uref->field_index, uref->usage_index, finfo.field_index and cinfo.index can be
indirectly controlled by user-space, hence leading to a potential exploitation
of the Spectre variant 1 vulnerability.
This issue was detected with the help of Smatch:
drivers/hid/usbhid/hiddev.c:473 hiddev_ioctl_usage() warn: potential spectre issue 'report->field' (local cap)
drivers/hid/usbhid/hiddev.c:477 hiddev_ioctl_usage() warn: potential spectre issue 'field->usage' (local cap)
drivers/hid/usbhid/hiddev.c:757 hiddev_ioctl() warn: potential spectre issue 'report->field' (local cap)
drivers/hid/usbhid/hiddev.c:801 hiddev_ioctl() warn: potential spectre issue 'hid->collection' (local cap)
Fix this by sanitizing such structure fields before using them to index
report->field, field->usage and hid->collection
Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].
[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Commit ac75a04104 ("HID: i2c-hid: fix size check and type usage") started
writing messages when the ret_size is <= 2 from i2c_master_recv. However, my
device i2c-DLL07D1 returns 2 for a short period of time (~0.5s) after I stop
moving the pointing stick or touchpad. It varies, but you get ~50 messages
each time which spams the log hard.
[ 95.925055] i2c_hid i2c-DLL07D1:01: i2c_hid_get_input: incomplete report (83/2)
This has also been observed with a i2c-ALP0017.
[ 1781.266353] i2c_hid i2c-ALP0017:00: i2c_hid_get_input: incomplete report (30/2)
Only print the message when ret_size is totally invalid and less than 2 to cut
down on the log spam.
Fixes: ac75a04104 ("HID: i2c-hid: fix size check and type usage")
Reported-by: John Smith <john-s-84@gmx.net>
Cc: stable@vger.kernel.org
Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Recent kernels support asynchronous probing; most hyperv drivers
can be probed async easily so set the required flag for this.
Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The touch sensors on the 2nd-gen Intuos tablets don't use a 4096x4096
sensor like other similar tablets (3rd-gen Bamboo, Intuos5, etc.).
The incorrect maximum XY values don't normally affect userspace since
touch input from these devices is typically relative rather than
absolute. It does, however, cause problems when absolute distances
need to be measured, e.g. for gesture recognition. Since the resolution
of the touch sensor on these devices is 10 units / mm (versus 100 for
the pen sensor), the proper maximum values can be calculated by simply
dividing by 10.
Fixes: b5fd2a3e92 ("Input: wacom - add support for three new Intuos devices")
Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
We want to keep device-specific quirks as contained as possible so that the
the code remains maintainable. Our 'wacom_setup_device_quirks' function is
the usual place for this, but some quirks need to be applied to the HID
descriptor as it is parsed. This commit introduces a new function which is
called for each usage so that any HID-specific quirks can be applied. The
function now houses quirks that were being done in 'wacom_feature_mapping'
and 'wacom_usage_mapping'.
Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Detecting the number of supported touches for a particular device used
to be tricky, both because early forms of the driver didn't have a very
good HID parser and because early hardware didn't always advertise the
actual number. At the time, we added a block of code which would ensure
that touch_max would always be equal to at least 1 on any touch device,
and relied on setting touch_max to e.g. 2 only for the multitouch-capable
exceptions.
The common case has since flipped, and the driver and descriptors can
reliably detect the number of touches supported by modern sensors.
Because of this, it makes sense to remove the fixup code and instead
place static declarations of "touch_max = 1" for these old devices. It
isn't entirely clear if all 2-finger devices actually report a maximum
number of touches so we leave these declarations still in place.
For the eagle-eyed, the "> BAMBOO_PT" condition was originally equivalent
to ">= TABLETPC", which is what the intent was. This commit doesn't have
to consider the types introduced in the interim since they shouldn't be
affected, hence why only the tablet PC definitions have been modified.
Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Detected on the Dell XPS 9365.
The laptop has 2 devices that benefit from the hid-generic auto-unbinding.
When those 2 devices are presented to the userspace, udev loads both wacom and
hid-multitouch. When this happens, the code in __hid_bus_reprobe_drivers() is
called concurrently and the second device gets reprobed twice.
An other bug in the power_supply subsystem prevent to remove the wacom driver
if it just finished its initialization, which basically kills the wacom node.
