HID descriptors contains 4 bytes of reserved field. The previous implementation was overriding the next fields in struct i2c_hid. Signed-off-by: Benjamin Tissoires <benjamin.tissoires@xxxxxxxxx> --- drivers/hid/i2c-hid/i2c-hid.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c index 7062df2..34cca42 100644 --- a/drivers/hid/i2c-hid/i2c-hid.c +++ b/drivers/hid/i2c-hid/i2c-hid.c @@ -69,6 +69,7 @@ struct i2c_hid_desc { __le16 wVendorID; __le16 wProductID; __le16 wVersionID; + __le32 reserved; } __packed; struct i2c_hid_cmd { @@ -776,7 +777,13 @@ static int __devinit i2c_hid_fetch_hid_descriptor(struct i2c_hid *ihid) } dsize = le16_to_cpu(hdesc->wHIDDescLength); - if (!dsize || dsize > HID_MAX_DESCRIPTOR_SIZE) { + /* + * the size of the HID descriptor should at least contain + * its size and the bcdVersion (4 bytes), and should not be greater + * than sizeof(struct i2c_hid_desc) as we directly fill this struct + * through i2c_hid_command. + */ + if (dsize < 4 || dsize > sizeof(struct i2c_hid_desc)) { dev_err(&client->dev, "weird size of HID descriptor (%u)\n", dsize); return -ENODEV; -- 1.8.0.1 -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html