This patch (as1592) fixes an obscure problem in the usbhid driver.
Under some circumstances, a control or interrupt-OUT URB can be
submitted twice.  This will happen if the first submission fails; the
queue pointers aren't updated, so the next time the queue is restarted
the same URB will be submitted again.

The problem is that raw_report gets deallocated during the first
submission.  The second submission will then dereference and try to
free an already-freed region of memory.  The patch fixes the problem
by setting raw_report to NULL when it is deallocated and checking for
NULL before dereferencing it.
Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
CC: Oliver Neukum <oliver@neukum.org>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

dbg() was a very old USB-specific macro that should no longer
be used. This patch removes it from being used in the driver
and uses dev_dbg() instead.

CC: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

On some HCDs usb_unlink_urb() can directly call the
completion handler. That limits the spinlocks that can
be taken in the handler to locks not held while calling
usb_unlink_urb()
To prevent a race with resubmission, this patch exposes
usbcore's infrastructure for blocking submission, uses it
and so drops the lock without causing a race in usbhid.
Signed-off-by: NOliver Neukum <oneukum@suse.de>
Acked-by: NJiri Kosina <jkosina@suse.cz>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Move the hid drivers of the bus drivers to a common generic hid
driver, and make it a proper module. This ought to simplify device
handling moving forward.

Cc: Gustavo Padovan <gustavo@padovan.org>
Signed-off-by: NHenrik Rydberg <rydberg@euromail.se>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

Devices that do not have a special driver are handled by the generic
driver. This patch does the same thing using device groups; Instead of
forcing a particular driver, the appropriate driver is picked up by
udev. As a consequence, one can now move a device from generic to
specific handling by a simple rebind. By adding a new device id to the
generic driver, the same thing can be done in reverse.
Signed-off-by: NHenrik Rydberg <rydberg@euromail.se>
Acked-by: NBenjamin Tissoires <benjamin.tissoires@gmail.com>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

When a USB device reset occurs, usbcore will refetch the device and configuration
descriptors and compare them with those retrieved before the reset to ensure
that they have not changed. For USB HID devices, this implicitly includes the
HID class descriptor (as this is fetched with the configuration descriptor).
However, the HID report descriptor is not checked again.

Whilst a change in the size of the HID report descriptor will be detected (as
this is held in the class descriptor), content changes to the report descriptor
which do not result in a change in its size will be missed. If a firmware update
were applied to a USB HID device which resulted in such a change to the report
descriptor after device reset, then this would not be picked up by usbhid.

This patch fixes this issue by allowing usbhid to check the contents of the
report descriptor after the device reset, and trigger a rebind of the device
if there is a mismatch.
Reviewed-by: NToby Gray <toby.gray@realvnc.com>
Signed-off-by: NSimon Haggett <simon.haggett@realvnc.com>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

In case IO cannot be started because there is a lack of bandwidth
on the bus, it makes no sense to reset the device. If IO is requested
because the device is opened, user space should be notified with
an error right away. If the lack of bandwidth arises later, for
example after resume, there's no other choice but to retry in the
hope that bandwidth will be freed.
Signed-off-by: NOliver Neukum <oneukum@suse.de>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

Defer LED setting action to a workqueue.
This is more likely to send all LED change events in a single URB.
Signed-off-by: NDaniel Kurtz <djkurtz@chromium.org>
Acked-by: NOliver Neukum <oneukum@suse.de>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

If any userspace program has opened a keyboard device, the input core
de-activates the keyboard's LEDs upon suspend().  It does this by sending
individual EV_LED[LED_X]=0 events to the underlying device driver by
directly calling the driver's registered event() handler.

The usb-hid driver event() handler processes each request by immediately
attempting to submit a CTRL URB to turn off the LED.  USB URB submission
is asynchronous.  First the URB is added to the head of the ctrl queue.
Then, if the CTRL_RUNNING flag is false, the URB is submitted immediately
(and CTRL_RUNNING is set).  If the CTRL_RUNNING flag was already true,
then the newly queued URB is submitted in the ctrl completion handler when
all previously submitted URBs have completed.  When all queued URBs have
been submitted, the completion handler clears the CTRL_RUNNING flag.

