keykoard2
HID: penmount: report only one button for PenMount 6000 USB touchscreen controller
HID: i2c-hid: Fix suspend/resume when already runtime suspended
HID: i2c-hid: Add hid-over-i2c name to i2c id table
HID: multitouch: force retrieving of Win8 signature blob
HID: Support for CMedia CM6533 HID audio jack controls
HID: thingm: improve locking
HID: thingm: switch to managed version of led_classdev_register
HID: thingm: remove workqueue
HID: corsair: fix mapping of non-keyboard usages
HID: wacom: close the wireless receiver on remove()
HID: wacom: cleanup input devices
HID: wacom: reuse wacom_parse_and_register() in wireless_work
HID: wacom: move down wireless_work()
HID: wacom: break out parsing of device and registering of input
HID: wacom: break out wacom_intuos_get_tool_type
...
Microsoft Wireless Comfort Keyboard has vendor specific My Favorites
1-5 keys. Linux already supports this buttons on other MS keyboards by
MS_ERGONOMY quirk. So apply MS_ERGONOMY quirk to USB PID 0x00e3
(Microsoft Wireless Optical Desktop Receiver 3.0A). After this
My Favorites 1..5 keys will be reported as KEY_F14..KEY_F15 events.
Signed-off-by: Slava Bacherikov <slava@bacher09.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
When reviewing another thingm patch Benjamin Tissoires pointed out
the following: "The problem here is that hid_hw_start() is called
before thingm_version() which allows user space to briefly introduce
races between thingm_version() and any hidraw requests.
The mutex will not help here as it is initialized after hid_hw_start()
and only used for protecting the concurrent access of the rgb."
Avoid this possible issue by calling hid_hw_start() later in the
probe function.
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Even though hid_hw_* checks that passed in data_len is less than
HID_MAX_BUFFER_SIZE it is not enough, as i2c-hid does not necessarily
allocate buffers of HID_MAX_BUFFER_SIZE but rather checks all device
reports and select largest size. In-kernel users normally just send as much
data as report needs, so there is no problem, but hidraw users can do
whatever they please:
BUG: KASAN: slab-out-of-bounds in memcpy+0x34/0x54 at addr ffffffc07135ea80
Write of size 4101 by task syz-executor/8747
CPU: 2 PID: 8747 Comm: syz-executor Tainted: G BU 3.18.0 #37
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[<ffffffc00020ebcc>] dump_backtrace+0x0/0x258 arch/arm64/kernel/traps.c:83
[<ffffffc00020ee40>] show_stack+0x1c/0x2c arch/arm64/kernel/traps.c:172
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffc001958114>] dump_stack+0x90/0x140 lib/dump_stack.c:50
[< inline >] print_error_description mm/kasan/report.c:97
[< inline >] kasan_report_error mm/kasan/report.c:278
[<ffffffc0004597dc>] kasan_report+0x268/0x530 mm/kasan/report.c:305
[<ffffffc0004592e8>] __asan_storeN+0x20/0x150 mm/kasan/kasan.c:718
[<ffffffc0004594e0>] memcpy+0x30/0x54 mm/kasan/kasan.c:299
[<ffffffc001306354>] __i2c_hid_command+0x2b0/0x7b4 drivers/hid/i2c-hid/i2c-hid.c:178
[< inline >] i2c_hid_set_or_send_report drivers/hid/i2c-hid/i2c-hid.c:321
[<ffffffc0013079a0>] i2c_hid_output_raw_report.isra.2+0x3d4/0x4b8 drivers/hid/i2c-hid/i2c-hid.c:589
[<ffffffc001307ad8>] i2c_hid_output_report+0x54/0x68 drivers/hid/i2c-hid/i2c-hid.c:602
[< inline >] hid_hw_output_report include/linux/hid.h:1039
[<ffffffc0012cc7a0>] hidraw_send_report+0x400/0x414 drivers/hid/hidraw.c:154
[<ffffffc0012cc7f4>] hidraw_write+0x40/0x64 drivers/hid/hidraw.c:177
[<ffffffc0004681dc>] vfs_write+0x1d4/0x3cc fs/read_write.c:534
[< inline >] SYSC_pwrite64 fs/read_write.c:627
[<ffffffc000468984>] SyS_pwrite64+0xec/0x144 fs/read_write.c:614
Object at ffffffc07135ea80, in cache kmalloc-512
Object allocated with size 268 bytes.
Let's check data length against the buffer size before attempting to copy
data over.
Cc: stable@vger.kernel.org
Reported-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
