From 27ce405039bfe6d3f4143415c638f56a3df77dca Mon Sep 17 00:00:00 2001 From: Jiri Kosina Date: Wed, 10 Jul 2013 19:56:27 +0200 Subject: HID: fix data access in implement() implement() is setting bytes in LE data stream. In case the data is not aligned to 64bits, it reads past the allocated buffer. It doesn't really change any value there (it's properly bitmasked), but in case that this read past the boundary hits a page boundary, pagefault happens when accessing 64bits of 'x' in implement(), and kernel oopses. This happens much more often when numbered reports are in use, as the initial 8bit skip in the buffer makes the whole process work on values which are not aligned to 64bits. This problem dates back to attempts in 2005 and 2006 to make implement() and extract() as generic as possible, and even back then the problem was realized by Adam Kroperlin, but falsely assumed to be impossible to cause any harm: http://www.mail-archive.com/linux-usb-devel@lists.sourceforge.net/msg47690.html I have made several attempts at fixing it "on the spot" directly in implement(), but the results were horrible; the special casing for processing last 64bit chunk and switching to different math makes it unreadable mess. I therefore took a path to allocate a few bytes more which will never make it into final report, but are there as a cushion for all the 64bit math operations happening in implement() and extract(). All callers of hid_output_report() are converted at the same time to allocate the buffer by newly introduced hid_alloc_report_buf() helper. Bruno noticed that the whole raw_size test can be dropped as well, as hid_alloc_report_buf() makes sure that the buffer is always of a proper size. Reviewed-by: Benjamin Tissoires Acked-by: Gustavo Padovan Signed-off-by: Jiri Kosina --- include/linux/hid.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include') diff --git a/include/linux/hid.h b/include/linux/hid.h index 0c48991b0402..acccdf4eb485 100644 --- a/include/linux/hid.h +++ b/include/linux/hid.h @@ -744,6 +744,7 @@ struct hid_field *hidinput_get_led_field(struct hid_device *hid); unsigned int hidinput_count_leds(struct hid_device *hid); __s32 hidinput_calc_abs_res(const struct hid_field *field, __u16 code); void hid_output_report(struct hid_report *report, __u8 *data); +u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags); struct hid_device *hid_allocate_device(void); struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id); int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size); -- cgit v1.2.2 From ddf64a3c03d4d68431146a0f1622844cc6cb6c22 Mon Sep 17 00:00:00 2001 From: David Herrmann Date: Mon, 15 Jul 2013 19:10:10 +0200 Subject: HID: usbhid: make usbhid_set_leds() static usbhid_set_leds() is only used inside of usbhid/hid-core.c so no need to export it. Signed-off-by: David Herrmann Reviewed-by: Benjamin Tissoires Signed-off-by: Jiri Kosina --- include/linux/hid.h | 1 - 1 file changed, 1 deletion(-) (limited to 'include') diff --git a/include/linux/hid.h b/include/linux/hid.h index 0c48991b0402..b8058c5c5594 100644 --- a/include/linux/hid.h +++ b/include/linux/hid.h @@ -989,7 +989,6 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, u32 usbhid_lookup_quirk(const u16 idVendor, const u16 idProduct); int usbhid_quirks_init(char **quirks_param); void usbhid_quirks_exit(void); -void usbhid_set_leds(struct hid_device *hid); #ifdef CONFIG_HID_PID int hid_pidff_init(struct hid_device *hid); -- cgit v1.2.2 From bdb829e1dd710029a075b5f86d4053e7715beb06 Mon Sep 17 00:00:00 2001 From: David Herrmann Date: Mon, 15 Jul 2013 19:10:15 +0200 Subject: HID: uhid: use generic hidinput_input_event() HID core provides the same functionality and can convert the input event to a raw output report. We can thus drop UHID_OUTPUT_EV and rely on the mandatory UHID_OUTPUT. User-space wasn't able to do anything with UHID_OUTPUT_EV, anyway. They don't have access to the report fields. Signed-off-by: David Herrmann Acked-by: Benjamin Tissoires Signed-off-by: Jiri Kosina --- include/uapi/linux/uhid.