user/sven/linux.git/include/linux/hid.h, branch v3.2.78

HID: provide a helper for validating hid reports

2013-10-26T20:06:04Z

commit 331415ff16a12147d57d5c953f3a961b7ede348b upstream. Many drivers need to validate the characteristics of their HID report during initialization to avoid misusing the reports. This adds a common helper to perform validation of the report exisitng, the field existing, and the expected number of values within the field. Signed-off-by: Kees Cook Reviewed-by: Benjamin Tissoires Signed-off-by: Jiri Kosina [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings

HID: validate HID report id size

2013-10-26T20:06:00Z

commit 43622021d2e2b82ea03d883926605bdd0525e1d1 upstream. The "Report ID" field of a HID report is used to build indexes of reports. The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host: [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 [ 1347.156261] IP: [] hid_register_report+0x2a/0x8b CVE-2013-2888 Signed-off-by: Kees Cook Signed-off-by: Jiri Kosina [bwh: Backported to 3.2: use dbg_hid() not hid_err()] Signed-off-by: Ben Hutchings

HID: hidraw: add proper error handling to raw event reporting

2012-10-10T02:31:16Z

commit b6787242f32700377d3da3b8d788ab3928bab849 upstream. If kmemdup() in hidraw_report_event() fails, we are not propagating this fact properly. Let hidraw_report_event() and hid_report_raw_event() return an error value to the caller. Reported-by: Oliver Neukum Signed-off-by: Jiri Kosina Signed-off-by: Ben Hutchings

include: convert various register fcns to macros to avoid include chaining

2011-10-31T23:32:32Z

The original implementations reference THIS_MODULE in an inline. We could include , but it is better to avoid chaining. Fortunately someone else already thought of this, and made a similar inline into a #define in for device_schedule_callback(), [see commit 523ded71de0] so follow that precedent here. Also bubble up any __must_check that were used on the prev. wrapper inline functions up one to the real __register functions, to preserve any prev. sanity checks that were used in those instances. Signed-off-by: Paul Gortmaker

Merge branch 'upstream' into for-linus

2011-10-25T07:59:04Z

Conflicts: drivers/hid/hid-core.c drivers/hid/hid-ids.h

HID: add autodetection of multitouch devices

2011-09-26T12:18:18Z

As mentioned by http://www.microsoft.com/whdc/device/input/DigitizerDrvs_touch.mspx multitouch devices are those that have the input report HID_CONTACTID. This patch detects this and unloads the generic-usb driver. Signed-off-by: Benjamin Tissoires Signed-off-by: Jiri Kosina

HID: Fix race condition between driver core and ll-driver

2011-08-10T12:02:07Z

HID low level drivers register new devices with the HID core which then adds the devices to the HID bus. The HID bus normally immediately probes an appropriate driver which then handles HID input for this device. The ll driver now uses the hid_input_report() function to report input events for a specific device. However, if the HID bus unloads the driver at the same time (for instance via a call to /sys/bus/hid/devices//unbind) then the hdev->driver pointer may be used by hid_input_report() and hid_device_remove() at the same time which may cause hdev->driver to point to invalid memory. This fix adds a semaphore to every hid device which protects hdev->driver from asynchronous access. This semaphore is locked during driver *_probe and *_remove and also inside hid_input_report(). The *_probe and *_remove functions may sleep so the semaphore is good here, however, hid_input_report() is in atomic context and hence only uses down_trylock(). If it cannot acquire the lock it simply drops the input package. The low-level drivers report input events synchronously so hid_input_report() should never be entered twice at the same time on the same device. Hence, the lock should always be available. But if the driver is currently probed/removed then the lock is not available and dropping the package should be safe because this is what would have happened if the package arrived some milliseconds earlier/later. This also fixes another race condition while probing drivers: First the *_probe function of the driver is called and only if that succeeds, the related input device of hidinput is registered. If the low level driver reports input events after the *_probe function returned but before the input device is registered, then a NULL pointer dereference will occur. (Equivalently on driver remove function). This is not possible anymore, since the semaphore lock drops all incoming packages until the driver/device is fully initialized. Signed-off-by: David Herrmann Signed-off-by: Jiri Kosina

HID: yurex: recognize GeneralKeys wireless presenter as generic HID

2011-06-07T13:34:17Z

Unfortunately, the device seems to have the same Vendor ID and Product ID as YUREX leg-shakes sensors, and the commit 6bc235a2e2 ("USB: add driver for Meywa-Denki & Kayac YUREX") added the ID to hid_ignore_list. I believe that we can distinguish YUREX and the Wireless Presenter by device type. The patch below makes the driver ignore only YUREX (bInterfaceProtocol==0), and recognize Wireless Presenter (bInterfaceProtocol is keyboard or mouse) as generic HID. (I don't have the Wireless Presenter, so not yet ested.) ** YUREX lsusb information: Bus 002 Device 007: ID 0c45:1010 Microdia Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x0c45 Microdia idProduct 0x1010 bcdDevice 0.03 iManufacturer 1 JESS iProduct 2 YUREX iSerial 3 10000269 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 34 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 3 Human Interface Device bInterfaceSubClass 1 Boot Interface Subclass bInterfaceProtocol 0 None iInterface 0 HID Device Descriptor: bLength 9 bDescriptorType 33 bcdHID 1.10 bCountryCode 0 Not supported bNumDescriptors 1 bDescriptorType 34 Report wDescriptorLength 31 Report Descriptors: ** UNAVAILABLE ** Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0008 1x 8 bytes bInterval 10 Device Status: 0x0002 (Bus Powered) Remote Wakeup Enabled Addresses https://bugzilla.kernel.org/show_bug.cgi?id=26922 Signed-off-by: Tomoki Sekiyama Cc: Greg KH Cc: "Rafael J. Wysocki" Cc: Maciej Rutecki Reported-by: Thomas B?chler Tested-by: Thomas B?chler Signed-off-by: Andrew Morton Signed-off-by: Jiri Kosina

Fix common misspellings

2011-03-31T14:26:23Z

Fixes generated by 'codespell' and manually reviewed. Signed-off-by: Lucas De Marchi

Merge branches 'dragonrise', 'hidraw-feature', 'multitouch', 'ntrig', 'roccat', 'upstream' and 'upstream-fixes' into for-linus

2011-03-17T13:31:46Z