linux-stable.git/drivers/hid, branch v5.4.239 Linux kernel stable tree HID: uhid: Over-ride the default maximum data buffer value with our own 2023-03-22T12:28:10+00:00 Lee Jones lee@kernel.org 2023-03-20T13:06:32+00:00 eb7716a054a6ce96cd9264fbd246e92bc985af86 commit 1c5d4221240a233df2440fe75c881465cdf8da07 upstream. The default maximum data buffer size for this interface is UHID_DATA_MAX (4k). When data buffers are being processed, ensure this value is used when ensuring the sanity, rather than a value between the user provided value and HID_MAX_BUFFER_SIZE (16k). Signed-off-by: Lee Jones <lee@kernel.org> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Lee Jones <lee@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 1c5d4221240a233df2440fe75c881465cdf8da07 upstream.

The default maximum data buffer size for this interface is UHID_DATA_MAX
(4k).  When data buffers are being processed, ensure this value is used
when ensuring the sanity, rather than a value between the user provided
value and HID_MAX_BUFFER_SIZE (16k).

Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
HID: core: Provide new max_buffer_size attribute to over-ride the default 2023-03-22T12:28:10+00:00 Lee Jones lee@kernel.org 2023-03-20T13:06:31+00:00 b687ac70e66a1bad377864b30bf24c98017bac33 commit b1a37ed00d7908a991c1d0f18a8cba3c2aa99bdc upstream. Presently, when a report is processed, its proposed size, provided by the user of the API (as Report Size * Report Count) is compared against the subsystem default HID_MAX_BUFFER_SIZE (16k). However, some low-level HID drivers allocate a reduced amount of memory to their buffers (e.g. UHID only allocates UHID_DATA_MAX (4k) buffers), rending this check inadequate in some cases. In these circumstances, if the received report ends up being smaller than the proposed report size, the remainder of the buffer is zeroed. That is, the space between sizeof(csize) (size of the current report) and the rsize (size proposed i.e. Report Size * Report Count), which can be handled up to HID_MAX_BUFFER_SIZE (16k). Meaning that memset() shoots straight past the end of the buffer boundary and starts zeroing out in-use values, often resulting in calamity. This patch introduces a new variable into 'struct hid_ll_driver' where individual low-level drivers can over-ride the default maximum value of HID_MAX_BUFFER_SIZE (16k) with something more sympathetic to the interface. Signed-off-by: Lee Jones <lee@kernel.org> Signed-off-by: Jiri Kosina <jkosina@suse.cz> [Lee: Backported to v5.10.y] Signed-off-by: Lee Jones <lee@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit b1a37ed00d7908a991c1d0f18a8cba3c2aa99bdc upstream.

Presently, when a report is processed, its proposed size, provided by
the user of the API (as Report Size * Report Count) is compared against
the subsystem default HID_MAX_BUFFER_SIZE (16k).  However, some
low-level HID drivers allocate a reduced amount of memory to their
buffers (e.g. UHID only allocates UHID_DATA_MAX (4k) buffers), rending
this check inadequate in some cases.

In these circumstances, if the received report ends up being smaller
than the proposed report size, the remainder of the buffer is zeroed.
That is, the space between sizeof(csize) (size of the current report)
and the rsize (size proposed i.e. Report Size * Report Count), which can
be handled up to HID_MAX_BUFFER_SIZE (16k).  Meaning that memset()
shoots straight past the end of the buffer boundary and starts zeroing
out in-use values, often resulting in calamity.

This patch introduces a new variable into 'struct hid_ll_driver' where
individual low-level drivers can over-ride the default maximum value of
HID_MAX_BUFFER_SIZE (16k) with something more sympathetic to the
interface.

Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
[Lee: Backported to v5.10.y]
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
HID: Add Mapping for System Microphone Mute 2023-03-11T15:43:56+00:00 Jingyuan Liang jingyliang@chromium.org 2022-12-13T22:53:30+00:00 5ccd8d09fee5f6a6acc292b523f059e93c6b0a9c [ Upstream commit 2d60f9f4f26785a00273cb81fe60eff129ebd449 ] HUTRR110 added a new usage code for a key that is supposed to mute/unmute microphone system-wide. Map the new usage code(0x01 0xa9) to keycode KEY_MICMUTE. Additionally hid-debug is adjusted to recognize this keycode as well. Signed-off-by: Jingyuan Liang <jingyliang@chromium.org> Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit 2d60f9f4f26785a00273cb81fe60eff129ebd449 ]

HUTRR110 added a new usage code for a key that is supposed to
mute/unmute microphone system-wide.

Map the new usage code(0x01 0xa9) to keycode KEY_MICMUTE.
Additionally hid-debug is adjusted to recognize this keycode as well.

Signed-off-by: Jingyuan Liang <jingyliang@chromium.org>
Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
hid: bigben_probe(): validate report count 2023-03-11T15:43:49+00:00 Pietro Borrello borrello@diag.uniroma1.it 2023-02-12T00:01:44+00:00 5a195fa41d0147adfd7ae8cd78388f9d2bfc0334 [ Upstream commit b94335f899542a0da5fafc38af8edcaf90195843 ] bigben_probe() does not validate that the output report has the needed report values in the first field. A malicious device registering a report with one field and a single value causes an head OOB write in bigben_worker() when accessing report_field->value[1] to report_field->value[7]. Use hid_validate_values() which takes care of all the needed checks. Fixes: 256a90ed9e46 ("HID: hid-bigbenff: driver for BigBen Interactive PS3OFMINIPAD gamepad") Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it> Link: https://lore.kernel.org/r/20230211-bigben-oob-v1-1-d2849688594c@diag.uniroma1.it Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit b94335f899542a0da5fafc38af8edcaf90195843 ]

bigben_probe() does not validate that the output report has the
needed report values in the first field.
A malicious device registering a report with one field and a single
value causes an head OOB write in bigben_worker() when
accessing report_field->value[1] to report_field->value[7].
Use hid_validate_values() which takes care of all the needed checks.

Fixes: 256a90ed9e46 ("HID: hid-bigbenff: driver for BigBen Interactive PS3OFMINIPAD gamepad")
Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
Link: https://lore.kernel.org/r/20230211-bigben-oob-v1-1-d2849688594c@diag.uniroma1.it
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
HID: asus: Fix mute and touchpad-toggle keys on Medion Akoya E1239T 2023-03-11T15:43:49+00:00 Hans de Goede hdegoede@redhat.com 2020-04-28T14:22:54+00:00 9f525559ea3998f9a3e82b78e3f11ace54e6b39e [ Upstream commit 350bd245fc180032b442633d40ab37ff8e60e8eb ] The mute key, is broken. All the consumer keys on the keyboard USB interface work normally, except for mute which only sends press events and never sends release events. The touchpad key sends the otherwise unused input report with a report-id of 5 on the touchpad interface. It too only sends press events. This also requires extra special handling since the multi-touch touchpad events and the KEY_F21 events for the touchpad toggle must not be send from the same input_dev (userspace cannot handle this). This commit adds special handlig for both, fixing these keys not working. Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Stable-dep-of: 4ab3a086d10e ("HID: asus: use spinlock to safely schedule workers") Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit 350bd245fc180032b442633d40ab37ff8e60e8eb ]

The mute key, is broken. All the consumer keys on the keyboard USB
interface work normally, except for mute which only sends press events
and never sends release events.

The touchpad key sends the otherwise unused input report with a report-id
of 5 on the touchpad interface. It too only sends press events. This also
requires extra special handling since the multi-touch touchpad events and
the KEY_F21 events for the touchpad toggle must not be send from the same
input_dev (userspace cannot handle this).