In the 2-LED suspend case, at input suspend(), 2 LED event CTRL URBs get
queued, with only the first actually submitted.  Soon after input
suspend() handler finishes, the usb-hid suspend() handler gets called.
Since this is NOT a PM_EVENT_AUTO suspend, the handler sets
REPORTED_IDLE, then waits for io to complete.

Unfortunately, this usually happens while the first LED request is
actually still being processed.  Thus when the completion handler tries
to submit the second LED request it fails, since REPORTED_IDLE is
already set!  This REPORTED_IDLE check failure causes the completion
handler to complete, however without clearing the CTRL_RUNNING flag.
This, in turn, means that the suspend() handler's wait_io() condition
is never satisfied, and instead it times out after 10 seconds, aborting
the original system suspend.

This patch changes the behavior to the following:
  (1) allow completion handler to finish submitting all queued URBs, even if
      REPORTED_IDLE is set.  This guarantees that all URBs queued before the
      hid-core suspend() call will be submitted before the system is
      suspended.
  (2) if REPORTED_IDLE is set and the URB queue is empty, queue, but
      don't submit, new URB submission requests.  These queued requests get
      submitted when resume() flushes the URB queue. This is similar to the
      existing behavior, however, any requests that arrive while the queue is
      not yet empty will still get submitted before suspend.
  (3) set the RUNNING flag when flushing the URB queue in resume().
      This keeps URBs that were queued in (2) from colliding with any new
      URBs that are being submitted during the resume process.  The new URB
      submission requests upon resume get properly queued behind the ones
      being flushed instead of the current situation where they collide,
      causing memory corruption and oopses.
Signed-off-by: NDaniel Kurtz <djkurtz@chromium.org>
Acked-by: NOliver Neukum <oneukum@suse.de>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

LED_ON was defined in the original version of the hid-core autosuspend patch.
However, during review, the setting and clearing of it was redone
using ledcount.  The test was left in accidentally.
Signed-off-by: NDaniel Kurtz <djkurtz@chromium.org>
Acked-by: NOliver Neukum <oneukum@suse.de>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

This makes sure IO is never restarted while a reset is going on

In particular there seems to be no protection from hid_retry_timeout() calling
hid_start_in() which would start IO after hid_pre_reset() has already called
hid_cease_io() because that uses del_timer(), not del_timer_sync()
Signed-off-by: NOliver Neukum <oneukum@suse.de>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

This patch (as1482) adds a macro for testing whether or not a
pm_message value represents an autosuspend or autoresume (i.e., a
runtime PM) event.  Encapsulating this notion seems preferable to
open-coding the test all over the place.
Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
Acked-by: NGreg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: NRafael J. Wysocki <rjw@sisk.pl>

Unfortunately, the device seems to have the same Vendor ID and Product ID
as YUREX leg-shakes sensors, and the commit 6bc235a2 ("USB: add driver
for Meywa-Denki & Kayac YUREX") added the ID to hid_ignore_list.

I believe that we can distinguish YUREX and the Wireless Presenter by
device type.  The patch below makes the driver ignore only YUREX
(bInterfaceProtocol==0), and recognize Wireless Presenter
(bInterfaceProtocol is keyboard or mouse) as generic HID.  (I don't have
the Wireless Presenter, so not yet ested.)

** YUREX lsusb information:
Bus 002 Device 007: ID 0c45:1010 Microdia
Device Descriptor:
   bLength                18
   bDescriptorType         1
   bcdUSB               1.10
   bDeviceClass            0 (Defined at Interface level)
   bDeviceSubClass         0
   bDeviceProtocol         0
   bMaxPacketSize0         8
   idVendor           0x0c45 Microdia
   idProduct          0x1010
   bcdDevice            0.03
   iManufacturer           1 JESS
   iProduct                2 YUREX
   iSerial                 3 10000269
   bNumConfigurations      1
   Configuration Descriptor:
     bLength                 9
     bDescriptorType         2
     wTotalLength           34
     bNumInterfaces          1
     bConfigurationValue     1
     iConfiguration          0
     bmAttributes         0xa0
       (Bus Powered)
       Remote Wakeup
     MaxPower              100mA
     Interface Descriptor:
       bLength                 9
       bDescriptorType         4
       bInterfaceNumber        0
       bAlternateSetting       0
       bNumEndpoints           1
       bInterfaceClass         3 Human Interface Device
       bInterfaceSubClass      1 Boot Interface Subclass
       bInterfaceProtocol      0 None
       iInterface              0
         HID Device Descriptor:
           bLength                 9
           bDescriptorType        33
           bcdHID               1.10
           bCountryCode            0 Not supported
           bNumDescriptors         1
           bDescriptorType        34 Report
           wDescriptorLength      31
          Report Descriptors:
            ** UNAVAILABLE **
       Endpoint Descriptor:
         bLength                 7
         bDescriptorType         5
         bEndpointAddress     0x81  EP 1 IN
         bmAttributes            3
           Transfer Type            Interrupt
           Synch Type               None
           Usage Type               Data
         wMaxPacketSize     0x0008  1x 8 bytes
         bInterval              10
Device Status:     0x0002
   (Bus Powered)
   Remote Wakeup Enabled