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/include/uapi/linux/uhid.h b/include/uapi/linux/uhid.h index e9ed951e2b09..414b74be4da1 100644 --- a/include/uapi/linux/uhid.h +++ b/include/uapi/linux/uhid.h @@ -30,7 +30,7 @@ enum uhid_event_type { UHID_OPEN, UHID_CLOSE, UHID_OUTPUT, - UHID_OUTPUT_EV, + UHID_OUTPUT_EV, /* obsolete! */ UHID_INPUT, UHID_FEATURE, UHID_FEATURE_ANSWER, @@ -69,6 +69,8 @@ struct uhid_output_req { __u8 rtype; } __attribute__((__packed__)); +/* Obsolete! Newer kernels will no longer send these events but instead convert + * it into raw output reports via UHID_OUTPUT. */ struct uhid_output_ev_req { __u16 type; __u16 code; -- cgit v1.2.2 From 50c9d75b6f01a337aab728511bc1d2a0a3d7b800 Mon Sep 17 00:00:00 2001 From: David Herrmann Date: Mon, 15 Jul 2013 19:10:12 +0200 Subject: HID: input: generic hidinput_input_event handler The hidinput_input_event() callback converts input events written from userspace into HID reports and sends them to the device. We currently implement this in every HID transport driver, even though most of them do the same. This provides a generic hidinput_input_event() implementation which is mostly copied from usbhid. It uses a delayed worker to allow multiple LED events to be collected into a single output event. We use the custom ->request() transport driver callback to allow drivers to adjust the outgoing report and handle the request asynchronously. If no custom ->request() callback is available, we fall back to the generic raw output report handler (which is synchronous). Drivers can still provide custom hidinput_input_event() handlers (see logitech-dj) if the generic implementation doesn't fit their needs. Signed-off-by: David Herrmann Signed-off-by: Jiri Kosina --- include/linux/hid.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include') diff --git a/include/linux/hid.h b/include/linux/hid.h index b8058c5c5594..ea4b828cb9cd 100644 --- a/include/linux/hid.h +++ b/include/linux/hid.h @@ -456,6 +456,7 @@ struct hid_device { /* device report descriptor */ enum hid_type type; /* device type (mouse, kbd, ...) */ unsigned country; /* HID country */ struct hid_report_enum report_enum[HID_REPORT_TYPES]; + struct work_struct led_work; /* delayed LED worker */ struct semaphore driver_lock; /* protects the current driver, except during input */ struct semaphore driver_input_lock; /* protects the current driver */ -- cgit v1.2.2 From 3d7d248cf484fe37595698e0ca31a9bcecc85a42 Mon Sep 17 00:00:00 2001 From: Benjamin Tissoires Date: Thu, 13 Jun 2013 09:50:35 +0200 Subject: HID: i2c-hid: add DT bindings Add device tree based support for HID over I2C devices. Tested on an Odroid-X board with a Synaptics touchpad. Signed-off-by: Benjamin Tissoires Signed-off-by: Jiri Kosina --- include/linux/i2c/i2c-hid.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/include/linux/i2c/i2c-hid.h b/include/linux/i2c/i2c-hid.h index 60e411d764d4..7aa901d92058 100644 --- a/include/linux/i2c/i2c-hid.h +++ b/include/linux/i2c/i2c-hid.h @@ -19,7 +19,8 @@ * @hid_descriptor_address: i2c register where the HID descriptor is stored. * * Note that it is the responsibility of the platform driver (or the acpi 5.0 - * driver) to setup the irq related to the gpio in the struct i2c_board_info. + * driver, or the flattened device tree) to setup the irq related to the gpio in + * the struct i2c_board_info. * The platform driver should also setup the gpio according to the device: * * A typical example is the following: -- cgit v1.2.2 From 15261f6d8d032b30f6eb7dbf1dbb9e4095df84c0 Mon Sep 17 00:00:00 2001 From: Andy Shevchenko Date: Wed, 14 Aug 2013 11:07:08 +0300 Subject: HID: hid-sensor-hub: fix style of comments This patch fixes the style of the comments to be like following /* The commentary */ There is no functional change. Signed-off-by: Andy Shevchenko Signed-off-by: Jiri Kosina --- include/linux/hid-sensor-hub.h | 2 +- include/linux/hid-sensor-ids.