Skip to content

Commit dab6e4f

Browse files
author
Jiri Kosina
committed
Merge branch 'for-5.15/core' into for-linus
- Regression fix for an issue in HID core that got uncovered by recent USB core cleanup leading to issues when transfer_buffer_length is not in line with wLength - Memory leak fix in USB HID core - Improvement of stylus battery reporting
2 parents e4ee509 + d2f311e commit dab6e4f

2 files changed

Lines changed: 18 additions & 13 deletions

File tree

drivers/hid/hid-input.c

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -419,8 +419,6 @@ static int hidinput_get_battery_property(struct power_supply *psy,
419419

420420
if (dev->battery_status == HID_BATTERY_UNKNOWN)
421421
val->intval = POWER_SUPPLY_STATUS_UNKNOWN;
422-
else if (dev->battery_capacity == 100)
423-
val->intval = POWER_SUPPLY_STATUS_FULL;
424422
else
425423
val->intval = POWER_SUPPLY_STATUS_DISCHARGING;
426424
break;

drivers/hid/usbhid/hid-core.c

Lines changed: 18 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -377,27 +377,23 @@ static int hid_submit_ctrl(struct hid_device *hid)
377377
len = hid_report_len(report);
378378
if (dir == USB_DIR_OUT) {
379379
usbhid->urbctrl->pipe = usb_sndctrlpipe(hid_to_usb_dev(hid), 0);
380-
usbhid->urbctrl->transfer_buffer_length = len;
381380
if (raw_report) {
382381
memcpy(usbhid->ctrlbuf, raw_report, len);
383382
kfree(raw_report);
384383
usbhid->ctrl[usbhid->ctrltail].raw_report = NULL;
385384
}
386385
} else {
387-
int maxpacket, padlen;
386+
int maxpacket;
388387

389388
usbhid->urbctrl->pipe = usb_rcvctrlpipe(hid_to_usb_dev(hid), 0);
390389
maxpacket = usb_maxpacket(hid_to_usb_dev(hid),
391390
usbhid->urbctrl->pipe, 0);
392-
if (maxpacket > 0) {
393-
padlen = DIV_ROUND_UP(len, maxpacket);
394-
padlen *= maxpacket;
395-
if (padlen > usbhid->bufsize)
396-
padlen = usbhid->bufsize;
397-
} else
398-
padlen = 0;
399-
usbhid->urbctrl->transfer_buffer_length = padlen;
391+
len += (len == 0); /* Don't allow 0-length reports */
392+
len = round_up(len, maxpacket);
393+
if (len > usbhid->bufsize)
394+
len = usbhid->bufsize;
400395
}
396+
usbhid->urbctrl->transfer_buffer_length = len;
401397
usbhid->urbctrl->dev = hid_to_usb_dev(hid);
402398

403399
usbhid->cr->bRequestType = USB_TYPE_CLASS | USB_RECIP_INTERFACE | dir;
@@ -505,7 +501,7 @@ static void hid_ctrl(struct urb *urb)
505501

506502
if (unplug) {
507503
usbhid->ctrltail = usbhid->ctrlhead;
508-
} else {
504+
} else if (usbhid->ctrlhead != usbhid->ctrltail) {
509505
usbhid->ctrltail = (usbhid->ctrltail + 1) & (HID_CONTROL_FIFO_SIZE - 1);
510506

511507
if (usbhid->ctrlhead != usbhid->ctrltail &&
@@ -1223,9 +1219,20 @@ static void usbhid_stop(struct hid_device *hid)
12231219
mutex_lock(&usbhid->mutex);
12241220

12251221
clear_bit(HID_STARTED, &usbhid->iofl);
1222+
12261223
spin_lock_irq(&usbhid->lock); /* Sync with error and led handlers */
12271224
set_bit(HID_DISCONNECTED, &usbhid->iofl);
1225+
while (usbhid->ctrltail != usbhid->ctrlhead) {
1226+
if (usbhid->ctrl[usbhid->ctrltail].dir == USB_DIR_OUT) {
1227+
kfree(usbhid->ctrl[usbhid->ctrltail].raw_report);
1228+
usbhid->ctrl[usbhid->ctrltail].raw_report = NULL;
1229+
}
1230+
1231+
usbhid->ctrltail = (usbhid->ctrltail + 1) &
1232+
(HID_CONTROL_FIFO_SIZE - 1);
1233+
}
12281234
spin_unlock_irq(&usbhid->lock);
1235+
12291236
usb_kill_urb(usbhid->urbin);
12301237
usb_kill_urb(usbhid->urbout);
12311238
usb_kill_urb(usbhid->urbctrl);

0 commit comments

Comments
 (0)