1. 13 9月, 2013 2 次提交
  2. 04 9月, 2013 1 次提交
  3. 02 9月, 2013 1 次提交
  4. 29 8月, 2013 1 次提交
    • K
      HID: validate HID report id size · 43622021
      Kees Cook 提交于
      The "Report ID" field of a HID report is used to build indexes of
      reports. The kernel's index of these is limited to 256 entries, so any
      malicious device that sets a Report ID greater than 255 will trigger
      memory corruption on the host:
      
      [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
      [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
      
      CVE-2013-2888
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Cc: stable@kernel.org
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      43622021
  5. 27 8月, 2013 2 次提交
  6. 26 8月, 2013 1 次提交
  7. 29 7月, 2013 1 次提交
  8. 22 7月, 2013 1 次提交
    • J
      HID: fix data access in implement() · 27ce4050
      Jiri Kosina 提交于
      implement() is setting bytes in LE data stream. In case the data is not
      aligned to 64bits, it reads past the allocated buffer. It doesn't really
      change any value there (it's properly bitmasked), but in case that this
      read past the boundary hits a page boundary, pagefault happens when
      accessing 64bits of 'x' in implement(), and kernel oopses.
      
      This happens much more often when numbered reports are in use, as the
      initial 8bit skip in the buffer makes the whole process work on values
      which are not aligned to 64bits.
      
      This problem dates back to attempts in 2005 and 2006 to make implement()
      and extract() as generic as possible, and even back then the problem
      was realized by Adam Kroperlin, but falsely assumed to be impossible
      to cause any harm:
      
        http://www.mail-archive.com/linux-usb-devel@lists.sourceforge.net/msg47690.html
      
      I have made several attempts at fixing it "on the spot" directly in
      implement(), but the results were horrible; the special casing for processing
      last 64bit chunk and switching to different math makes it unreadable mess.
      
      I therefore took a path to allocate a few bytes more which will never make
      it into final report, but are there as a cushion for all the 64bit math
      operations happening in implement() and extract().
      
      All callers of hid_output_report() are converted at the same time to allocate
      the buffer by newly introduced hid_alloc_report_buf() helper.
      
      Bruno noticed that the whole raw_size test can be dropped as well, as
      hid_alloc_report_buf() makes sure that the buffer is always of a proper
      size.
      Reviewed-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Acked-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      27ce4050
  9. 15 7月, 2013 1 次提交
  10. 13 7月, 2013 1 次提交
  11. 04 7月, 2013 1 次提交
    • B
      HID: kye: Add report fixup for Genius Gila Gaming mouse · 3685c18e
      Benjamin Tissoires 提交于
      Genius Gila Gaming Mouse presents an obviously wrong report descriptor.
      the Consumer control (report ID 3) is the following:
      0x05, 0x0c,                    // Usage Page (Consumer Devices)       105
      0x09, 0x01,                    // Usage (Consumer Control)            107
      0xa1, 0x01,                    // Collection (Application)            109
      0x85, 0x03,                    //   Report ID (3)                     111
      0x19, 0x00,                    //   Usage Minimum (0)                 113
      0x2a, 0xff, 0x7f,              //   Usage Maximum (32767)             115
      0x15, 0x00,                    //   Logical Minimum (0)               118
      0x26, 0xff, 0x7f,              //   Logical Maximum (32767)           120
      0x75, 0x10,                    //   Report Size (16)                  123
      0x95, 0x03,                    //   Report Count (3)                  125
      0x81, 0x00,                    //   Input (Data,Arr,Abs)              127
      0x75, 0x08,                    //   Report Size (8)                   129
      0x95, 0x01,                    //   Report Count (1)                  131
      0x81, 0x01,                    //   Input (Cnst,Arr,Abs)              133
      0xc0,                          // End Collection                      135
      
      So the first input whithin this report has a count of 3 but a usage range
      of 32768. So this value is obviously wrong as it should not be greater than
      the report count.
      
      Fixes:
      https://bugzilla.redhat.com/show_bug.cgi?id=959721Signed-off-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      3685c18e
  12. 03 7月, 2013 1 次提交
  13. 03 6月, 2013 1 次提交
  14. 29 5月, 2013 1 次提交
    • J
      HID: add driver for ELO 4000/4500 · d23efc19
      Jiri Slaby 提交于
      This is a driver for ELO 4000/4500 devices which report themselves as
      HID devices, but do not really send HID events on touch. So we
      introduce a new HID 'quirk' driver with a raw_event handler where we
      take care of those events.
      
      What we need additionally is an input_configured hook, because the
      device does not mention anything about PRESSURE and TOUCH in its
      report descriptor, but it actually generate those. So we set the bits
      in the corresponding input_dev in that hook.
      