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'include') diff --git a/include/linux/hid-sensor-hub.h b/include/linux/hid-sensor-hub.h index ecefb7311dd6..32ba45158d39 100644 --- a/include/linux/hid-sensor-hub.h +++ b/include/linux/hid-sensor-hub.h @@ -172,7 +172,7 @@ struct hid_sensor_common { struct hid_sensor_hub_attribute_info sensitivity; }; -/*Convert from hid unit expo to regular exponent*/ +/* Convert from hid unit expo to regular exponent */ static inline int hid_sensor_convert_exponent(int unit_expo) { if (unit_expo < 0x08) diff --git a/include/linux/hid-sensor-ids.h b/include/linux/hid-sensor-ids.h index 6f24446e7669..4f945d3ed49f 100644 --- a/include/linux/hid-sensor-ids.h +++ b/include/linux/hid-sensor-ids.h @@ -37,7 +37,7 @@ #define HID_USAGE_SENSOR_ANGL_VELOCITY_Y_AXIS 0x200458 #define HID_USAGE_SENSOR_ANGL_VELOCITY_Z_AXIS 0x200459 -/*ORIENTATION: Compass 3D: (200083) */ +/* ORIENTATION: Compass 3D: (200083) */ #define HID_USAGE_SENSOR_COMPASS_3D 0x200083 #define HID_USAGE_SENSOR_ORIENT_MAGN_HEADING 0x200471 #define HID_USAGE_SENSOR_ORIENT_MAGN_HEADING_X 0x200472 -- cgit v1.2.2 From 277fe44dd862412ee034470ad1c13a79d24e533b Mon Sep 17 00:00:00 2001 From: Yonghua Zheng Date: Mon, 26 Aug 2013 23:38:35 +0800 Subject: HID: hidraw: Add spinlock in struct hidraw to protect list It is unsafe to call list_for_each_entry in hidraw_report_event to traverse each hidraw_list node without a lock protection, the list could be modified if someone calls hidraw_release and list_del to remove itself from the list, this can cause hidraw_report_event to touch a deleted list struct and panic. To prevent this, introduce a spinlock in struct hidraw to protect list from concurrent access. Signed-off-by: Yonghua Zheng Signed-off-by: Jiri Kosina --- include/linux/hidraw.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include') diff --git a/include/linux/hidraw.h b/include/linux/hidraw.h index 2451662c728a..ddf52612eed8 100644 --- a/include/linux/hidraw.h +++ b/include/linux/hidraw.h @@ -23,6 +23,7 @@ struct hidraw { wait_queue_head_t wait; struct hid_device *hid; struct device *dev; + spinlock_t list_lock; struct list_head list; }; -- cgit v1.2.2 From f961bd3516e4f699bbacff5d7f5247d6d87c59f0 Mon Sep 17 00:00:00 2001 From: Benjamin Tissoires Date: Thu, 22 Aug 2013 14:51:08 +0200 Subject: HID: detect Win 8 multitouch devices in core Detecting Win 8 multitouch devices in core allows us to set quirks before the device is parsed through hid_hw_start(). It also simplifies the detection of those devices in hid-multitouch and makes the handling of those devices cleaner. As Win 8 multitouch panels are in the group multitouch and rely on a special feature to be detected, this patch adds a bitfield in the parser. Signed-off-by: Benjamin Tissoires Reviewed-by: Henrik Rydberg Tested-by: Srinivas Pandruvada Signed-off-by: Jiri Kosina --- include/linux/hid.h | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'include') diff --git a/include/linux/hid.h b/include/linux/hid.h index 0c48991b0402..cef1e9b86cc4 100644 --- a/include/linux/hid.h +++ b/include/linux/hid.h @@ -295,6 +295,7 @@ struct hid_item { #define HID_GROUP_GENERIC 0x0001 #define HID_GROUP_MULTITOUCH 0x0002 #define HID_GROUP_SENSOR_HUB 0x0003 +#define HID_GROUP_MULTITOUCH_WIN_8 0x0004 /* * This is the global environment of the parser. This information is @@ -532,6 +533,8 @@ static inline void hid_set_drvdata(struct hid_device *hdev, void *data) #define HID_GLOBAL_STACK_SIZE 4 #define HID_COLLECTION_STACK_SIZE 4 +#define HID_SCAN_FLAG_MT_WIN_8 0x00000001 + struct hid_parser { struct