<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/bluetooth/hidp, branch linux-3.14.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>Bluetooth: hidp: fix device disconnect on idle timeout</title>
<updated>2015-12-09T18:42:58+00:00</updated>
<author>
<name>David Herrmann</name>
<email>dh.herrmann@gmail.com</email>
</author>
<published>2015-09-07T10:05:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3a645c2fe8182496b30022fe4ca07b0cd473c81a'/>
<id>3a645c2fe8182496b30022fe4ca07b0cd473c81a</id>
<content type='text'>
commit 660f0fc07d21114549c1862e67e78b1cf0c90c29 upstream.

The HIDP specs define an idle-timeout which automatically disconnects a
device. This has always been implemented in the HIDP layer and forced a
synchronous shutdown of the hidp-scheduler. This works just fine, but
lacks a forced disconnect on the underlying l2cap channels. This has been
broken since:

    commit 5205185d461d5902325e457ca80bd421127b7308
    Author: David Herrmann &lt;dh.herrmann@gmail.com&gt;
    Date:   Sat Apr 6 20:28:47 2013 +0200

        Bluetooth: hidp: remove old session-management

The old session-management always forced an l2cap error on the ctrl/intr
channels when shutting down. The new session-management skips this, as we
don't want to enforce channel policy on the caller. In other words, if
user-space removes an HIDP device, the underlying channels (which are
*owned* and *referenced* by user-space) are still left active. User-space
needs to call shutdown(2) or close(2) to release them.

Unfortunately, this does not work with idle-timeouts. There is no way to
signal user-space that the HIDP layer has been stopped. The API simply
does not support any event-passing except for poll(2). Hence, we restore
old behavior and force EUNATCH on the sockets if the HIDP layer is
disconnected due to idle-timeouts (behavior of explicit disconnects
remains unmodified). User-space can still call

    getsockopt(..., SO_ERROR, ...)

..to retrieve the EUNATCH error and clear sk_err. Hence, the channels can
still be re-used (which nobody does so far, though). Therefore, the API
still supports the new behavior, but with this patch it's also compatible
to the old implicit channel shutdown.

Reported-by: Mark Haun &lt;haunma@keteu.org&gt;
Reported-by: Luiz Augusto von Dentz &lt;luiz.dentz@gmail.com&gt;
Signed-off-by: David Herrmann &lt;dh.herrmann@gmail.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 660f0fc07d21114549c1862e67e78b1cf0c90c29 upstream.

The HIDP specs define an idle-timeout which automatically disconnects a
device. This has always been implemented in the HIDP layer and forced a
synchronous shutdown of the hidp-scheduler. This works just fine, but
lacks a forced disconnect on the underlying l2cap channels. This has been
broken since:

    commit 5205185d461d5902325e457ca80bd421127b7308
    Author: David Herrmann &lt;dh.herrmann@gmail.com&gt;
    Date:   Sat Apr 6 20:28:47 2013 +0200

        Bluetooth: hidp: remove old session-management

The old session-management always forced an l2cap error on the ctrl/intr
channels when shutting down. The new session-management skips this, as we
don't want to enforce channel policy on the caller. In other words, if
user-space removes an HIDP device, the underlying channels (which are
*owned* and *referenced* by user-space) are still left active. User-space
needs to call shutdown(2) or close(2) to release them.

Unfortunately, this does not work with idle-timeouts. There is no way to
signal user-space that the HIDP layer has been stopped. The API simply
does not support any event-passing except for poll(2). Hence, we restore
old behavior and force EUNATCH on the sockets if the HIDP layer is
disconnected due to idle-timeouts (behavior of explicit disconnects
remains unmodified). User-space can still call

    getsockopt(..., SO_ERROR, ...)

..to retrieve the EUNATCH error and clear sk_err. Hence, the channels can
still be re-used (which nobody does so far, though). Therefore, the API
still supports the new behavior, but with this patch it's also compatible
to the old implicit channel shutdown.

