1. 28 12月, 2015 2 次提交
  2. 20 11月, 2015 1 次提交
  3. 06 11月, 2015 1 次提交
  4. 30 9月, 2015 1 次提交
  5. 01 6月, 2015 1 次提交
  6. 14 3月, 2015 1 次提交
    • K
      power_supply: Change ownership from driver to core · 297d716f
      Krzysztof Kozlowski 提交于
      Change the ownership of power_supply structure from each driver
      implementing the class to the power supply core.
      
      The patch changes power_supply_register() function thus all drivers
      implementing power supply class are adjusted.
      
      Each driver provides the implementation of power supply. However it
      should not be the owner of power supply class instance because it is
      exposed by core to other subsystems with power_supply_get_by_name().
      These other subsystems have no knowledge when the driver will unregister
      the power supply. This leads to several issues when driver is unbound -
      mostly because user of power supply accesses freed memory.
      
      Instead let the core own the instance of struct 'power_supply'.  Other
      users of this power supply will still access valid memory because it
      will be freed when device reference count reaches 0. Currently this
      means "it will leak" but power_supply_put() call in next patches will
      solve it.
      
      This solves invalid memory references in following race condition
      scenario:
      
      Thread 1: charger manager
      Thread 2: power supply driver, used by charger manager
      
      THREAD 1 (charger manager)         THREAD 2 (power supply driver)
      ==========================         ==============================
      psy = power_supply_get_by_name()
                                         Driver unbind, .remove
                                           power_supply_unregister()
                                           Device fully removed
      psy->get_property()
      
      The 'get_property' call is executed in invalid context because the driver was
      unbound and struct 'power_supply' memory was freed.
      
      This could be observed easily with charger manager driver (here compiled
      with max17040 fuel gauge):
      
      $ cat /sys/devices/virtual/power_supply/cm-battery/capacity &
      $ echo "1-0036" > /sys/bus/i2c/drivers/max17040/unbind
      [   55.725123] Unable to handle kernel NULL pointer dereference at virtual address 00000000
      [   55.732584] pgd = d98d4000
      [   55.734060] [00000000] *pgd=5afa2831, *pte=00000000, *ppte=00000000
      [   55.740318] Internal error: Oops: 80000007 [#1] PREEMPT SMP ARM
      [   55.746210] Modules linked in:
      [   55.749259] CPU: 1 PID: 2936 Comm: cat Tainted: G        W       3.19.0-rc1-next-20141226-00048-gf79f475f3c44-dirty #1496
      [   55.760190] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
      [   55.766270] task: d9b76f00 ti: daf54000 task.ti: daf54000
      [   55.771647] PC is at 0x0
      [   55.774182] LR is at charger_get_property+0x2f4/0x36c
      [   55.779201] pc : [<00000000>]    lr : [<c034b0b4>]    psr: 60000013
      [   55.779201] sp : daf55e90  ip : 00000003  fp : 00000000
      [   55.790657] r10: 00000000  r9 : c06e2878  r8 : d9b26c68
      [   55.795865] r7 : dad81610  r6 : daec7410  r5 : daf55ebc  r4 : 00000000
      [   55.802367] r3 : 00000000  r2 : daf55ebc  r1 : 0000002a  r0 : d9b26c68
      [   55.808879] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
      [   55.815994] Control: 10c5387d  Table: 598d406a  DAC: 00000015
      [   55.821723] Process cat (pid: 2936, stack limit = 0xdaf54210)
      [   55.827451] Stack: (0xdaf55e90 to 0xdaf56000)
      [   55.831795] 5e80:                                     60000013 c01459c4 0000002a c06f8ef8
      [   55.839956] 5ea0: db651000 c06f8ef8 daebac00 c04cb668 daebac08 c0346864 00000000 c01459c4
      [   55.848115] 5ec0: d99eaa80 c06f8ef8 00000fff 00001000 db651000 c027f25c c027f240 d99eaa80
      [   55.856274] 5ee0: d9a06c00 c0146218 daf55f18 00001000 d99eaa80 db4c18c0 00000001 00000001
      [   55.864468] 5f00: daf55f80 c0144c78 c0144c54 c0107f90 00015000 d99eaab0 00000000 00000000
      [   55.872603] 5f20: 000051c7 00000000 db4c18c0 c04a9370 00015000 00001000 daf55f80 00001000
      [   55.880763] 5f40: daf54000 00015000 00000000 c00e53dc db4c18c0 c00e548c 0000000d 00008124
      [   55.888937] 5f60: 00000001 00000000 00000000 db4c18c0 db4c18c0 00001000 00015000 c00e5550
      [   55.897099] 5f80: 00000000 00000000 00001000 00001000 00015000 00000003 00000003 c000f364
      [   55.905239] 5fa0: 00000000 c000f1a0 00001000 00015000 00000003 00015000 00001000 0001333c
      [   55.913399] 5fc0: 00001000 00015000 00000003 00000003 00000002 00000000 00000000 00000000
      [   55.921560] 5fe0: 7fffe000 be999850 0000a225 b6f3c19c 60000010 00000003 00000000 00000000
      [   55.929744] [<c034b0b4>] (charger_get_property) from [<c0346864>] (power_supply_show_property+0x48/0x20c)
      [   55.939286] [<c0346864>] (power_supply_show_property) from [<c027f25c>] (dev_attr_show+0x1c/0x48)
      [   55.948130] [<c027f25c>] (dev_attr_show) from [<c0146218>] (sysfs_kf_seq_show+0x84/0x104)
      [   55.956298] [<c0146218>] (sysfs_kf_seq_show) from [<c0144c78>] (kernfs_seq_show+0x24/0x28)
      [   55.964536] [<c0144c78>] (kernfs_seq_show) from [<c0107f90>] (seq_read+0x1b0/0x484)
      [   55.972172] [<c0107f90>] (seq_read) from [<c00e53dc>] (__vfs_read+0x18/0x4c)
      [   55.979188] [<c00e53dc>] (__vfs_read) from [<c00e548c>] (vfs_read+0x7c/0x100)
      [   55.986304] [<c00e548c>] (vfs_read) from [<c00e5550>] (SyS_read+0x40/0x8c)
      [   55.993164] [<c00e5550>] (SyS_read) from [<c000f1a0>] (ret_fast_syscall+0x0/0x48)
      [   56.000626] Code: bad PC value
      [   56.011652] ---[ end trace 7b64343fbdae8ef1 ]---
      Signed-off-by: NKrzysztof Kozlowski <k.kozlowski@samsung.com>
      Reviewed-by: NBartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
      