[jkosina@suse.cz: reformat changelog a bit]
Fixes c17a7476e4 ("HID: core: rewrite the hid-generic automatic unbind")
Cc: stable@vger.kernel.org # v4.17
Tested-by: Mario Limonciello <mario.limonciello@dell.com>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
This adds the drums and guitar extensions for Wiimote devices.
Devices are reported as "Nintendo Wii Remote Guitar/Drums". If I ever
get my hands on "RockBand" guitars, I will try to report them via the
same interface so user-space does not have to bother which device it
deals with.
This is a rebase of the original commits 8e22ecb603 and 73f8645db1.
They were reverted several years ago, since they were dependent on the
ABS_* rework of the input core. Sadly, this never worked out so these
commits were never pushed into a release. This rebase now uses the
ABS_HAT* event codes to report all pressure information.
Signed-off-by: Nicolas.Adenis-Lamarre <nicolas.adenis.lamarre@gmail.com>
(Original commits by Nicolas, adapted to v4.18 by David)
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
The USB completion callback does not disable interrupts while acquiring
the ->lock. We want to remove the local_irq_disable() invocation from
__usb_hcd_giveback_urb() and therefore it is required for the callback
handler to disable the interrupts while acquiring the lock.
The callback may be invoked either in IRQ or BH context depending on the
USB host controller.
Use the _irqsave() variant of the locking primitives.
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cc: linux-input@vger.kernel.org
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
The redragon asura keyboard registers two input devices. The initial commit
85455dd906 ("HID: redragon: Fix modifier keys for Redragon Asura Keyboard")
considered this an error and prevented one of the devices from registering.
However, once this is done the num lock and caps lock leds no longer toggle on
and off, although the key functionality is not affected.
This commit removes the code that prevents the input device
registration and restores the num lock and caps lock LEDs.
Fixes: 85455dd906 ("HID: redragon: Fix modifier keys for Redragon Asura Keyboard")
Signed-off-by: Robert Munteanu <rombert@apache.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
When sysfs_create_group fails, the lack of error-handling code may
cause unexpected results.
This patch adds error-handling code after calling sysfs_create_group.
Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Pull HID fixes from Jiri Kosina:
- Wacom 2nd-gen Intuos Pro large Y axis handling fix from Jason Gerecke
- fix for hibernation in Intel ISH driver, from Even Xu
- crash fix for hid-steam driver, from Rodrigo Rivas Costa
- new device ID addition to google-hammer driver
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
HID: wacom: Correct logical maximum Y for 2nd-gen Intuos Pro large
HID: intel_ish-hid: ipc: register more pm callbacks to support hibernation
HID: steam: use hid_device.driver_data instead of hid_set_drvdata()
HID: google: Add support for whiskers
The HID descriptor for the 2nd-gen Intuos Pro large (PTH-860) contains
a typo which defines an incorrect logical maximum Y value. This causes
a small portion of the bottom of the tablet to become unusable (both
because the area is below the "bottom" of the tablet and because
'wacom_wac_event' ignores out-of-range values). It also results in a
skewed aspect ratio.
To fix this, we add a quirk to 'wacom_usage_mapping' which overwrites
the data with the correct value.
Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
CC: stable@vger.kernel.org # v4.10+
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Current ISH driver only registers suspend/resume PM callbacks which don't
support hibernation (suspend to disk). Basically after hiberation, the ISH
can't resume properly and user may not see sensor events (for example: screen
rotation may not work).
User will not see a crash or panic or anything except the following message
in log:
hid-sensor-hub 001F:8086:22D8.0001: timeout waiting for response from ISHTP device
So this patch adds support for S4/hiberbation to ISH by using the
SIMPLE_DEV_PM_OPS() MACRO instead of struct dev_pm_ops directly. The suspend
and resume functions will now be used for both suspend to RAM and hibernation.
If power management is disabled, SIMPLE_DEV_PM_OPS will do nothing, the suspend
and resume related functions won't be used, so mark them as __maybe_unused to
clarify that this is the intended behavior, and remove #ifdefs for power
management.
Cc: stable@vger.kernel.org
Signed-off-by: Even Xu <even.xu@intel.com>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
When creating the low-level hidraw device, the reference to steam_device
was stored using hid_set_drvdata(). But this value is not guaranteed to
be kept when set before calling probe. If this pointer is reset, it
crashes when opening the emulated hidraw device.
It looks like hid_set_drvdata() is for users "avobe" this hid_device,
while hid_device.driver_data it for users "below" this one.
