Commit dcce5837 authored Apr 24, 2014 by Benjamin Tissoires Committed by Jiri Kosina May 13, 2014

HID: rmi: do not fetch more than 16 bytes in a query

A firmware bug is present on the XPS Haswell edition which silently
split the request in two responses when the caller ask for a read of
more than 16 bytes.
The FW sends the first 16 then the 4 next, but it says that it answered
the 20 bytes in the first report.

This occurs only on the retrieving of the min/max of X and Y of the F11
function.
We only use the first 10 bytes of the Ctrl register, so we can get only
those 10 bytes to prevent the bug from happening.

Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1090161



Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

parent f15475c3

drivers/hid/hid-rmi.c

+8 −3

Original line number	Diff line number	Diff line
		@@ -641,10 +641,15 @@ static int rmi_populate_f11(struct hid_device *hdev)
		}
		}

		/* retrieve the ctrl registers */
		ret = rmi_read_block(hdev, data->f11.control_base_addr, buf, 20);
		/*
		* retrieve the ctrl registers
		* the ctrl register has a size of 20 but a fw bug split it into 16 + 4,
		* and there is no way to know if the first 20 bytes are here or not.
		* We use only the first 10 bytes, so get only them.
		*/
		ret = rmi_read_block(hdev, data->f11.control_base_addr, buf, 10);
		if (ret) {
		hid_err(hdev, "can not read ctrl block of size 20: %d.\n", ret);
		hid_err(hdev, "can not read ctrl block of size 10: %d.\n", ret);
		return ret;
		}