1. 29 5月, 2017 1 次提交
  2. 21 3月, 2017 1 次提交
    • B
      HID: remove initial reading of reports at connect · 9143059f
      Benjamin Tissoires 提交于
      It looks like a bunch of devices do not like to be polled
      for their reports at init time. When you look into the details,
      it seems that for those that are requiring the quirk
      HID_QUIRK_NO_INIT_REPORTS, the driver fails to retrieve part
      of the features/inputs while others (more generic) work.
      
      IMO, it should be acceptable to remove the need for the quirk
      in the general case. On the small amount of cases where
      we actually need to read the current values, the driver
      in charge (hid-mt or wacom) already retrieves the features
      manually.
      
      There are 2 cases where we might need to retrieve the reports at
      init:
      1. hiddev devices with specific use-space tool
      2. a device that would require the driver to fetch a specific
         feature/input at plug
      
      For case 2, I have seen this a few time on hid-multitouch. It
      is solved in hid-multitouch directly by fetching the feature.
      I hope it won't be too common and this can be solved on a per-case
      basis (crossing fingers).
      
      For case 1, we moved the implementation of HID_QUIRK_NO_INIT_REPORTS
      in hiddev. When somebody starts calling ioctls that needs an initial
      update, the hiddev device will fetch the initial state of the reports
      to mimic the current behavior. This adds a small amount of time during
      the first HIDIOCGUSAGE(S), but it should be acceptable in
      most cases. To keep the currently known broken devices, we have to
      keep around HID_QUIRK_NO_INIT_REPORTS, but the scope will only be
      for hiddev.
      
      Note that I don't think hidraw would be affected and I checked that
      the FF drivers that need to interact with the report fields are all
      using output reports, which are not initialized by
      usbhid_init_reports().
      
      NO_INIT_INPUT_REPORTS is then replaced by HID_QUIRK_NO_INIT_REPORTS:
      there is no point keeping it for just one device.
      Signed-off-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      9143059f
  3. 06 3月, 2017 2 次提交
  4. 12 1月, 2017 1 次提交
  5. 12 12月, 2016 3 次提交
    • B
      HID: fix missing irq field · 8cd16166
      Benjamin Tissoires 提交于
      commit ba18a931 ("Revert "HID: i2c-hid: Add support for ACPI GPIO
      interrupts"") removed the need for storing the irq in struct i2c_hid.
      
      But then commit de3c99488609 ("HID: i2c-hid: Disable IRQ before freeing
      buffers") forgot to update the location of the irq.
      
      Fix this by using the actual I2C client irq.
      Reported-by: Nkbuild test robot <fengguang.wu@intel.com>
      Signed-off-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      8cd16166
    • J
      HID: i2c-hid: fix build · ba1660f1
      Jiri Kosina 提交于
      Add a forgotten include that I've by mistake omitted when resolving
      merge conflict in ead0687fe30 ("HID: i2c-hid: support regulator power
      on/off").
      
      Fixes: ead0687fe30 ("HID: i2c-hid: support regulator power on/off")
      Reported-by: Nkbuild test robot <fengguang.wu@intel.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      ba1660f1
    • J
      HID: i2c-hid: Disable IRQ before freeing buffers · d46ddc59
      João Paulo Rechi Vita 提交于
      The HID report buffers that are initially allocated on i2c_hid_probe()
      might not be big enough to hold the HID reports from a specific device,
      in which case they will be freed and new ones will be allocated in
      i2c_hid_start(), at point which the device's report size is known. But
      at this point ihid->irq is already running, and may call
      i2c_hid_get_input() which passes ihid->inbuf to i2c_master_recv(). Since
      this handler runs in a separate thread, ihid->inbuf may be freed at this
      very moment, and i2c_master_recv() will write on memory which may be
      already owned by a different part of the kernel, corrupting its data.
      
