1. 13 Dec, 2022 11 commits
  2. 08 Dec, 2022 2 commits
  3. 22 Nov, 2022 1 commit
  4. 21 Nov, 2022 7 commits
    • HID: logitech HID++: Send SwID in GetProtocolVersion · 8b7e5840
      Andreas Bergmeier authored
      According to docs a SwID should be sent for GetProtocolVersion.
      > 0x10.DeviceIndex.0x00.0x1n
      where n is SwID.
      Signed-off-by: Andreas Bergmeier <abergmeier@gmx.net>
      Reviewed-by: Bastien Nocera <hadess@hadess.net>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    • HID: hid-elan: use default remove for hid device · 163a7fbf
      Marcus Folkesson authored
      hid_device_remove() will call hid_hw_stop() as default .remove function
      if no function is specified.
      Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    • HID: hid-alps: use default remove for hid device · 989f7cc9
      Marcus Folkesson authored
      hid_device_remove() will call hid_hw_stop() as default .remove function
      if no function is specified.
      Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    • HID: hid-sensor-custom: set fixed size for custom attributes · 9d013910
      Marcus Folkesson authored
      This is no bugfix (so no Fixes: tag is necessary) as it is
      taken care of in hid_sensor_custom_add_attributes().
      
      The motivation for this patch is that:
      hid_sensor_custom_field.attr_name and
      hid_sensor_custom_field.attrs
      have the size of HID_CUSTOM_TOTAL_ATTRS and are used in the same context.
      
      We compare against HID_CUSTOM_TOTAL_ATTRS when
      looping through hid_custom_attrs.
      
      We will silence the smatch error:
      hid_sensor_custom_add_attributes() error: buffer overflow
      'hid_custom_attrs' 8 <= 10
      Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
      Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    • HID: core: fix shift-out-of-bounds in hid_report_raw_event · ec61b419
      ZhangPeng authored
      Syzbot reported shift-out-of-bounds in hid_report_raw_event.
      
      microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) >
      32! (swapper/0)
      ======================================================================
      UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20
      shift exponent 127 is too large for 32-bit type 'int'
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted
      6.1.0-rc4-syzkaller-00159-g4bbf3422 #0
      Hardware name: Google Compute Engine/Google Compute Engine, BIOS
      Google 10/26/2022
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:88 [inline]
       dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
       ubsan_epilogue lib/ubsan.c:151 [inline]
       __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322
       snto32 drivers/hid/hid-core.c:1323 [inline]
       hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline]
       hid_process_report drivers/hid/hid-core.c:1665 [inline]
       hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998
       hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066
       hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284
       __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671
       dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988
       call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
       expire_timers kernel/time/timer.c:1519 [inline]
       __run_timers+0x76a/0x980 kernel/time/timer.c:1790
       run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
       __do_softirq+0x277/0x75b kernel/softirq.c:571
       __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
       irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
       sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107
      ======================================================================
      
      If the size of the integer (unsigned n) is bigger than 32 in snto32(),
      shift exponent will be too large for 32-bit type 'int', resulting in a
      shift-out-of-bounds bug.
      Fix this by adding a check on the size of the integer (unsigned n) in
      snto32(). To add support for n greater than 32 bits, set n to 32, if n
      is greater than 32.
      
      Reported-by: syzbot+8b1641d2f14732407e23@syzkaller.appspotmail.com
      Fixes: dde5845a ("[PATCH] Generic HID layer - code split")
      Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
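
The width clamp described in the commit above, shown as an added user-space example (not the kernel's code and not part of the original commit). The names `sign_extend_n` and `extract_field` and the 16-byte report are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sign-extend the low n bits of value to 32 bits. A width above 32 is
 * clamped to 32, so no shift count can reach the width of the type. */
static int32_t sign_extend_n(uint32_t value, unsigned n)
{
    if (n == 0)
        return 0;
    if (n > 32)
        n = 32;                              /* width comes from the device: clamp it */
    if (n == 32)
        return (int32_t)value;               /* full width, nothing to extend */

    uint32_t sign_bit = UINT32_C(1) << (n - 1);  /* n - 1 is 0..30 here */
    value &= (UINT32_C(1) << n) - 1;             /* keep only the field's bits */
    return (int32_t)((value ^ sign_bit) - sign_bit);
}

/* Read an n-bit little-endian field at bit `offset` of a report buffer.
 * Returns 0 on success, -1 if the field would run past the buffer. */
static int extract_field(const uint8_t *report, size_t len,
                         unsigned offset, unsigned n, int32_t *out)
{
    uint32_t raw = 0;

    if (n > 32)
        n = 32;
    if ((size_t)offset + n > len * 8)
        return -1;
    for (unsigned i = 0; i < n; i++) {
        unsigned bit = offset + i;
        if (report[bit / 8] & (1u << (bit % 8)))
            raw |= UINT32_C(1) << i;
    }
    *out = sign_extend_n(raw, n);
    return 0;
}

int main(void)
{
    /* Constructed 16-byte report; a descriptor could declare it as one 128-bit field. */
    const uint8_t report[16] = { 0xF8, 0xFF, 0xFF, 0xFF, 0x7F };
    const unsigned widths[] = { 4, 8, 32, 128 };
    int32_t v;

    for (size_t i = 0; i < sizeof(widths) / sizeof(widths[0]); i++)
        if (extract_field(report, sizeof(report), 0, widths[i], &v) == 0)
            printf("n=%3u -> %d\n", widths[i], (int)v);
    return 0;
}
```

Building with `-fsanitize=undefined` reports nothing for the 128-bit width, because the shift count never exceeds 31.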
    • HID: i2c: let RMI devices decide what constitutes wakeup event · 9984fbf5
      Dmitry Torokhov authored
      HID-RMI is special in the sense that it does not carry HID events
      directly, but rather uses HID protocol as a wrapper/transport for RMI
      protocol.  Therefore we should not assume that all data coming from the
      device via interrupt is associated with user activity and report wakeup
      event indiscriminately, but rather let HID-RMI do that when appropriate.
      
      HID-RMI devices tag responses to the commands issued by the host as
      RMI_READ_DATA_REPORT_ID whereas motion and other input events from the
      device are tagged as RMI_ATTN_REPORT_ID. Change hid-rmi to report wakeup
      events when receiving the latter packets. This allows ChromeOS to
      accurately identify wakeup source and make correct decision on the mode
      of the resume the system should take ("dark" where the display stays off
      vs normal one).
      
      Fixes: d951ae1c ("HID: i2c-hid: Report wakeup events")
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    • HID: uclogic: Add HID_QUIRK_HIDINPUT_FORCE quirk · 3405a4be
      José Expósito authored
      Commit f7d8e387 ("HID: uclogic: Switch to Digitizer usage for
      styluses") changed the usage used in UCLogic from "Pen" to "Digitizer".
      
      However, the IS_INPUT_APPLICATION() macro evaluates to false for
      HID_DG_DIGITIZER causing issues with the XP-Pen Star G640 tablet.
      
      Add the HID_QUIRK_HIDINPUT_FORCE quirk to bypass the
      IS_INPUT_APPLICATION() check.
      Reported-by: Torge Matthies <openglfreak@googlemail.com>
      Reported-by: Alexander Zhang <alex@alexyzhang.dev>
      Tested-by: Alexander Zhang <alex@alexyzhang.dev>
      Signed-off-by: José Expósito <jose.exposito89@gmail.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
  5. 16 Nov, 2022 2 commits
  6. 15 Nov, 2022 1 commit
  7. 14 Nov, 2022 6 commits
  8. 11 Nov, 2022 10 commits
    • Merge tag 'for-linus-2022111101' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid · 9c730fe1
      Linus Torvalds authored
      Pull HID fixes from Jiri Kosina:
      
       - fix for memory leak (on error path) in Hyper-V driver (Yang
         Yingliang)
      
       - regression fix for handling 3rd barrel switch emulation in Wacom
         driver (Jason Gerecke)
      
      * tag 'for-linus-2022111101' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
        HID: wacom: Fix logic used for 3rd barrel switch emulation
        HID: hyperv: fix possible memory leak in mousevsc_probe()
        HID: asus: Remove unused variable in asus_report_tool_width()
    • Merge tag 'sound-6.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 64b4aef1
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Things look calming down, as this contains only a few small fixes:
      
         - Fix for a corner-case bug with SG-buffer page allocation helper
      
         - A regression fix for Roland USB-audio device probe
      
         - A potential memory leak fix at the error path
      
         - Handful quirks and device-specific fixes for HD- and USB-audio"
      
      * tag 'sound-6.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda: fix potential memleak in 'add_widget_node'
        ALSA: memalloc: Don't fall back for SG-buffer with IOMMU
        ALSA: usb-audio: add quirk to fix Hamedal C20 disconnect issue
        ALSA: hda/realtek: Add Positivo C6300 model quirk
        ALSA: usb-audio: Add DSD support for Accuphase DAC-60
        ALSA: usb-audio: Add quirk entry for M-Audio Micro
        ALSA: hda/hdmi - enable runtime pm for more AMD display audio
        ALSA: usb-audio: Remove redundant workaround for Roland quirk
        ALSA: usb-audio: Yet more regression for for the delayed card registration
        ALSA: hda/ca0132: add quirk for EVGA Z390 DARK
        ALSA: hda: clarify comments on SCF changes
        ALSA: arm: pxa: pxa2xx-ac97-lib: fix return value check of platform_get_irq()
        ALSA: hda/realtek: Add quirk for ASUS Zenbook using CS35L41
    • Merge tag 'drm-fixes-2022-11-11' of git://anongit.freedesktop.org/drm/drm · fd979ca6
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Weekly pull request for graphics, mostly amdgpu and i915, with a
        couple of fixes for vc4 and panfrost, panel quirks and a kconfig
        change for rcar-du. Nothing seems to be too strange at this stage.
      
        amdgpu:
         - Fix s/r in amdgpu_vram_mgr_new
         - SMU 13.0.4 update
         - GPUVM TLB race fix
         - DCN 3.1.4 fixes
         - DCN 3.2.x fixes
         - Vega10 fan fix
         - BACO fix for Beige Goby board
         - PSR fix
         - GPU VM PT locking fixes
      
        amdkfd:
         - CRIU fixes
      
        vc4:
         - HDMI fixes to vc4.
      
        panfrost:
         - Make panfrost's uapi header compile with C++.
         - Handle 1 gb boundary correctly in panfrost mmu code.
      
        panel:
         - Add rotation quirks for 2 panels.
      
        rcar-du:
         - DSI Kconfig fix
      
        i915:
         - Fix sg_table handling in map_dma_buf
         - Send PSR update also on invalidate
         - Do not set cache_dirty for DGFX
         - Restore userptr probe_range behaviour"
      
      * tag 'drm-fixes-2022-11-11' of git://anongit.freedesktop.org/drm/drm: (29 commits)
        drm/amd/display: only fill dirty rectangles when PSR is enabled
        drm/amdgpu: disable BACO on special BEIGE_GOBY card
        drm/amdgpu: Drop eviction lock when allocating PT BO
        drm/amdgpu: Unlock bo_list_mutex after error handling
        Revert "drm/amdgpu: Revert "drm/amdgpu: getting fan speed pwm for vega10 properly""
        drm/amd/display: Enforce minimum prefetch time for low memclk on DCN32
        drm/amd/display: Fix gpio port mapping issue
        drm/amd/display: Fix reg timeout in enc314_enable_fifo
        drm/amd/display: Fix FCLK deviation and tool compile issues
        drm/amd/display: Zeromem mypipe heap struct before using it
        drm/amd/display: Update SR watermarks for DCN314
        drm/amdgpu: workaround for TLB seq race
        drm/amdkfd: Fix error handling in criu_checkpoint
        drm/amdkfd: Fix error handling in kfd_criu_restore_events
        drm/amd/pm: update SMU IP v13.0.4 msg interface header
        drm: rcar-du: Fix Kconfig dependency between RCAR_DU and RCAR_MIPI_DSI
        drm/panfrost: Split io-pgtable requests properly
        drm/amdgpu: Fix the lpfn checking condition in drm buddy
        drm: panel-orientation-quirks: Add quirk for Acer Switch V 10 (SW5-017)
        drm: panel-orientation-quirks: Add quirk for Nanote UMPC-01
        ...
    • HID: ft260: fix 'cast to restricted' kernel CI bot warnings · fb5d783b
      Michael Zaidman authored
      Fix 'cast to restricted' sparse warnings reported by kernel test robot
      in https://lore.kernel.org/all/202211021607.ssjymlKi-lkp@intel.com/
      Reported-by: kernel test robot <lkp@intel.com>
      Signed-off-by: Michael Zaidman <michael.zaidman@gmail.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    • HID: ft260: missed NACK from busy device · 5afac727
      Michael Zaidman authored
      When writing into a slow device like an EEPROM chip, the
      controller may exit the busy state before the device releases
      the bus. In this case, the ft260_xfer_status returns success
      before the data transfer completion.
      
      The patch fixes it by returning from the ft260_xfer_status()
      with the "-EAGAIN" on both controller and bus busy status when
      appropriate.
      
      It does not apply to the i2c combined transactions when after
      the write IO, the controller keeps the bus busy until the read
      IO and then between reading IOs to ensure an atomic operation.
      Co-developed-by: Germain Hebert <germain.hebert@ca.abb.com>
      Signed-off-by: Germain Hebert <germain.hebert@ca.abb.com>
      Signed-off-by: Michael Zaidman <michael.zaidman@gmail.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    • HID: ft260: fix a NULL pointer dereference in ft260_i2c_write · c2500bdf
      Michael Zaidman authored
      The zero-length passed into the ft260_i2c_write() triggered the
      NULL pointer dereference in the debug message on data[0] access.
      Since the controller does not support a write of zero length,
      let's not allow it.
      
      Before:
      
      $ sudo i2ctransfer -y 13 w0@0x51
      Killed
      
      After:
      
      $ sudo i2ctransfer -y 13 w0@0x51
      Error: Sending messages failed: Invalid argument
      Reported-by: Enrik Berkhan <Enrik.Berkhan@inka.de>
      Signed-off-by: Michael Zaidman <michael.zaidman@gmail.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    • HID: ft260: wake up device from power saving mode · 4b3da685
      Michael Zaidman authored
      The FT260 can enter a power saving mode after being idle for longer
      than 5 seconds.
      
      When being woken up from power saving mode by an I2C write request,
      a possible NACK is not correctly reported by the controller. As a
      workaround, the driver will issue an I2C status report two times in
      ft260_xfer_status() after the chip has been idle for more than 5s.
      Co-developed-by: Enrik Berkhan <Enrik.Berkhan@inka.de>
      Signed-off-by: Enrik Berkhan <Enrik.Berkhan@inka.de>
      Signed-off-by: Michael Zaidman <michael.zaidman@gmail.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    • HID: ft260: missed NACK from big i2c read · 728b117e
      Michael Zaidman authored
      The FT260 controller does not return NACK when performing a big
      read (of multiple hid reports size) from a non-existing device
      or from the device responding with NACK when it is not ready
      to serve the request. However, it responds correctly with NACK
      to a read of up to a single hid report size.
      
      To overcome this issue, we split the multi-report read request
      into a read of a single HID report of 60 bytes size and a
      multi-report read.
      
      Big read of 256 bytes with first read of 60 bytes:
      
      $ sudo ./i2cperf -d 2 -o 2 -s 256 -r 0-0xff 1 0x50 -S
      
      [  +5.633280] ft260_i2c_write_read: off 0x0 rlen 255 wlen 2
      [  +0.000006] ft260_i2c_write: rep 0xd0 addr 0x50 off 0 len 2 wlen 2 flag 0x2 d[0] 0x0
      [  +0.013205] ft260_xfer_status: bus_status 0x20, clock 100
      [  +0.000007] ft260_i2c_read: rep 0xc2 addr 0x50 len 255 rlen 60 flag 0x3
      [  +0.010932] ft260_raw_event: i2c resp: rep 0xde len 60
      [  +0.004733] ft260_xfer_status: bus_status 0x40, clock 100
      [  +0.000006] ft260_i2c_read: rep 0xc2 addr 0x50 len 195 rlen 128 flag 0x0
      [  +0.012572] ft260_raw_event: i2c resp: rep 0xde len 60
      [  +0.005789] ft260_raw_event: i2c resp: rep 0xde len 60
      [  +0.003189] ft260_raw_event: i2c resp: rep 0xd1 len 8
      [  +0.004092] ft260_xfer_status: bus_status 0x40, clock 100
      [  +0.000010] ft260_i2c_read: rep 0xc2 addr 0x50 len 67 rlen 67 flag 0x4
      [  +0.011688] ft260_raw_event: i2c resp: rep 0xde len 60
      [  +0.004700] ft260_raw_event: i2c resp: rep 0xd1 len 7
      [  +0.004858] ft260_xfer_status: bus_status 0x20, clock 100
      
      Read from non-existing device at address 8. The first 60 read responded
      with NACK.
      
      $ sudo ./i2cperf -d 2 -o 2 -s 256 -r 0-0xff 1 0x8 -S
      [Oct19 15:37] ft260_i2c_write_read: off 0x0 rlen 255 wlen 2
      [  +0.000007] ft260_i2c_write: rep 0xd0 addr 0x8 off 0 len 2 wlen 2 flag 0x2 d[0] 0x0
      [  +0.022820] ft260_xfer_status: bus_status 0x20, clock 100
      [  +0.000007] ft260_i2c_read: rep 0xc2 addr 0x8 len 255 rlen 60 flag 0x3
      [  +0.010658] ft260_raw_event: i2c resp: rep 0xde len 60
      [  +0.005965] ft260_xfer_status: bus_status 0x46, clock 100  <-- NACK
      [  +0.000009] ft260 0003:0403:6030.0004: i2c bus error: 0x46
      [  +0.007784] ft260_i2c_reset: done
      Co-developed-by: Enrik Berkhan <Enrik.Berkhan@inka.de>
      Signed-off-by: Enrik Berkhan <Enrik.Berkhan@inka.de>
      Signed-off-by: Michael Zaidman <michael.zaidman@gmail.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    • HID: ft260: remove SMBus Quick command support · 3b56ff48
      Michael Zaidman authored
      The i2cdetect uses the SMBus Quick command by default to scan devices
      on the I2C bus. The FT260 implements an I2C bus controller. The SMBus
      is derived from I2C, but there are several differences between the
      specifications of the two buses in the areas of timing, protocols,
      operation modes, and electrical characteristics.
      
      One of the differences is that the I2C devices allow the slave not
      to ACK its slave address, but SMBus requires it to always ACK it as
      a mechanism to detect a detachable device’s presence on the bus.
      Since FT260 is the I2C bus controller, it does not acknowledge the
      SMBus Quick write command, which sends a single bit to the device at
      the place of the RD/WR bit.
      
      The ft260 driver attempted to mimic the SMBus Quick Write functionality
      by writing a single byte as the SMBus Byte Write command does.
      
      Usually, one byte in the SMBus Quick Write will be fine. However, it may
      cause problems with devices with a control register at offset 0, like
      i2c muxes, for example, when scanned with the i2cdetect utility.
      
      The i2cdetect with the "-r" option uses the SMBus Read Byte command,
      which is a reasonable workaround. To prevent the I2C bus from locking
      at write-only devices (most notably clock chips at address 0x69), use
      the "-r" option in conjunction with scanning range parameters.
      
      This patch removes the SMBus Quick command support.
      
      $ sudo i2cdetect -y 13
      Warning: Can't use SMBus Quick Write command, will skip some addresses
           0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
      00:
      10:
      20:
      30: -- -- -- -- -- -- -- --
      40:
      50: 50 51 -- -- -- -- -- -- -- -- -- -- -- -- -- --
      60:
      70:
      
      $ sudo i2cdetect -y -r 13
           0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
      00:                         -- -- -- -- -- -- -- --
      10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
      20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
      30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
      40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
      50: 50 51 -- -- -- -- -- -- -- -- -- -- -- -- -- --
      60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
      70: -- -- -- -- -- -- -- --
      Reported-by: Vince Asbridge <VAsbridge@sanblaze.com>
      Reported-by: Stephen Shirron <SShirron@sanblaze.com>
      Reported-by: Enrik Berkhan <Enrik.Berkhan@inka.de>
      Signed-off-by: Michael Zaidman <michael.zaidman@gmail.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    • HID: ft260: skip unexpected HID input reports · b7121e3c
      Michael Zaidman authored
      The FT260 is not supposed to generate unexpected HID reports. However,
      in theory, the unsolicited HID Input reports can be issued by a specially
      crafted malicious USB device masquerading as FT260 when the attacker has
      physical access to the USB port. In this case, the read_buf pointer points
      to the final data portion of the previous I2C Read transfer, and the memcpy
      invoked in the ft260_raw_event() will try copying the content of the
      unexpected report into the wrong location.
      
      This commit sets the Read buffer pointer to NULL on the I2C Read
      transaction completion and checks it in the ft260_raw_event() to detect
      and skip the unsolicited Input report.
      Reported-by: Enrik Berkhan <Enrik.Berkhan@inka.de>
      Signed-off-by: Michael Zaidman <michael.zaidman@gmail.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
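
The guard described in the commit above, modelled in user space as an added example (not the ft260 driver's code and not part of the original commit). `struct read_ctx`, `begin_read` and `on_input_report` are hypothetical names, and the extra length check is an assumption of this model that the commit message does not mention.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPORT_DATA_MAX 60      /* data bytes in one HID input report (from the page) */

struct read_ctx {               /* hypothetical stand-in for the driver's per-device state */
    uint8_t *read_buf;          /* NULL whenever no I2C read is outstanding */
    size_t   read_len;          /* bytes the pending read asked for */
    size_t   read_idx;          /* bytes copied so far */
    unsigned skipped;           /* input reports dropped as unsolicited or oversized */
};

static void begin_read(struct read_ctx *c, uint8_t *buf, size_t len)
{
    c->read_buf = buf;
    c->read_len = len;
    c->read_idx = 0;
}

/* Handle one input report. Returns 0 if its data was copied, -1 if skipped. */
static int on_input_report(struct read_ctx *c, const uint8_t *data, size_t len)
{
    if (c->read_buf == NULL) {                  /* nothing was requested: skip it */
        c->skipped++;
        return -1;
    }
    /* Extra length check, an assumption of this model and not stated on the page. */
    if (len > REPORT_DATA_MAX || len > c->read_len - c->read_idx) {
        c->read_buf = NULL;
        c->skipped++;
        return -1;
    }
    memcpy(c->read_buf + c->read_idx, data, len);
    c->read_idx += len;
    if (c->read_idx == c->read_len)
        c->read_buf = NULL;                     /* read complete: clear the pointer */
    return 0;
}

int main(void)
{
    uint8_t buf[8] = { 0 };
    const uint8_t reply[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };   /* constructed data */
    const uint8_t rogue[4] = { 0xAA, 0xAA, 0xAA, 0xAA };   /* constructed data */
    struct read_ctx c = { 0 };

    begin_read(&c, buf, sizeof(buf));
    int first = on_input_report(&c, reply, sizeof(reply));
    int second = on_input_report(&c, rogue, sizeof(rogue));
    printf("solicited: %d, unsolicited: %d, skipped: %u\n", first, second, c.skipped);
    return 0;
}
```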