Addresses https://bugzilla.kernel.org/show_bug.cgi?id=26922Signed-off-by: NTomoki Sekiyama <tomoki.sekiyama@gmail.com>
Cc: Greg KH <gregkh@suse.de>
Cc: "Rafael J. Wysocki" <rjw@sisk.pl>
Cc: Maciej Rutecki <maciej.rutecki@gmail.com>
Reported-by: NThomas B?chler <thomas@archlinux.org>
Tested-by: NThomas B?chler <thomas@archlinux.org>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

Per the HID Specification, Feature reports must be sent and received on
the Configuration endpoint (EP 0) through the Set_Report/Get_Report
interfaces.  This patch adds two ioctls to hidraw to set and get feature
reports to and from the device.  Modifications were made to hidraw and
usbhid.

New hidraw ioctls:
  HIDIOCSFEATURE - Perform a Set_Report transfer of a Feature report.
  HIDIOCGFEATURE - Perform a Get_Report transfer of a Feature report.
Signed-off-by: NAlan Ott <alan@signal11.us>
Signed-off-by: NAntonio Ospite <ospite@studenti.unina.it>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

This patch doesn't alter functionality, but removes a dedicated kernel
thread.
Signed-off-by: NOliver Neukum <oneukum@suse.de>
Tested-by: NMaulik Mankad <x0082077@ti.com>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

Neaten current uses of dev_<level> by adding and using
hid specific hid_<level> macros.

Convert existing uses of dev_<level> uses to hid_<level>.
Convert hid-pidff printk uses to hid_<level>.

Remove err_hid and use hid_err instead.

Add missing newlines to logging messages where necessary.
Coalesce format strings.

Add and use pr_fmt(fmt) KBUILD_MODNAME ": " fmt

Other miscellaneous changes:

Add const struct hid_device * argument to hid-core functions
extract() and implement() so hid_<level> can be used by them.
Fix bad indentation in hid-core hid_input_field function
that calls extract() function above.
Signed-off-by: NJoe Perches <joe@perches.com>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

Now that hiddev_driver isn't being used for anything, there's no
reason to keep it around.  This patch (as1419) gets rid of it
entirely.
Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

Added blank line after declarations.
Signed-off-by: NAlan Ott <alan@signal11.us>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

Feature reports should only be sent on the control endpoint.

The USB HID standard is unclear and confusing on this issue. It seems to
suggest that Feature reports can be sent on a HID device's Interrupt OUT
endpoint.  This cannot be the case because the report type is not encoded in
transfers sent out the Interrput OUT endpoint.  If Feature reports were sent on
the Interrupt OUT endpint, they would be indistinguishable from Output reports
in the case where Report IDs were not used.

Further, Windows and Mac OS X do not send Feature reports out the interrupt OUT
Endpoint.  They will only go out the Control Endpoint.

In addition, many devices simply do not hande Feature reports sent out the
Interrupt OUT endpoint.

Reported-by: simon@mungewell.org
Signed-off-by: NAlan Ott <alan@signal11.us>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

My macbook infrared remote control was broken by commit
bd25f4dd ("HID: hiddev: use
usb_find_interface, get rid of BKL").

This device appears in dmesg as:
apple 0003:05AC:8242.0001: hiddev0,hidraw0: USB HID v1.11 Device
[Apple Computer, Inc. IR Receiver] on usb-0000:00:1d.2-1/input0

It stopped working as lircd was getting ENODEV when opening /dev/usb/hiddev0.