      This problem has been observed on an Asus UX360UA laptop which has an
      I2C touchpad, and results in a complete system freeze or an unusable
      slowness with a lof of "BUG: unable to handle kernel paging request at
      <address>" warnings. Enabling SLUB debugging shows a use-after-free
      warning on memory allocated in i2c_hid_alloc_buffers() and freed in
      i2c_hid_free_buffers():
      
      =============================================================================
      BUG kmalloc-64 (Not tainted): Poison overwritten
      -----------------------------------------------------------------------------
      Disabling lock debugging due to kernel taint
      INFO: 0xffff880264083273-0xffff88026408329e. first byte 0x0 instead of 0x6b
      INFO: Allocated in i2c_hid_alloc_buffers+0x25/0xa0 [i2c_hid] age=35793 cpu=2 pid=430
      	___slab_alloc+0x41e/0x460
      	__slab_alloc+0x20/0x40
      	__kmalloc+0x210/0x280
      	i2c_hid_alloc_buffers+0x25/0xa0 [i2c_hid]
      	i2c_hid_probe+0x12f/0x5e0 [i2c_hid]
      	i2c_device_probe+0x10a/0x1b0
      	driver_probe_device+0x220/0x4a0
      	__device_attach_driver+0x71/0xa0
      	bus_for_each_drv+0x67/0xb0
      	__device_attach+0xdc/0x170
      	device_initial_probe+0x13/0x20
      	bus_probe_device+0x92/0xa0
      	device_add+0x4aa/0x670
      	device_register+0x1a/0x20
      	i2c_new_device+0x18e/0x230
      	acpi_i2c_add_device+0x1a0/0x210
      INFO: Freed in i2c_hid_free_buffers+0x16/0x60 [i2c_hid] age=7552 cpu=1 pid=1473
      	__slab_free+0x221/0x330
      	kfree+0x139/0x160
      	i2c_hid_free_buffers+0x16/0x60 [i2c_hid]
      	i2c_hid_start+0x2a9/0x2df [i2c_hid]
      	mt_probe+0x160/0x22e [hid_multitouch]
      	hid_device_probe+0xd7/0x150 [hid]
      	driver_probe_device+0x220/0x4a0
      	__driver_attach+0x84/0x90
      	bus_for_each_dev+0x6c/0xc0
      	driver_attach+0x1e/0x20
      	bus_add_driver+0x1c3/0x280
      	driver_register+0x60/0xe0
      	__hid_register_driver+0x53/0x90 [hid]
      	0xffffffffc004f01e
      	do_one_initcall+0xb3/0x1f0
      	do_init_module+0x5f/0x1d0
      INFO: Slab 0xffffea0009902080 objects=20 used=20 fp=0x          (null) flags=0x17fff8000004080
      INFO: Object 0xffff880264083260 @offset=4704 fp=0x          (null)
      Bytes b4 ffff880264083250: 8d e6 fe ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a  ........ZZZZZZZZ
      Object ffff880264083260: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
      Object ffff880264083270: 6b 6b 6b 00 00 00 00 00 00 00 00 00 00 00 00 00  kkk.............
      Object ffff880264083280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff880264083290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Redzone ffff8802640832a0: bb bb bb bb bb bb bb bb                          ........
      Padding ffff8802640833e0: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
      CPU: 1 PID: 1503 Comm: python3 Tainted: G    B           4.4.21+ #10
      Hardware name: ASUSTeK COMPUTER INC. UX360UA/UX360UA, BIOS UX360UA.200 05/05/2016
       0000000000000086 00000000622d48a2 ffff88026061ba38 ffffffff813f6044
       ffff880264082010 ffff880264083260 ffff88026061ba78 ffffffff811e8eab
       0000000000000008 ffff880200000001 ffff88026408329f ffff88026a007700
      Call Trace:
       [<ffffffff813f6044>] dump_stack+0x63/0x8f
       [<ffffffff811e8eab>] print_trailer+0x14b/0x1f0
       [<ffffffff811e94c1>] check_bytes_and_report+0xc1/0x100
       [<ffffffff811e96c4>] check_object+0x1c4/0x240
       [<ffffffff81293fde>] ? ext4_htree_store_dirent+0x3e/0x120
       [<ffffffff811e9b44>] alloc_debug_processing+0x104/0x180
       [<ffffffff811eb7be>] ___slab_alloc+0x41e/0x460
       [<ffffffff81293fde>] ? ext4_htree_store_dirent+0x3e/0x120
       [<ffffffff8124590b>] ? __getblk_gfp+0x2b/0x60
       [<ffffffff8129b969>] ? ext4_getblk+0xa9/0x190
       [<ffffffff811eb820>] __slab_alloc+0x20/0x40
       [<ffffffff811ed320>] __kmalloc+0x210/0x280
       [<ffffffff81293fde>] ? ext4_htree_store_dirent+0x3e/0x120
       [<ffffffff812c1602>] ? ext4fs_dirhash+0xc2/0x2a0
       [<ffffffff81293fde>] ext4_htree_store_dirent+0x3e/0x120
       [<ffffffff812a4f47>] htree_dirblock_to_tree+0x187/0x1b0
       [<ffffffff812a5fd2>] ext4_htree_fill_tree+0xb2/0x2e0
       [<ffffffff811ebb7a>] ? kmem_cache_alloc_trace+0x1fa/0x220
       [<ffffffff81293e45>] ? ext4_readdir+0x775/0x8b0
       [<ffffffff81293cb1>] ext4_readdir+0x5e1/0x8b0
       [<ffffffff81221c82>] iterate_dir+0x92/0x120
       [<ffffffff81222118>] SyS_getdents+0x98/0x110
       [<ffffffff81221d10>] ? iterate_dir+0x120/0x120
       [<ffffffff818157f2>] entry_SYSCALL_64_fastpath+0x16/0x71
      FIX kmalloc-64: Restoring 0xffff880264083273-0xffff88026408329e=0x6b
      FIX kmalloc-64: Marking all objects used
      Signed-off-by: NJoão Paulo Rechi Vita <jprvita@endlessm.com>
      Reviewed-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      d46ddc59
  6. 28 11月, 2016 1 次提交
  7. 10 11月, 2016 1 次提交
  8. 14 10月, 2016 2 次提交
  9. 21 6月, 2016 1 次提交
    • G
      HID: i2c-hid: set power sleep before shutdown · d9f448e3
      Guohua Zhong 提交于
      Add i2c_hid_shutdown for i2c-hid driver to send suspend cmd & free
      irq before device shutdown.
      