This commit adds special handlig for both, fixing these keys not working.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Stable-dep-of: 4ab3a086d10e ("HID: asus: use spinlock to safely schedule workers")
Signed-off-by: Sasha Levin <sashal@kernel.org>
HID: asus: Add support for multi-touch touchpad on Medion Akoya E1239T 2023-03-11T15:43:48+00:00 Hans de Goede hdegoede@redhat.com 2020-04-28T14:22:53+00:00 bc786dfeb79231e20189411de51abee2f916750b [ Upstream commit e271f6c2df78d60dd4873c790a51dba40e6dfb72 ] The multi-touch touchpad found on the Medion Akoya E1239T's keyboard-dock, uses the same custom multi-touch protocol as the Asus keyboard-docks (same chipset vendor, Integrated Technology Express / ITE). Add support for this using the existing multi-touch touchpad support in the hid-asus driver. Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Stable-dep-of: 4ab3a086d10e ("HID: asus: use spinlock to safely schedule workers") Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit e271f6c2df78d60dd4873c790a51dba40e6dfb72 ]

The multi-touch touchpad found on the Medion Akoya E1239T's keyboard-dock,
uses the same custom multi-touch protocol as the Asus keyboard-docks
(same chipset vendor, Integrated Technology Express / ITE).

Add support for this using the existing multi-touch touchpad support in
the hid-asus driver.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Stable-dep-of: 4ab3a086d10e ("HID: asus: use spinlock to safely schedule workers")
Signed-off-by: Sasha Levin <sashal@kernel.org>
HID: asus: Add report_size to struct asus_touchpad_info 2023-03-11T15:43:48+00:00 Hans de Goede hdegoede@redhat.com 2020-04-28T14:22:52+00:00 bad4a822a1185c78b6d29c1deeab8aa4d8fb9259 [ Upstream commit a61f9e428bf092349fdfebeee37ddefedd3f0fd1 ] Add the report_size to struct asus_touchpad_info instead of calculating it. This is a preparation patch for adding support for the multi-touch touchpad found on the Medion Akoya E1239T's keyboard-dock, which uses the same custom multi-touch protocol as the Asus keyboard-docks (same chipset vendor, Integrated Technology Express / ITE). The only difference in that the Akoya E1239T keyboard-dock's input-reports have a 5 byte footer instead of a 1 byte footer, which requires the report_size to be configurable per touchpad-model. Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Stable-dep-of: 4ab3a086d10e ("HID: asus: use spinlock to safely schedule workers") Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit a61f9e428bf092349fdfebeee37ddefedd3f0fd1 ]

Add the report_size to struct asus_touchpad_info instead of calculating it.

This is a preparation patch for adding support for the multi-touch touchpad
found on the Medion Akoya E1239T's keyboard-dock, which uses the same
custom multi-touch protocol as the Asus keyboard-docks (same chipset
vendor, Integrated Technology Express / ITE).

The only difference in that the Akoya E1239T keyboard-dock's input-reports
have a 5 byte footer instead of a 1 byte footer, which requires the
report_size to be configurable per touchpad-model.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Stable-dep-of: 4ab3a086d10e ("HID: asus: use spinlock to safely schedule workers")
Signed-off-by: Sasha Levin <sashal@kernel.org>
HID: asus: Only set EV_REP if we are adding a mapping 2023-03-11T15:43:48+00:00 Hans de Goede hdegoede@redhat.com 2020-04-28T14:22:49+00:00 63792d0ae94ea02ac74c82ee6f04e24826d3c4c4 [ Upstream commit 4e4c60f826772dfeaacdf718f64afa38f46b6875 ] Make asus_input_mapping() only set EV_REP if we are adding a mapping. The T100CHI bluetooth keyboard dock has a few input reports for which we do not create any mappings (these input-reports are present in the descriptors but never send). The hid-asus code relies on the HID core not creating input devices for input-reports without any mappings. But the present of the EV_REP but counts as a mapping causing 6 /dev/input/event# nodes to be created for the T100CHI bluetooth keyboard dock. This change brings the amount of created /dev/input/event# nodes / input-devices down to 4. Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Stable-dep-of: 4ab3a086d10e ("HID: asus: use spinlock to safely schedule workers") Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit 4e4c60f826772dfeaacdf718f64afa38f46b6875 ]

Make asus_input_mapping() only set EV_REP if we are adding a mapping.