      Thanks to Petr Ostadal who was willing to test the driver. The rest of
      Cc's listed below had something to do with that driver over the years
      in our enterprise tree.
      Signed-off-by: NJiri Slaby <jslaby@suse.cz>
      Tested-by: NPetr Ostadal <postadal@suse.cz>
      Cc: Oliver Neukum <oliver@neukum.org>
      Cc: Vojtech Pavlik <vojtech@suse.cz>
      Cc: Egbert Eich <eich@suse.com>
      Cc: Libor Pechacek <lpechacek@suse.cz>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      d23efc19
  15. 28 5月, 2013 3 次提交
  16. 23 5月, 2013 1 次提交
    • V
      HID: ignore Jabra speakerphones HID interface · 31b9779c
      Vincent Palatin 提交于
      Add a quirk to ignore Jabra speakerphone 410 and 510 devices HID
      interface.
      On those devices, the USB audio interface is working nicely,
      but the HID interface is not working with the kernel usbhid driver,
      and it requires a specific userspace program.
      We could unbind it from userspace but just attaching the usbhid driver has
      sometimes nasty effects:
      either confusing the device state machine or triggering a storm of volume key
      events making eventual sound UI blinking like crazy.
      Signed-off-by: NVincent Palatin <vpalatin@chromium.org>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      31b9779c
  17. 06 5月, 2013 1 次提交
    • J
      HID: debug: fix RCU preemption issue · 1deb9d34
      Jiri Kosina 提交于
      Commit 2353f2be ("HID: protect hid_debug_list") introduced mutex
      locking around debug_list access to prevent SMP races when debugfs
      nodes are being operated upon by multiple userspace processess.
      
      mutex is not a proper synchronization primitive though, as the hid-debug
      callbacks are being called from atomic contexts.
      
      We also have to be careful about disabling IRQs when taking the lock
      to prevent deadlock against IRQ handlers.
      
      Benjamin reports this has also been reported in RH bugzilla as bug #958935.
      
       ===============================
       [ INFO: suspicious RCU usage. ]
       3.9.0+ #94 Not tainted
       -------------------------------
       include/linux/rcupdate.h:476 Illegal context switch in RCU read-side critical section!
      
       other info that might help us debug this:
      
       rcu_scheduler_active = 1, debug_locks = 0
       4 locks held by Xorg/5502:
        #0:  (&evdev->mutex){+.+...}, at: [<ffffffff81512c3d>] evdev_write+0x6d/0x160
        #1:  (&(&dev->event_lock)->rlock#2){-.-...}, at: [<ffffffff8150dd9b>] input_inject_event+0x5b/0x230
        #2:  (rcu_read_lock){.+.+..}, at: [<ffffffff8150dd82>] input_inject_event+0x42/0x230
        #3:  (&(&usbhid->lock)->rlock){-.....}, at: [<ffffffff81565289>] usb_hidinput_input_event+0x89/0x120
      