      Some HW design (i.e. Umaro, a chromebook model) is that the power to
      i2c hid device won't down after device shutdown. Also the i2c-hid driver
      do not send suspend cmd to the hid i2c device and free its irq before
      shutdown.So if We touch the touchscreen or some other i2c hid device,
      the power consumtion will be go up even when the device is in shutdown
      state.
      
      Though the root cause maybe a HW issue. But it seems that it is a
      good pratice to set power sleep for i2c-hid device before shutdown.
      Signed-off-by: NGuohua Zhong <ghzhong@yifangdigital.com>
      Acked-By: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      d9f448e3
  10. 06 6月, 2016 1 次提交
  11. 15 3月, 2016 1 次提交
    • D
      HID: i2c-hid: fix OOB write in i2c_hid_set_or_send_report() · 3b654288
      Dmitry Torokhov 提交于
      Even though hid_hw_* checks that passed in data_len is less than
      HID_MAX_BUFFER_SIZE it is not enough, as i2c-hid does not necessarily
      allocate buffers of HID_MAX_BUFFER_SIZE but rather checks all device
      reports and select largest size. In-kernel users normally just send as much
      data as report needs, so there is no problem, but hidraw users can do
      whatever they please:
      
      BUG: KASAN: slab-out-of-bounds in memcpy+0x34/0x54 at addr ffffffc07135ea80
      Write of size 4101 by task syz-executor/8747
      CPU: 2 PID: 8747 Comm: syz-executor Tainted: G    BU         3.18.0 #37
      Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
      Call trace:
      [<ffffffc00020ebcc>] dump_backtrace+0x0/0x258 arch/arm64/kernel/traps.c:83
      [<ffffffc00020ee40>] show_stack+0x1c/0x2c arch/arm64/kernel/traps.c:172
      [<     inline     >] __dump_stack lib/dump_stack.c:15
      [<ffffffc001958114>] dump_stack+0x90/0x140 lib/dump_stack.c:50
      [<     inline     >] print_error_description mm/kasan/report.c:97
      [<     inline     >] kasan_report_error mm/kasan/report.c:278
      [<ffffffc0004597dc>] kasan_report+0x268/0x530 mm/kasan/report.c:305
      [<ffffffc0004592e8>] __asan_storeN+0x20/0x150 mm/kasan/kasan.c:718
      [<ffffffc0004594e0>] memcpy+0x30/0x54 mm/kasan/kasan.c:299
      [<ffffffc001306354>] __i2c_hid_command+0x2b0/0x7b4 drivers/hid/i2c-hid/i2c-hid.c:178
      [<     inline     >] i2c_hid_set_or_send_report drivers/hid/i2c-hid/i2c-hid.c:321
      [<ffffffc0013079a0>] i2c_hid_output_raw_report.isra.2+0x3d4/0x4b8 drivers/hid/i2c-hid/i2c-hid.c:589
      [<ffffffc001307ad8>] i2c_hid_output_report+0x54/0x68 drivers/hid/i2c-hid/i2c-hid.c:602
      [<     inline     >] hid_hw_output_report include/linux/hid.h:1039
      [<ffffffc0012cc7a0>] hidraw_send_report+0x400/0x414 drivers/hid/hidraw.c:154
      [<ffffffc0012cc7f4>] hidraw_write+0x40/0x64 drivers/hid/hidraw.c:177
      [<ffffffc0004681dc>] vfs_write+0x1d4/0x3cc fs/read_write.c:534
      [<     inline     >] SYSC_pwrite64 fs/read_write.c:627
      [<ffffffc000468984>] SyS_pwrite64+0xec/0x144 fs/read_write.c:614
      Object at ffffffc07135ea80, in cache kmalloc-512
      Object allocated with size 268 bytes.
      