Reported-by: Mark Haun &lt;haunma@keteu.org&gt;
Reported-by: Luiz Augusto von Dentz &lt;luiz.dentz@gmail.com&gt;
Signed-off-by: David Herrmann &lt;dh.herrmann@gmail.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>HID: Bluetooth: hidp: make sure input buffers are big enough</title>
<updated>2014-02-17T20:17:55+00:00</updated>
<author>
<name>David Herrmann</name>
<email>dh.herrmann@gmail.com</email>
</author>
<published>2013-12-19T11:09:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a4b1b5877b514b276f0f31efe02388a9c2836728'/>
<id>a4b1b5877b514b276f0f31efe02388a9c2836728</id>
<content type='text'>
HID core expects the input buffers to be at least of size 4096
(HID_MAX_BUFFER_SIZE). Other sizes will result in buffer-overflows if an
input-report is smaller than advertised. We could, like i2c, compute the
biggest report-size instead of using HID_MAX_BUFFER_SIZE, but this will
blow up if report-descriptors are changed after -&gt;start() has been called.
So lets be safe and just use the biggest buffer we have.

Note that this adds an additional copy to the HIDP input path. If there is
a way to make sure the skb-buf is big enough, we should use that instead.

The best way would be to make hid-core honor the @size argument, though,
that sounds easier than it is. So lets just fix the buffer-overflows for
now and afterwards look for a faster way for all transport drivers.

Signed-off-by: David Herrmann &lt;dh.herrmann@gmail.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
HID core expects the input buffers to be at least of size 4096
(HID_MAX_BUFFER_SIZE). Other sizes will result in buffer-overflows if an
input-report is smaller than advertised. We could, like i2c, compute the
biggest report-size instead of using HID_MAX_BUFFER_SIZE, but this will
blow up if report-descriptors are changed after -&gt;start() has been called.
So lets be safe and just use the biggest buffer we have.

Note that this adds an additional copy to the HIDP input path. If there is
a way to make sure the skb-buf is big enough, we should use that instead.

The best way would be to make hid-core honor the @size argument, though,
that sounds easier than it is. So lets just fix the buffer-overflows for
now and afterwards look for a faster way for all transport drivers.

Signed-off-by: David Herrmann &lt;dh.herrmann@gmail.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next into for-davem</title>
<updated>2013-11-04T19:51:28+00:00</updated>
<author>
<name>John W. Linville</name>
<email>linville@tuxdriver.com</email>
</author>
<published>2013-11-04T19:51:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=87bc0728d462ae37841a550542829aa65a97e7c2'/>
<id>87bc0728d462ae37841a550542829aa65a97e7c2</id>
<content type='text'>
Conflicts:
	drivers/net/wireless/brcm80211/brcmfmac/sdio_host.h
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Conflicts:
	drivers/net/wireless/brcm80211/brcmfmac/sdio_host.h
</pre>
</div>
</content>
</entry>
<entry>
<title>net: 8021q/bluetooth/bridge/can/ceph: Remove extern from function prototypes</title>
<updated>2013-10-19T23:12:11+00:00</updated>
<author>
<name>Joe Perches</name>
<email>joe@perches.com</email>
</author>
<published>2013-10-18T20:48:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=348662a1429f95ed2d488c939c324ec152638742'/>
<id>348662a1429f95ed2d488c939c324ec152638742</id>
<content type='text'>
There are a mix of function prototypes with and without extern
in the kernel sources.  Standardize on not using extern for
function prototypes.

Function prototypes don't need to be written with extern.
extern is assumed by the compiler.  Its use is as unnecessary as
using auto to declare automatic/local variables in a block.

Signed-off-by: Joe Perches &lt;joe@perches.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
There are a mix of function prototypes with and without extern
in the kernel sources.  Standardize on not using extern for
function prototypes.

Function prototypes don't need to be written with extern.
extern is assumed by the compiler.  Its use is as unnecessary as
using auto to declare automatic/local variables in a block.

Signed-off-by: Joe Perches &lt;joe@perches.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Access HIDP session addresses through L2CAP channel</title>
<updated>2013-10-13T17:00:33+00:00</updated>
<author>
<name>Marcel Holtmann</name>
<email>marcel@holtmann.org</email>
</author>
<published>2013-10-13T16:49:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=755b82aa2fdb62a61990f6c132df150abd9e9206'/>
<id>755b82aa2fdb62a61990f6c132df150abd9e9206</id>
<content type='text'>
The L2CAP socket structure does not contain the address information
anymore. They need to be accessed through the L2CAP channel.

Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Johan Hedberg &lt;johan.hedberg@intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The L2CAP socket structure does not contain the address information
anymore. They need to be accessed through the L2CAP channel.

Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Johan Hedberg &lt;johan.hedberg@intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid</title>
<updated>2013-09-06T16:30:36+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2013-09-06T16:30:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=22e04f6b4b04a8afe9af9239224591d06ba3b24d'/>
<id>22e04f6b4b04a8afe9af9239224591d06ba3b24d</id>
<content type='text'>
Pull HID updates from Jiri Kosina:
 "Highlights:

   - conversion of HID subsystem to use devm-based resource management,
     from Benjamin Tissoires

   - i2c-hid support for DT bindings, from Benjamin Tissoires

   - much improved support for Win8-multitouch devices, from Benjamin
     Tissoires

   - cleanup of core code using common hidinput_input_event(), from
     David Herrmann

   - fix for bug in implement() access to the bit stream (causing oops)
     that has been present in the code for ages, but devices that are
     able to trigger it have started to appear only now, from Jiri
     Kosina

   - fixes for CVE-2013-2899, CVE-2013-2898, CVE-2013-2896,
     CVE-2013-2892, CVE-2013-2888 (all triggerable only by specially
     crafted malicious HW devices plugged into the system), from Kees
     Cook

   - hidraw oops fix, from Manoj Chourasia

   - various smaller fixes here and there, support for a bunch of new
     devices by various contributors"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid: (53 commits)
  HID: MAINTAINERS: add roccat drivers
  HID: hid-sensor-hub: change kmalloc + memcpy by kmemdup
  HID: hid-sensor-hub: move to devm_kzalloc
  HID: hid-sensor-hub: fix indentation accross the code
  HID: move HID_REPORT_TYPES closer to the report-definitions
  HID: check for NULL field when setting values
  HID: picolcd_core: validate output report details
  HID: sensor-hub: validate feature report details
  HID: ntrig: validate feature report details
  HID: pantherlord: validate output report details
  HID: hid-wiimote: print small buffers via %*phC
  HID: uhid: improve uhid example client
  HID: Correct the USB IDs for the new Macbook Air 6
  HID: wiimote: add support for Guitar-Hero guitars
  HID: wiimote: add support for Guitar-Hero drums
  Input: introduce BTN/ABS bits for drums and guitars
  HID: battery: don't do DMA from stack
  HID: roccat: add support for KonePureOptical v2
  HID: picolcd: Prevent NULL pointer dereference on _remove()
  HID: usbhid: quirk for N-Trig DuoSense Touch Screen
  ...
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull HID updates from Jiri Kosina:
 "Highlights:

   - conversion of HID subsystem to use devm-based resource management,
     from Benjamin Tissoires

   - i2c-hid support for DT bindings, from Benjamin Tissoires

   - much improved support for Win8-multitouch devices, from Benjamin
     Tissoires

   - cleanup of core code using common hidinput_input_event(), from
     David Herrmann

   - fix for bug in implement() access to the bit stream (causing oops)
     that has been present in the code for ages, but devices that are
     able to trigger it have started to appear only now, from Jiri
     Kosina

   - fixes for CVE-2013-2899, CVE-2013-2898, CVE-2013-2896,
     CVE-2013-2892, CVE-2013-2888 (all triggerable only by specially
     crafted malicious HW devices plugged into the system), from Kees
     Cook

   - hidraw oops fix, from Manoj Chourasia

   - various smaller fixes here and there, support for a bunch of new
     devices by various contributors"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid: (53 commits)
  HID: MAINTAINERS: add roccat drivers
  HID: hid-sensor-hub: change kmalloc + memcpy by kmemdup
  HID: hid-sensor-hub: move to devm_kzalloc
  HID: hid-sensor-hub: fix indentation accross the code
  HID: move HID_REPORT_TYPES closer to the report-definitions
  HID: check for NULL field when setting values
  HID: picolcd_core: validate output report details
  HID: sensor-hub: validate feature report details
  HID: ntrig: validate feature report details
  HID: pantherlord: validate output report details
  HID: hid-wiimote: print small buffers via %*phC
  HID: uhid: improve uhid example client
  HID: Correct the USB IDs for the new Macbook Air 6
  HID: wiimote: add support for Guitar-Hero guitars
  HID: wiimote: add support for Guitar-Hero drums
  Input: introduce BTN/ABS bits for drums and guitars
  HID: battery: don't do DMA from stack
  HID: roccat: add support for KonePureOptical v2
  HID: picolcd: Prevent NULL pointer dereference on _remove()
  HID: usbhid: quirk for N-Trig DuoSense Touch Screen
  ...
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'master' into for-3.12/upstream</title>
<updated>2013-09-04T08:49:57+00:00</updated>
<author>
<name>Jiri Kosina</name>
<email>jkosina@suse.cz</email>
</author>
<published>2013-09-04T08:49:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=efd15f5f4ff63f6ac5d80850686e3d2cc8c4481b'/>
<id>efd15f5f4ff63f6ac5d80850686e3d2cc8c4481b</id>
<content type='text'>
Sync with Linus' tree to be able to apply fixup patch on top
of 9d9a04ee75 ("HID: apple: Add support for the 2013 Macbook Air")

Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Sync with Linus' tree to be able to apply fixup patch on top
of 9d9a04ee75 ("HID: apple: Add support for the 2013 Macbook Air")

Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: hidp: remove wrong send_report at init</title>
<updated>2013-07-25T13:15:24+00:00</updated>
<author>
<name>Benjamin Tissoires</name>
<email>benjamin.tissoires@redhat.com</email>
</author>
<published>2013-07-11T13:41:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=159d865f2078ffa4441abb0155f725368371f836'/>
<id>159d865f2078ffa4441abb0155f725368371f836</id>
<content type='text'>
The USB hid implementation does retrieve the reports during the start.
However, this implementation does not call the HID command GET_REPORT
(which would fetch the current status of each report), but use the
DATA command, which is an Output Report (so transmitting data from the
host to the device).
The Wiimote controller is already guarded against this problem in the
protocol, but it is not conformant to the specification to set all the
reports to 0 on start.

Signed-off-by: Benjamin Tissoires &lt;benjamin.tissoires@redhat.com&gt;
Reviewed-by: David Herrmann &lt;dh.herrmann@gmail.com&gt;
Acked-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
Signed-off-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The USB hid implementation does retrieve the reports during the start.
However, this implementation does not call the HID command GET_REPORT
(which would fetch the current status of each report), but use the
DATA command, which is an Output Report (so transmitting data from the
host to the device).
The Wiimote controller is already guarded against this problem in the
protocol, but it is not conformant to the specification to set all the
reports to 0 on start.

Signed-off-by: Benjamin Tissoires &lt;benjamin.tissoires@redhat.com&gt;
Reviewed-by: David Herrmann &lt;dh.herrmann@gmail.com&gt;
Acked-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
Signed-off-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: hidp: implement hidinput_input_event callback</title>
<updated>2013-07-25T13:15:24+00:00</updated>
<author>
<name>Benjamin Tissoires</name>
<email>benjamin.tissoires@redhat.com</email>
</author>
<published>2013-07-11T13:41:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2583d706a13d0dc7fa591d5bb036454d0ddbf5b0'/>
<id>2583d706a13d0dc7fa591d5bb036454d0ddbf5b0</id>
<content type='text'>
We can re-enable hidinput_input_event to allow the leds of bluetooth
keyboards to be set.
Now the callbacks uses hid core to retrieve the right HID report to
send, so this version is safer.

Signed-off-by: Benjamin Tissoires &lt;benjamin.tissoires@redhat.com&gt;
Reviewed-by: David Herrmann &lt;dh.herrmann@gmail.com&gt;
Acked-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
Signed-off-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We can re-enable hidinput_input_event to allow the leds of bluetooth
keyboards to be set.
Now the callbacks uses hid core to retrieve the right HID report to
send, so this version is safer.

Signed-off-by: Benjamin Tissoires &lt;benjamin.tissoires@redhat.com&gt;
Reviewed-by: David Herrmann &lt;dh.herrmann@gmail.com&gt;
Acked-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
Signed-off-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>HID: fix unused rsize usage</title>
<updated>2013-07-22T15:11:44+00:00</updated>
<author>
<name>Jiri Kosina</name>
<email>jkosina@suse.cz</email>
</author>
<published>2013-07-22T15:11:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bc197eedef1ae082ec662c64c3f4aa302821fb7a'/>
<id>bc197eedef1ae082ec662c64c3f4aa302821fb7a</id>
<content type='text'>
27ce4050 ("HID: fix data access in implement()") by mistake removed
a setting of buffer size in hidp. Fix that by putting it back.

Reported-by: kbuild test robot &lt;fengguang.wu@intel.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
27ce4050 ("HID: fix data access in implement()") by mistake removed
a setting of buffer size in hidp. Fix that by putting it back.

Reported-by: kbuild test robot &lt;fengguang.wu@intel.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</pre>
</div>
</content>
</entry>
</feed>