       stack backtrace:
       CPU: 0 PID: 5502 Comm: Xorg Not tainted 3.9.0+ #94
       Hardware name: Dell Inc. OptiPlex 390/0M5DCD, BIOS A09 07/24/2012
        0000000000000001 ffff8800689c7c38 ffffffff816f249f ffff8800689c7c68
        ffffffff810acb1d 0000000000000000 ffffffff81a03ac7 000000000000019d
        0000000000000000 ffff8800689c7c90 ffffffff8107cda7 0000000000000000
       Call Trace:
        [<ffffffff816f249f>] dump_stack+0x19/0x1b
        [<ffffffff810acb1d>] lockdep_rcu_suspicious+0xfd/0x130
        [<ffffffff8107cda7>] __might_sleep+0xc7/0x230
        [<ffffffff816f7770>] mutex_lock_nested+0x40/0x3a0
        [<ffffffff81312ac4>] ? vsnprintf+0x354/0x640
        [<ffffffff81553cc4>] hid_debug_event+0x34/0x100
        [<ffffffff81554197>] hid_dump_input+0x67/0xa0
        [<ffffffff81556430>] hid_set_field+0x50/0x120
        [<ffffffff8156529a>] usb_hidinput_input_event+0x9a/0x120
        [<ffffffff8150d89e>] input_handle_event+0x8e/0x530
        [<ffffffff8150df10>] input_inject_event+0x1d0/0x230
        [<ffffffff8150dd82>] ? input_inject_event+0x42/0x230
        [<ffffffff81512cae>] evdev_write+0xde/0x160
        [<ffffffff81185038>] vfs_write+0xc8/0x1f0
        [<ffffffff81185535>] SyS_write+0x55/0xa0
        [<ffffffff81704482>] system_call_fastpath+0x16/0x1b
       BUG: sleeping function called from invalid context at kernel/mutex.c:413
       in_atomic(): 1, irqs_disabled(): 1, pid: 5502, name: Xorg
       INFO: lockdep is turned off.
       irq event stamp: 1098574
       hardirqs last  enabled at (1098573): [<ffffffff816fb53f>] _raw_spin_unlock_irqrestore+0x3f/0x70
       hardirqs last disabled at (1098574): [<ffffffff816faaf5>] _raw_spin_lock_irqsave+0x25/0xa0
       softirqs last  enabled at (1098306): [<ffffffff8104971f>] __do_softirq+0x18f/0x3c0
       softirqs last disabled at (1097867): [<ffffffff81049ad5>] irq_exit+0xa5/0xb0
       CPU: 0 PID: 5502 Comm: Xorg Not tainted 3.9.0+ #94
       Hardware name: Dell Inc. OptiPlex 390/0M5DCD, BIOS A09 07/24/2012
        ffffffff81a03ac7 ffff8800689c7c68 ffffffff816f249f ffff8800689c7c90
        ffffffff8107ce60 0000000000000000 ffff8800689c7fd8 ffff88006a62c800
        ffff8800689c7d10 ffffffff816f7770 ffff8800689c7d00 ffffffff81312ac4
       Call Trace:
        [<ffffffff816f249f>] dump_stack+0x19/0x1b
        [<ffffffff8107ce60>] __might_sleep+0x180/0x230
        [<ffffffff816f7770>] mutex_lock_nested+0x40/0x3a0
        [<ffffffff81312ac4>] ? vsnprintf+0x354/0x640
        [<ffffffff81553cc4>] hid_debug_event+0x34/0x100
        [<ffffffff81554197>] hid_dump_input+0x67/0xa0
        [<ffffffff81556430>] hid_set_field+0x50/0x120
        [<ffffffff8156529a>] usb_hidinput_input_event+0x9a/0x120
        [<ffffffff8150d89e>] input_handle_event+0x8e/0x530
        [<ffffffff8150df10>] input_inject_event+0x1d0/0x230
        [<ffffffff8150dd82>] ? input_inject_event+0x42/0x230
        [<ffffffff81512cae>] evdev_write+0xde/0x160
        [<ffffffff81185038>] vfs_write+0xc8/0x1f0
        [<ffffffff81185535>] SyS_write+0x55/0xa0
        [<ffffffff81704482>] system_call_fastpath+0x16/0x1b
      Reported-by: Nmajianpeng <majianpeng@gmail.com>
      Reported-by: NBenjamin Tissoires <benjamin.tissoires@gmail.com>
      Reviewed-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      1deb9d34
  18. 01 5月, 2013 1 次提交
  19. 30 4月, 2013 2 次提交
  20. 29 4月, 2013 1 次提交
  21. 19 4月, 2013 1 次提交
  22. 04 4月, 2013 1 次提交
  23. 29 3月, 2013 1 次提交
  24. 14 3月, 2013 1 次提交
  25. 01 3月, 2013 1 次提交
    • A
      HID: Separate struct hid_device's driver_lock into two locks. · c849a614
      Andrew de los Reyes 提交于
      This patch separates struct hid_device's driver_lock into two. The
      goal is to allow hid device drivers to receive input during their
      probe() or remove() function calls. This is necessary because some
      drivers need to communicate with the device to determine parameters
      needed during probe (e.g., size of a multi-touch surface), and if
      possible, may perfer to communicate with a device on host-initiated
      disconnect (e.g., to put it into a low-power state).
      
      Historically, three functions used driver_lock:
      
      - hid_device_probe: blocks to acquire lock
      - hid_device_remove: blocks to acquire lock
      - hid_input_report: if locked returns -EBUSY, else acquires lock
      
      This patch adds another lock (driver_input_lock) which is used to
      block input from occurring. The lock behavior is now:
      
      - hid_device_probe: blocks to acq. driver_lock, then driver_input_lock
      - hid_device_remove: blocks to acq. driver_lock, then driver_input_lock
      - hid_input_report: if driver_input_lock locked returns -EBUSY, else
        acquires driver_input_lock
      
      This patch also adds two helper functions to be called during probe()
      or remove(): hid_device_io_start() and hid_device_io_stop(). These
      functions lock and unlock, respectively, driver_input_lock; they also
      make a note of whether they did so that hid-core knows if a driver has
      changed the lock state.
      