The T100CHI bluetooth keyboard dock has a few input reports for which
we do not create any mappings (these input-reports are present in the
descriptors but never send).

The hid-asus code relies on the HID core not creating input devices for
input-reports without any mappings. But the present of the EV_REP but
counts as a mapping causing 6 /dev/input/event# nodes to be created for
the T100CHI bluetooth keyboard dock. This change brings the amount of
created /dev/input/event# nodes / input-devices down to 4.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Stable-dep-of: 4ab3a086d10e ("HID: asus: use spinlock to safely schedule workers")
Signed-off-by: Sasha Levin <sashal@kernel.org>
HID: bigben: use spinlock to safely schedule workers 2023-03-11T15:43:48+00:00 Pietro Borrello borrello@diag.uniroma1.it 2023-02-12T19:00:01+00:00 25e14bf0c894f9003247e3475372f33d9be1e424 [ Upstream commit 76ca8da989c7d97a7f76c75d475fe95a584439d7 ] Use spinlocks to deal with workers introducing a wrapper bigben_schedule_work(), and several spinlock checks. Otherwise, bigben_set_led() may schedule bigben->worker after the structure has been freed, causing a use-after-free. Fixes: 4eb1b01de5b9 ("HID: hid-bigbenff: fix race condition for scheduled work during removal") Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it> Link: https://lore.kernel.org/r/20230125-hid-unregister-leds-v4-3-7860c5763c38@diag.uniroma1.it Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit 76ca8da989c7d97a7f76c75d475fe95a584439d7 ]

Use spinlocks to deal with workers introducing a wrapper
bigben_schedule_work(), and several spinlock checks.
Otherwise, bigben_set_led() may schedule bigben->worker after the
structure has been freed, causing a use-after-free.

Fixes: 4eb1b01de5b9 ("HID: hid-bigbenff: fix race condition for scheduled work during removal")
Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
Link: https://lore.kernel.org/r/20230125-hid-unregister-leds-v4-3-7860c5763c38@diag.uniroma1.it
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
HID: bigben_worker() remove unneeded check on report_field 2023-03-11T15:43:48+00:00 Pietro Borrello borrello@diag.uniroma1.it 2023-02-12T19:00:00+00:00 715edb0109ca6b2fb753c4bc1508ff3322e9ba40 [ Upstream commit 27d2a2fd844ec7da70d19fabb482304fd1e0595b ] bigben_worker() checks report_field to be non-NULL. The check has been added in commit 918aa1ef104d ("HID: bigbenff: prevent null pointer dereference") to prevent a NULL pointer crash. However, the true root cause was a missing check for output reports, patched in commit c7bf714f8755 ("HID: check empty report_list in bigben_probe()"), where the type-confused report list_entry was overlapping with a NULL pointer, which was then causing the crash. Fixes: 918aa1ef104d ("HID: bigbenff: prevent null pointer dereference") Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it> Link: https://lore.kernel.org/r/20230125-hid-unregister-leds-v4-2-7860c5763c38@diag.uniroma1.it Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit 27d2a2fd844ec7da70d19fabb482304fd1e0595b ]

bigben_worker() checks report_field to be non-NULL.
The check has been added in commit
918aa1ef104d ("HID: bigbenff: prevent null pointer dereference")
to prevent a NULL pointer crash.
However, the true root cause was a missing check for output
reports, patched in commit
c7bf714f8755 ("HID: check empty report_list in bigben_probe()"),
where the type-confused report list_entry was overlapping with
a NULL pointer, which was then causing the crash.

Fixes: 918aa1ef104d ("HID: bigbenff: prevent null pointer dereference")
Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
Link: https://lore.kernel.org/r/20230125-hid-unregister-leds-v4-2-7860c5763c38@diag.uniroma1.it
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>