      Let's check data length against the buffer size before attempting to copy
      data over.
      
      Cc: stable@vger.kernel.org
      Reported-by: NAlexander Potapenko <glider@google.com>
      Signed-off-by: NDmitry Torokhov <dtor@chromium.org>
      Reviewed-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      3b654288
  12. 10 3月, 2016 2 次提交
  13. 31 12月, 2015 1 次提交
    • M
      HID: i2c-hid: Prevent sending reports from racing with device reset · 9a327405
      Mika Westerberg 提交于
      When an i2c-hid device is resumed from system sleep the driver resets
      the device to be sure it is in known state. The device is expected to
      issue an interrupt when reset is complete.
      
      This reset might take few milliseconds to complete so if the HID driver
      on top (hid-rmi) starts to set up the device by sending feature reports
      etc. the device might not issue the reset complete interrupt anymore.
      
      Below is what happens to touchpad on Lenovo Yoga 900 during resume from
      system sleep:
      
        [   24.790951] i2c_hid i2c-SYNA2B29:00: i2c_hid_hwreset
        [   24.790973] i2c_hid i2c-SYNA2B29:00: i2c_hid_set_power
        [   24.790982] i2c_hid i2c-SYNA2B29:00: __i2c_hid_command: cmd=22 00 00 08
        [   24.793011] i2c_hid i2c-SYNA2B29:00: resetting...
        [   24.793016] i2c_hid i2c-SYNA2B29:00: __i2c_hid_command: cmd=22 00 00 01
      
      Here i2c-hid sends reset command to the touchpad.
      
        [   24.794012] i2c_hid i2c-SYNA2B29:00: input: 06 00 01 00 00 00
        [   24.794051] i2c_hid i2c-SYNA2B29:00: i2c_hid_set_or_send_report
        [   24.794059] i2c_hid i2c-SYNA2B29:00: __i2c_hid_command:
                       cmd=22 00 3f 03 0f 23 00 04 00 0f 01
      
      Now hid-rmi puts the touchpad to correct mode by sending it a feature
      report. This makes the touchpad not to issue reset complete interrupt.
      
        [   24.796092] i2c_hid i2c-SYNA2B29:00: __i2c_hid_command: waiting...
      
      i2c-hid starts to wait for the reset interrupt to trigger which never
      happens.
      
        [   24.798304] i2c_hid i2c-SYNA2B29:00: i2c_hid_set_or_send_report
        [   24.798313] i2c_hid i2c-SYNA2B29:00: __i2c_hid_command:
                       cmd=25 00 17 00 09 01 42 00 2e 00 19 19 00 10 cc 06 74 04 0f
                           19 00 00 00 00 00
      
      Yet another output report from hid-rmi driver.
      
        [   29.795630] i2c_hid i2c-SYNA2B29:00: __i2c_hid_command: finished.
        [   29.795637] i2c_hid i2c-SYNA2B29:00: failed to reset device.
      
      After 5 seconds i2c-hid driver times out.
      