AFAICS hiddev_driver is a dummy driver so usb_find_interface(&hiddev_driver)
does not find anything.

The device is associated with the usbhid driver, so let's do
usb_find_interface(&hid_driver) instead.

$ ls -l /sys/devices/pci0000:00/0000:00:1d.2/usb7/7-1/7-1:1.0/usb/hiddev0/device/driver
lrwxrwxrwx 1 root root 0 2010-09-12 16:28 /sys/devices/pci0000:00/0000:00:1d.2/usb7/7-1/7-1:1.0/usb/hiddev0/device/driver -> ../../../../../../bus/usb/drivers/usbhid
Signed-off-by: NGuillaume Chazarain <guichaz@gmail.com>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

When I made commit 29129a98 ("HID: Send Report ID when numbered
reports are sent over the control endpoint"), I didn't account for *buf
not being the report ID anymore, as buf is incremented.
Signed-off-by: NAlan Ott <alan@signal11.us>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

The Report ID wasn't sent as part of the payload for reports which were sent
over the control endpoint. This is required by section 8.1 of the HID spec.
Signed-off-by: NAlan Ott <alan@signal11.us>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

For more clearance what the functions actually do,

  usb_buffer_alloc() is renamed to usb_alloc_coherent()
  usb_buffer_free()  is renamed to usb_free_coherent()

They should only be used in code which really needs DMA coherency.

All call sites have been changed accordingly, except for staging
drivers.
Signed-off-by: NDaniel Mack <daniel@caiaq.de>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Pedro Ribeiro <pedrib@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

This patch (as1350) removes all usages of coherent buffers for USB
control-request setup-packet buffers.  There's no good reason to
reserve coherent memory for these things; control requests are hardly
ever used in large quantity (the major exception is firmware
transfers, and they aren't time-critical).  Furthermore, only seven
drivers used it.  We might as well always use streaming DMA mappings
for setup-packet buffers, and remove some extra complexity from
usbcore.

The DMA-mapping portion of hcd.c is currently in flux.  A separate
patch will be submitted to remove support for URB_NO_SETUP_DMA_MAP
after everything else settles down.  The removal should go smoothly,
as by then nobody will be using it.
Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

This patch makes the hidraw driver use the first Interrupt OUT endpoint for
HID transfers to the device if such an endpoint exists. This is consistent
with the behavior of the hiddev driver, and the logic is similar.

From the USB HID specification:

   The Interrupt Out pipe is optional. If a device declares an Interrupt Out
   endpoint then Output reports are transmitted by the host to the device
   through the Interrupt Out endpoint. If no Interrupt Out endpoint is
   declared then Output reports are transmitted to a device through the
   Control endpoint, using Set_Report(Output) requests.
Signed-off-by: NAlan Ott <alan@signal11.us>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

Although the usbhid driver allocates its usbhid structure in the probe
routine, several critical fields in that structure don't get
initialized until usbhid_start().  However if report descriptor
parsing fails then usbhid_start() is never called.  This leads to
problems during system suspend -- the system will freeze.

This patch (as1378) fixes the bug by moving the initialization
statements up into usbhid_probe().
Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
Reported-by: NBruno Prémont <bonbons@linux-vserver.org>
Tested-By: NBruno Prémont <bonbons@linux-vserver.org>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

Add suspend/resume hooks for HID drivers so these can do some
additional state adjustment when device gets suspended/resumed.
Signed-off-by: NBruno Prémont <bonbons@linux-vserver.org>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

Add two quirks to make it possible for usbhid module options to
override whether a device is ignored (HID_QUIRK_NO_IGNORE) and
whether to connect a hiddev device (HID_QUIRK_HIDDEV_FORCE).

Passing HID_QUIRK_NO_IGNORE for your device means that it will
not be ignored by the HID layer, even if present in a blacklist.

HID_QUIRK_HIDDEV_FORCE will force the creation of a hiddev for that
device, making it accessible from user-space.