      [for the nvec part]
      Reviewed-by: NMarc Dietrich <marvin24@gmx.de>
      
      [for compal-laptop.c]
      Acked-by: NDarren Hart <dvhart@linux.intel.com>
      
      [for the mfd part]
      Acked-by: NLee Jones <lee.jones@linaro.org>
      
      [for the hid part]
      Acked-by: NJiri Kosina <jkosina@suse.cz>
      
      [for the acpi part]
      Acked-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: NSebastian Reichel <sre@kernel.org>
      297d716f
  7. 12 3月, 2015 1 次提交
  8. 05 3月, 2015 1 次提交
    • D
      HID: map telephony usage page · f3dddf24
      Dmitry Torokhov 提交于
      Currently HID code maps usages from telephony page into BTN_0, BTN_1, etc
      keys which get interpreted by mousedev and userspace as left/right/middle
      button clicks, which is not really helpful.
      
      This change adds mappings for usages that have corresponding input event
      definitions, and leaves the rest unmapped. This can be changed when
      there are userspace consumers for more telephony usages.
      Signed-off-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      f3dddf24
  9. 17 12月, 2014 1 次提交
  10. 02 12月, 2014 1 次提交
  11. 03 11月, 2014 2 次提交
  12. 29 10月, 2014 2 次提交
  13. 01 10月, 2014 1 次提交
    • B
      HID: wacom: implement generic HID handling for pen generic devices · 7704ac93
      Benjamin Tissoires 提交于
      ISDv4 and v5 are plain HID devices. We can directly implement a generic
      HID parsing/handling and remove the need to manually add those PID in
      the list of supported devices.
      
      This patch implements the pen support only. The finger part will come in
      a later patch.
      
      To be properly notified of an .event() and a .report(), we need to force
      hid-core to go through the HID parsing. By default, wacom.ko binds only
      hidraw, so the hid parsing is not done by hid-core. When a true HID device
      is there, we add the flag HID_CLAIMED_DRIVER to hid->claimed which will
      force hid-core to parse the incoming reports.
      (Note that this can be easily backported by directly setting the .claimed
      flag to HID_CLAIMED_DRIVER even if hid-core does not support
      HID_CONNECT_DRIVER)
      Signed-off-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Acked-by: NJason Gerecke <killertofu@gmail.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      7704ac93
  14. 08 9月, 2014 1 次提交
  15. 29 7月, 2014 1 次提交
  16. 26 7月, 2014 1 次提交
    • B
      Input: wacom - switch from an USB driver to a HID driver · 29b47391
      Benjamin Tissoires 提交于
      All USB Wacom tablets are actually HID devices.
      For historical reasons, they are handled as plain USB devices.
      The current code makes more and more reference to the HID subsystem
      like implementing its own HID report descriptor parser to handle new
      devices.
      
      From the user point of view, we can transparently switch from this state
      to a driver handled in the HID subsystem and clean up a lot of USB specific
      code in the wacom.ko driver.
      
      The other benefit once the USB dependecies have been removed is that we can
      use a tool like uhid to make regression tests and allow further cleanup or
      new implementations without risking breaking current behaviors.
      
      To match the current handling of devices in wacom_wac.c, we rely on the
      hid_type set by usbhid. usbhid sets the hid_type to HID_TYPE_USBMOUSE when
      it sees a USB boot mouse protocol declared and HID_TYPE_USBNONE when the
      device is plain HID. There is thus a one to one matching between the list
      of supported devices before and after the switch from USB to HID.
      Signed-off-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Reviewed-by: NJason Gerecke <killertofu@gmail.com>
      Tested-by: NJason Gerecke <killertofu@gmail.com>
      Signed-off-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
      29b47391
  17. 03 6月, 2014 1 次提交
  18. 22 5月, 2014 1 次提交
  19. 09 4月, 2014 1 次提交
  20. 14 3月, 2014 2 次提交
  21. 05 3月, 2014 1 次提交
  22. 25 2月, 2014 1 次提交
  23. 17 2月, 2014 6 次提交
  24. 29 1月, 2014 1 次提交
  25. 13 9月, 2013 1 次提交
  26. 04 9月, 2013 1 次提交
  27. 29 8月, 2013 1 次提交
    • K
      HID: validate HID report id size · 43622021
      Kees Cook 提交于
      The "Report ID" field of a HID report is used to build indexes of
      reports. The kernel's index of these is limited to 256 entries, so any
      malicious device that sets a Report ID greater than 255 will trigger
      memory corruption on the host:
      
      [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
      [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
      
      CVE-2013-2888
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Cc: stable@kernel.org
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      43622021
  28. 27 8月, 2013 2 次提交
  29. 31 7月, 2013 2 次提交