        [   29.795642] i2c_hid i2c-SYNA2B29:00: i2c_hid_set_power
        [   29.795649] i2c_hid i2c-SYNA2B29:00: __i2c_hid_command: cmd=22 00 01 08
        [   29.797576] dpm_run_callback(): i2c_hid_resume+0x0/0xb0 returns -61
        [   29.797584] PM: Device i2c-SYNA2B29:00 failed to resume: error -61
      
      After this the touchpad does not work anymore (and also resume itself
      gets slowed down because of the timeout).
      
      Prevent sending of feature/output reports while the device is being
      reset by adding a mutex which is held during that time.
      Reported-and-tested-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Reported-by: NNish Aravamudan <nish.aravamudan@gmail.com>
      Suggested-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Reviewed-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      9a327405
  14. 19 11月, 2015 1 次提交
  15. 29 9月, 2015 1 次提交
  16. 18 8月, 2015 1 次提交
  17. 08 7月, 2015 1 次提交
  18. 03 6月, 2015 1 次提交
  19. 18 5月, 2015 1 次提交
  20. 23 4月, 2015 1 次提交
  21. 25 2月, 2015 1 次提交
  22. 23 2月, 2015 1 次提交
  23. 17 2月, 2015 1 次提交
  24. 17 12月, 2014 1 次提交
    • M
      HID: i2c-hid: Do not free buffers in i2c_hid_stop() · 5b44c53a
      Mika Westerberg 提交于
      When a hid driver that uses i2c-hid as transport is unloaded, the hid core
      will call i2c_hid_stop() which releases all the buffers associated with the
      device. This includes also the command buffer.
      
      Now, when the i2c-hid driver itself is unloaded it tries to power down the
      device by sending it PWR_SLEEP command. Since the command buffer is already
      released we get following crash:
      
       [   79.691459] BUG: unable to handle kernel NULL pointer dereference at           (null)
       [   79.691532] IP: [<ffffffffa05bc049>] __i2c_hid_command+0x49/0x310 [i2c_hid]
       ...
       [   79.693467] Call Trace:
       [   79.693494]  [<ffffffff810424e1>] ? __unmask_ioapic+0x21/0x30
       [   79.693537]  [<ffffffff81042855>] ? unmask_ioapic+0x25/0x40
       [   79.693581]  [<ffffffffa05bc35b>] ? i2c_hid_set_power+0x4b/0xa0 [i2c_hid]
       [   79.693632]  [<ffffffffa05bc3cf>] ? i2c_hid_runtime_resume+0x1f/0x30 [i2c_hid]
       [   79.693689]  [<ffffffff814c08fb>] ? __rpm_callback+0x2b/0x70
       [   79.693733]  [<ffffffff814c0961>] ? rpm_callback+0x21/0x90
       [   79.693776]  [<ffffffff814c0dec>] ? rpm_resume+0x41c/0x600
       [   79.693820]  [<ffffffff814c1e1c>] ? __pm_runtime_resume+0x4c/0x80
       [   79.693868]  [<ffffffff814b8588>] ? __device_release_driver+0x28/0x100
       [   79.693917]  [<ffffffff814b8d90>] ? driver_detach+0xa0/0xb0
       [   79.693959]  [<ffffffff814b82cc>] ? bus_remove_driver+0x4c/0xb0
       [   79.694006]  [<ffffffff810d1cfd>] ? SyS_delete_module+0x11d/0x1d0
       [   79.694054]  [<ffffffff8165f107>] ? int_signal+0x12/0x17
       [   79.694095]  [<ffffffff8165ee69>] ? system_call_fastpath+0x12/0x17
      
      Fix this so that we only free buffers when the i2c-hid driver itself is
      removed.
      
      Fixes: 34f439e4 ("HID: i2c-hid: add runtime PM support")
      Reported-by: NGabriele Mazzotta <gabriele.mzt@gmail.com>
      Signed-off-by: NMika Westerberg <mika.westerberg@linux.intel.com>
      Reviewed-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      5b44c53a
  25. 12 12月, 2014 1 次提交
  26. 04 12月, 2014 1 次提交
  27. 25 11月, 2014 1 次提交
  28. 19 11月, 2014 1 次提交
  29. 29 7月, 2014 1 次提交
  30. 13 5月, 2014 1 次提交
  31. 14 3月, 2014 1 次提交
  32. 17 2月, 2014 4 次提交