In this case, we are creating a virtual hidraw device, so we must use
hid_device.driver_data.
Signed-off-by: Rodrigo Rivas Costa <rodrigorivascosta@gmail.com>
Tested-by: Mariusz Ceier <mceier+kernel@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
The script:
./scripts/documentation-file-ref-check --fix
Gives multiple hints for broken references on some files.
Manually use the one that applies for some files.
Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Acked-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Acked-by: Jonathan Corbet <corbet@lwn.net>
- improvement of duplicate usage handling in hid-input from Benjamin Tissoires
- Win 8.1 precisioun touchpad spec implementation from Benjamin Tissoires
Delcom offers different types of products sharing the same USB VID/PID
as the Visual Signal Indicator. Other products need to be handled by
HID Generic what's not possible currently because USB VID/PID are
listed in hid_have_special_driver[].
After e04a0442d3 ("HID: core: remove the absolute need of
hid_have_special_driver[]") we can now remove the Delcom entry.
If a Visual Signal Indicator device is plugged-in, HID core
will start a reprobe if hid-led driver is available.
If another device with same USB VID/PID is plugged-in, then hid-led
can be blacklisted and HID Generic handles the device.
Thanks to Delcom for providing test devices.
Reported-by: Douglas Lovett <dlovett@delcomproducts.com>
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Using the power supply APIs requires selecting the appropriate
Kconfig symbol, otherwise we get this build failure:
drivers/hid/hid-steam.o: In function `steam_unregister':
hid-steam.c:(.text+0x1cc): undefined reference to `power_supply_unregister'
drivers/hid/hid-steam.o: In function `steam_battery_get_property':
hid-steam.c:(.text+0x2d2): undefined reference to `power_supply_get_drvdata'
drivers/hid/hid-steam.o: In function `steam_raw_event':
hid-steam.c:(.text+0xcba): undefined reference to `power_supply_changed'
drivers/hid/hid-steam.o: In function `steam_register':
hid-steam.c:(.text+0x13e3): undefined reference to `power_supply_register'
hid-steam.c:(.text+0x13fe): undefined reference to `power_supply_powers'
Fixes: f827197907 ("HID: steam: add battery device.")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Fix comment typo for hid_hw_open().
[jkosina@suse.cz: write at least some changelog]
Signed-off-by: Hisao Tanabe <xtanabe@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Add a mapping for Push-To-Talk joystick trigger button.
Tested on ChromeBox/ChromeBook with various Plantronics devices.
Signed-off-by: Terry Junge <terry.junge@plantronics.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Some exit paths from mt_need_to_apply_feature() returned int instead
of bool; fix that up.
Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
On many Chromebooks touch devices are multi-sourced; the components are
electrically compatible and one can be freely swapped for another without
changing the OS image or firmware.
To avoid bunch of scary messages when device is not actually present in the
system let's try testing basic communication with it and if there is no
response terminate probe early with -ENXIO.
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
->product, ->version and ->type fields in the client struct were left out
unitialized from the hid device fields; fix that.
Reported-by: Rodrigo Rivas Costa <rodrigorivascosta@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
There are two ways to connect the Steam Controller: directly to the USB
or with the USB wireless adapter. Both methods are similar, but the
wireless adapter can connect up to 4 devices at the same time.
The wired device will appear as 3 interfaces: a virtual mouse, a virtual
keyboard and a custom HID device.
The wireless device will appear as 5 interfaces: a virtual keyboard and
4 custom HID devices, that will remain silent until a device is actually
connected.
The custom HID device has a report descriptor with all vendor specific
usages, so the hid-generic is not very useful. In a PC/SteamBox Valve
Steam Client provices a software translation by using hidraw and a
creates a uinput virtual gamepad and XTest keyboard/mouse.
This driver intercepts the hidraw usage, so it can get out of the way
when the Steam Client is in use.
Signed-off-by: Rodrigo Rivas Costa <rodrigorivascosta@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
The 0457:10fb touchscreen found on the Toshiba Click Mini L9W-B needs
to have a report-decriptors command send to it on resume in order for
the touchscreen to start generating events again on resume.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Never directly free @dev after calling device_register(), even
if it returned an error. Always use put_device() to give up the
reference initialized.
Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
If only the first 't4_read_write_register()' call fails, the error code
will be overwritten and lost.
Directly report the error instead.
While at it, log some errors if 't4_read_write_register()' fails, as done
in the rest of the driver.
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