hid_global global; struct hid_global global_stack[HID_GLOBAL_STACK_SIZE]; @@ -540,6 +543,7 @@ struct hid_parser { unsigned collection_stack[HID_COLLECTION_STACK_SIZE]; unsigned collection_stack_ptr; struct hid_device *device; + unsigned scan_flags; }; struct hid_class_descriptor { -- cgit v1.2.2 From 595e9276ce68791317484ec7f0f9f2e0457c3b34 Mon Sep 17 00:00:00 2001 From: Benjamin Tissoires Date: Thu, 22 Aug 2013 14:51:09 +0200 Subject: HID: do not init input reports for Win 8 multitouch devices Some multitouch screens do not like to be polled for input reports. However, the Win8 spec says that all touches should be sent during each report, making the initialization of reports unnecessary. The Win7 spec is less precise, so do not use this for those devices. Add the quirk HID_QUIRK_NO_INIT_INPUT_REPORTS so that we do not have to introduce a quirk for each problematic device. This quirk makes the driver behave the same way the Win 8 does. It actually retrieves the features, but not the inputs. Signed-off-by: Benjamin Tissoires Reviewed-by: Henrik Rydberg Tested-by: Srinivas Pandruvada Signed-off-by: Jiri Kosina --- include/linux/hid.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include') diff --git a/include/linux/hid.h b/include/linux/hid.h index cef1e9b86cc4..bc132d2a20aa 100644 --- a/include/linux/hid.h +++ b/include/linux/hid.h @@ -283,6 +283,7 @@ struct hid_item { #define HID_QUIRK_MULTI_INPUT 0x00000040 #define HID_QUIRK_HIDINPUT_FORCE 0x00000080 #define HID_QUIRK_NO_EMPTY_INPUT 0x00000100 +#define HID_QUIRK_NO_INIT_INPUT_REPORTS 0x00000200 #define HID_QUIRK_SKIP_OUTPUT_REPORTS 0x00010000 #define HID_QUIRK_FULLSPEED_INTERVAL 0x10000000 #define HID_QUIRK_NO_INIT_REPORTS 0x20000000 -- cgit v1.2.2 From 43622021d2e2b82ea03d883926605bdd0525e1d1 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Wed, 28 Aug 2013 22:29:55 +0200 Subject: HID: validate HID report id size The "Report ID" field of a HID report is used to build indexes of reports. The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host: [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 [ 1347.156261] IP: [] hid_register_report+0x2a/0x8b CVE-2013-2888 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Jiri Kosina --- include/linux/hid.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/include/linux/hid.h b/include/linux/hid.h index 0c48991b0402..ff545cc33c3a 100644 --- a/include/linux/hid.h +++ b/include/linux/hid.h @@ -393,10 +393,12 @@ struct hid_report { struct hid_device *device; /* associated device */ }; +#define HID_MAX_IDS 256 + struct hid_report_enum { unsigned numbered; struct list_head report_list; - struct hid_report *report_id_hash[256]; + struct hid_report *report_id_hash[HID_MAX_IDS]; }; #define HID_REPORT_TYPES 3 -- cgit v1.2.2 From 61e00655e9cb82e034eb72b95a51072e718d14a7 Mon Sep 17 00:00:00 2001 From: David Herrmann Date: Mon, 26 Aug 2013 19:14:46 +0200 Subject: Input: introduce BTN/ABS bits for drums and guitars There are a bunch of guitar and drums devices out there that all report similar data. To avoid reporting this as BTN_MISC or ABS_MISC, we allocate some proper namespace for them. Note that most of these devices are toys and we cannot report any sophisticated physics via this API. I did some google-images research and tried to provide definitions that work with all common devices. That's why I went with 4 toms, 4 cymbals, one bass, one hi-hat. I haven't seen other drums and I doubt that we need any additions to that. Anyway, the naming-scheme is intentionally done in an extensible way. For guitars, we support 5 frets (normally aligned vertically, compared to the real horizontal layouts), a single strum-bar with up/down directions, an optional fret-board and a whammy-bar. Most of the devices provide pressure values so I went with ABS_* bits. If we ever support devices which only provide