      This patch results in no behavior change for existing devices and
      drivers. However, during a probe() or remove() function call in a
      driver, that driver may now selectively call hid_device_io_start() to
      let input events come through, then optionally call
      hid_device_io_stop() to stop them.
      Signed-off-by: NAndrew de los Reyes <adlr@chromium.org>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      c849a614
  26. 25 2月, 2013 1 次提交
  27. 19 2月, 2013 1 次提交
    • V
      HID: add ThingM blink(1) USB RGB LED support · 30ba2fbd
      Vivien Didelot 提交于
      The ThingM blink(1) is an open source hardware USB RGB LED. It contains
      an internal EEPROM, allowing to configure up to 12 light patterns. A
      light pattern is a RGB color plus a fade time. This driver registers a
      LED class instance with additional sysfs attributes to support basic
      functions such as setting RGB colors, fade and playing. Other functions
      are still accessible through the hidraw interface.
      
      At this time, the only documentation for the device is the firmware
      source code from ThingM, plus a few schematics. They are available at:
      
      https://github.com/todbot/blink1
      
      This patch is version 3. It updates the name of the source file, the
      driver and the led sysfs entry, according to comments from Jiri Kosina
      and Simon Wood.
      Signed-off-by: NVivien Didelot <vivien.didelot@savoirfairelinux.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      30ba2fbd
  28. 18 2月, 2013 2 次提交
  29. 05 2月, 2013 1 次提交
  30. 31 1月, 2013 1 次提交
  31. 17 1月, 2013 1 次提交
  32. 16 1月, 2013 1 次提交
    • F
      HID: add support for Sony RF receiver with USB product id 0x0374 · a4649184
      Fernando Luis Vázquez Cao 提交于
      Some Vaio desktop computers, among them the VGC-LN51JGB multimedia PC, have
      a RF receiver, multi-interface USB device 054c:0374, that is used to connect
      a wireless keyboard and a wireless mouse.
      
      The keyboard works flawlessly, but the mouse (VGP-WMS3 in my case) does not
      seem to be generating any pointer events. The problem is that the mouse pointer
      is wrongly declared as a constant non-data variable in the report descriptor
      (see lsusb and usbhid-dump output below), with the consequence that it is
      ignored by the HID code.
      
      Add this device to the have-special-driver list and fix up the report
      descriptor in the Sony-specific driver which happens to already have a fixup
      for a similar firmware bug.
      
      # lsusb -vd 054C:0374
      Bus 003 Device 002: ID 054c:0374 Sony Corp.
      Device Descriptor:
        bLength                18
        bDescriptorType         1
        bcdUSB               2.00
        bDeviceClass            0 (Defined at Interface level)
        bDeviceSubClass         0
        bDeviceProtocol         0
        bMaxPacketSize0         8
        idVendor           0x054c Sony Corp.
        idProduct          0x0374
        iSerial                 0
      [...]
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        1
            bAlternateSetting       0
            bNumEndpoints           1
            bInterfaceClass         3 Human Interface Device
            bInterfaceSubClass      1 Boot Interface Subclass
            bInterfaceProtocol      2 Mouse
            iInterface              2 RF Receiver
      [...]
                Report Descriptor: (length is 100)
      [...]
                  Item(Global): Usage Page, data= [ 0x01 ] 1
                                  Generic Desktop Controls
                  Item(Local ): Usage, data= [ 0x30 ] 48
                                  Direction-X
                  Item(Local ): Usage, data= [ 0x31 ] 49
                                  Direction-Y
                  Item(Global): Report Count, data= [ 0x02 ] 2
                  Item(Global): Report Size, data= [ 0x08 ] 8
                  Item(Global): Logical Minimum, data= [ 0x81 ] 129
                  Item(Global): Logical Maximum, data= [ 0x7f ] 127
                  Item(Main  ): Input, data= [ 0x07 ] 7
                                  Constant Variable Relative No_Wrap Linear
                                  Preferred_State No_Null_Position Non_Volatile Bitfield
      
      # usbhid-dump
      003:002:001:DESCRIPTOR         1357910009.758544
       05 01 09 02 A1 01 05 01 09 02 A1 02 85 01 09 01
       A1 00 05 09 19 01 29 05 95 05 75 01 15 00 25 01
       81 02 75 03 95 01 81 01 05 01 09 30 09 31 95 02
       75 08 15 81 25 7F 81 07 A1 02 85 01 09 38 35 00
       45 00 15 81 25 7F 95 01 75 08 81 06 C0 A1 02 85
       01 05 0C 15 81 25 7F 95 01 75 08 0A 38 02 81 06
       C0 C0 C0 C0
      
      Cc: linux-input@vger.kernel.org
      Cc: linux-usb@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NFernando Luis Vazquez Cao <fernando@oss.ntt.co.jp>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      a4649184
  33. 28 12月, 2012 1 次提交
  34. 12 12月, 2012 1 次提交