Tested with an Apple IR Receiver, switching it from using appleir
to using lirc's macmini driver.
Signed-off-by: NBastien Nocera <hadess@hadess.net>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

This patch (as1365) enables remote wakeup by default for USB keyboard
devices.  Keyboards in general are supposed to be wakeup devices, but
the correct place to enable it depends on the device's bus; no single
approach will work for all keyboard devices.  In particular, this
covers only USB keyboards (and then only those supporting the boot
protocol).
Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

Add framebuffer support to PicoLCD device with use of deferred-io.

Only changed areas of framebuffer get sent to device in order to
save USB bandwidth and especially resources on PicoLCD device or
allow higher refresh rate for a small area. Changed tiles are
determined while updating shadow framebuffer.
Signed-off-by: NBruno Prémont <bonbons@linux-vserver.org>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

Move the initialization of USB interface pointers from _start()
over to _probe() callback, which is where it belongs.

This fixes case where interface is NULL when parsing of report
descriptor fails.

LKML-Reference: <20100213135720.603e5f64@neptune.home>
Reported-by: NAlan Stern <stern@rowland.harvard.edu>
Tested-by: NBruno Prémont <bonbons@linux-vserver.org>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

Some devices do not react to a control request (seen on APC UPS's) resulting in
a slow stream of messages, "generic-usb ... control queue full".  Therefore
request needs a timeout.

Cc: stable@kernel.org
Signed-off-by: NOliver Neukum <oliver@neukum.org>
Signed-off-by: NDavid Fries <david@fries.net>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

In commit 2da31939 ("Bluetooth: Implement raw output support for HIDP
layer"), support for Bluetooth hid_output_raw_report was added, but it
pushes the data to the intr socket instead of the ctrl one. This has been
fixed by 6bf8268f ("Bluetooth: Use the control channel for raw HID reports")

Still, it is necessary to distinguish whether the report in question should be
either FEATURE or OUTPUT. For this, we have to extend the generic HID API,
so that hid_output_raw_report() callback provides means to specify this
value so that it can be passed down to lower level hardware drivers (currently
Bluetooth and USB).

Based on original patch by Bastien Nocera <hadess@hadess.net>
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

Signed-off-by: NJiri Kosina <jkosina@suse.cz>

The id_table field of the struct usb_device_id is constant in <linux/usb.h>
so it is worth to make the initialization data also constant.

The semantic match that finds this kind of pattern is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@r@
disable decl_init,const_decl_init;
identifier I1, I2, x;
@@
	struct I1 {
	  ...
	  const struct I2 *x;
	  ...
	};
@s@
identifier r.I1, y;
identifier r.x, E;
@@
	struct I1 y = {
	  .x = E,
	};
@c@
identifier r.I2;
identifier s.E;
@@
	const struct I2 E[] = ... ;
@depends on !c@
identifier r.I2;
identifier s.E;
@@
+	const
	struct I2 E[] = ...;
// </smpl>
Signed-off-by: NMárton Németh <nm127@freemail.hu>
Cc: Julia Lawall <julia@diku.dk>
Cc: cocci@diku.dk
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

This patch (as1302) removes the auto_pm flag from struct usb_device.
The flag's only purpose was to distinguish between autosuspends and
external suspends, but that information is now available in the
pm_message_t argument passed to suspend methods.
Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

NCR devices are terminally broken by design -- they claim themselves to contain
proper input applications in their HID report descriptor, but behave very badly
if treated in standard way.

According to NCR developers, the devices get confused when queried for reports
in a standard way, rendering them unusable.

NCR is shipping application called "RPSL" that can be used to drive these
devices through hiddev, under the assumption that in-kernel driver doesn't
perform initial report query.
If it does, neither in-kernel nor hiddev-based driver can operate with these
devices any more.

Introduce a quirk that skips the report query for all NCR devices. The previous
NOGET quirk was wrong and had been introduced because I misunderstood the nature
of brokenness of these devices.
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

DRIVER_VERSION has no use whatosoever, it has been set to "2.6"
for ages. Remove it.
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

Remove unused (in usbhid module) DRIVER_AUTHOR macrco and properly
use multiple MODULE_AUTHOR() instances in both modules.
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

HID core registers input, hidraw and hiddev devices, but leaves
unregistering it up to the individual driver, which is not really nice.
Let's move all the logic to the core.
Reported-by: NMarcel Holtmann <marcel@holtmann.org>
Reported-by: NBrian Rogers <brian@xyzw.org>
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>