digital input, we have to decide whether to emulate pressure data or add additional BTN_* bits. If someone is not familiar with these devices, here are two pictures which provide almost all introduced interfaces (or try the given keywords with a google-image search): Guitar: ("guitar hero world tour guitar") http://images1.wikia.nocookie.net/__cb20120911023442/applezone/es/images/f/f9/Wii_Guitar.jpg Drums: ("guitar hero drums") http://oyster.ignimgs.com/franchises/images/03/55/35526_band-hero-drum-set-hands-on-20090929040735768.jpg Signed-off-by: David Herrmann Acked-by: Dmitry Torokhov Signed-off-by: Jiri Kosina --- include/linux/mod_devicetable.h | 2 +- include/uapi/linux/input.h | 25 +++++++++++++++++++++++-- 2 files changed, 24 insertions(+), 3 deletions(-) (limited to 'include') diff --git a/include/linux/mod_devicetable.h b/include/linux/mod_devicetable.h index b62d4af6c667..65f8a8c4ebbc 100644 --- a/include/linux/mod_devicetable.h +++ b/include/linux/mod_devicetable.h @@ -277,7 +277,7 @@ struct pcmcia_device_id { #define INPUT_DEVICE_ID_KEY_MIN_INTERESTING 0x71 #define INPUT_DEVICE_ID_KEY_MAX 0x2ff #define INPUT_DEVICE_ID_REL_MAX 0x0f -#define INPUT_DEVICE_ID_ABS_MAX 0x3f +#define INPUT_DEVICE_ID_ABS_MAX 0x4f #define INPUT_DEVICE_ID_MSC_MAX 0x07 #define INPUT_DEVICE_ID_LED_MAX 0x0f #define INPUT_DEVICE_ID_SND_MAX 0x07 diff --git a/include/uapi/linux/input.h b/include/uapi/linux/input.h index d584047b072b..76457eef172a 100644 --- a/include/uapi/linux/input.h +++ b/include/uapi/linux/input.h @@ -716,6 +716,14 @@ struct input_keymap_entry { #define BTN_DPAD_LEFT 0x222 #define BTN_DPAD_RIGHT 0x223 +#define BTN_FRET_FAR_UP 0x224 +#define BTN_FRET_UP 0x225 +#define BTN_FRET_MID 0x226 +#define BTN_FRET_LOW 0x227 +#define BTN_FRET_FAR_LOW 0x228 +#define BTN_STRUM_BAR_UP 0x229 +#define BTN_STRUM_BAR_DOWN 0x22a + #define BTN_TRIGGER_HAPPY 0x2c0 #define BTN_TRIGGER_HAPPY1 0x2c0 #define BTN_TRIGGER_HAPPY2 0x2c1 @@ -829,8 +837,21 @@ struct input_keymap_entry { #define ABS_MT_TOOL_X 0x3c /* Center X tool position */ #define ABS_MT_TOOL_Y 0x3d /* Center Y tool position */ - -#define ABS_MAX 0x3f +/* Drums and guitars (mostly toys) */ +#define ABS_TOM_FAR_LEFT 0x40 +#define ABS_TOM_LEFT 0x41 +#define ABS_TOM_RIGHT 0x42 +#define ABS_TOM_FAR_RIGHT 0x43 +#define ABS_CYMBAL_FAR_LEFT 0x44 +#define ABS_CYMBAL_LEFT 0x45 +#define ABS_CYMBAL_RIGHT 0x46 +#define ABS_CYMBAL_FAR_RIGHT 0x47 +#define ABS_BASS 0x48 +#define ABS_HI_HAT 0x49 +#define ABS_FRET_BOARD 0x4a /* Guitar fret board, vertical pos */ +#define ABS_WHAMMY_BAR 0x4b /* Guitar whammy bar (or vibrato) */ + +#define ABS_MAX 0x4f #define ABS_CNT (ABS_MAX+1) /* -- cgit v1.2.2 From 39054a5afbb05f83aaa26f6cf55027e269744ba3 Mon Sep 17 00:00:00 2001 From: David Herrmann Date: Mon, 2 Sep 2013 14:00:05 +0200 Subject: HID: move HID_REPORT_TYPES closer to the report-definitions HID_REPORT_TYPES defines the number of available report-types. Move it closer to the actualy definition of the report-types so we can see the relation more clearly (and hopefully will never forget to update it). Signed-off-by: David Herrmann Signed-off-by: Jiri Kosina --- include/linux/hid.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'include') diff --git a/include/linux/hid.h b/include/linux/hid.h index d50137691a78..729bf27aac8f 100644 --- a/include/linux/hid.h +++ b/include/linux/hid.h @@ -252,6 +252,8 @@ struct hid_item { #define HID_OUTPUT_REPORT 1 #define HID_FEATURE_REPORT 2 +#define HID_REPORT_TYPES 3 + /* * HID connect requests */ @@ -401,8 +403,6 @@ struct hid_report_enum { struct hid_report *report_id_hash[HID_MAX_IDS]; }; -#define HID_REPORT_TYPES 3 - #define HID_MIN_BUFFER_SIZE 64 /* make sure there is at least a packet size of space */ #define HID_MAX_BUFFER_SIZE 4096 /* 4kb */ #define HID_CONTROL_FIFO_SIZE 256 /* to init devices with >100 reports */ -- cgit v1.2.2