<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/bluetooth/hidp, branch linux-5.4.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>Bluetooth: Fix race condition in hidp_session_thread</title>
<updated>2023-04-20T10:07:35+00:00</updated>
<author>
<name>Min Li</name>
<email>lm0963hack@gmail.com</email>
</author>
<published>2023-03-04T14:23:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8a99e6200c38b78a45dcd12a6bdc43fdf4dc36be'/>
<id>8a99e6200c38b78a45dcd12a6bdc43fdf4dc36be</id>
<content type='text'>
commit c95930abd687fcd1aa040dc4fe90dff947916460 upstream.

There is a potential race condition in hidp_session_thread that may
lead to use-after-free. For instance, the timer is active while
hidp_del_timer is called in hidp_session_thread(). After hidp_session_put,
then 'session' will be freed, causing kernel panic when hidp_idle_timeout
is running.

The solution is to use del_timer_sync instead of del_timer.

Here is the call trace:

? hidp_session_probe+0x780/0x780
call_timer_fn+0x2d/0x1e0
__run_timers.part.0+0x569/0x940
hidp_session_probe+0x780/0x780
call_timer_fn+0x1e0/0x1e0
ktime_get+0x5c/0xf0
lapic_next_deadline+0x2c/0x40
clockevents_program_event+0x205/0x320
run_timer_softirq+0xa9/0x1b0
__do_softirq+0x1b9/0x641
__irq_exit_rcu+0xdc/0x190
irq_exit_rcu+0xe/0x20
sysvec_apic_timer_interrupt+0xa1/0xc0

Cc: stable@vger.kernel.org
Signed-off-by: Min Li &lt;lm0963hack@gmail.com&gt;
Signed-off-by: Luiz Augusto von Dentz &lt;luiz.von.dentz@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c95930abd687fcd1aa040dc4fe90dff947916460 upstream.

There is a potential race condition in hidp_session_thread that may
lead to use-after-free. For instance, the timer is active while
hidp_del_timer is called in hidp_session_thread(). After hidp_session_put,
then 'session' will be freed, causing kernel panic when hidp_idle_timeout
is running.

The solution is to use del_timer_sync instead of del_timer.

Here is the call trace:

? hidp_session_probe+0x780/0x780
call_timer_fn+0x2d/0x1e0
__run_timers.part.0+0x569/0x940
hidp_session_probe+0x780/0x780
call_timer_fn+0x1e0/0x1e0
ktime_get+0x5c/0xf0
lapic_next_deadline+0x2c/0x40
clockevents_program_event+0x205/0x320
run_timer_softirq+0xa9/0x1b0
__do_softirq+0x1b9/0x641
__irq_exit_rcu+0xdc/0x190
irq_exit_rcu+0xe/0x20
sysvec_apic_timer_interrupt+0xa1/0xc0

Cc: stable@vger.kernel.org
Signed-off-by: Min Li &lt;lm0963hack@gmail.com&gt;
Signed-off-by: Luiz Augusto von Dentz &lt;luiz.von.dentz@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: hidp: use correct wait queue when removing ctrl_wait</title>
<updated>2021-08-26T12:36:15+00:00</updated>
<author>
<name>Ole Bjørn Midtbø</name>
<email>omidtbo@cisco.com</email>
</author>
<published>2020-10-17T11:15:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=911a8141efddab3cde50a00d38aa4e1427c2da6f'/>
<id>911a8141efddab3cde50a00d38aa4e1427c2da6f</id>
<content type='text'>
[ Upstream commit cca342d98bef68151a80b024f7bf5f388d1fbdea ]

A different wait queue was used when removing ctrl_wait than when adding
it. This effectively made the remove operation without locking compared
to other operations on the wait queue ctrl_wait was part of. This caused
issues like below where dead000000000100 is LIST_POISON1 and
dead000000000200 is LIST_POISON2.

 list_add corruption. next-&gt;prev should be prev (ffffffc1b0a33a08), \
	but was dead000000000200. (next=ffffffc03ac77de0).
 ------------[ cut here ]------------
 CPU: 3 PID: 2138 Comm: bluetoothd Tainted: G           O    4.4.238+ #9
 ...
 ---[ end trace 0adc2158f0646eac ]---
 Call trace:
 [&lt;ffffffc000443f78&gt;] __list_add+0x38/0xb0
 [&lt;ffffffc0000f0d04&gt;] add_wait_queue+0x4c/0x68
 [&lt;ffffffc00020eecc&gt;] __pollwait+0xec/0x100
 [&lt;ffffffc000d1556c&gt;] bt_sock_poll+0x74/0x200
 [&lt;ffffffc000bdb8a8&gt;] sock_poll+0x110/0x128
 [&lt;ffffffc000210378&gt;] do_sys_poll+0x220/0x480
 [&lt;ffffffc0002106f0&gt;] SyS_poll+0x80/0x138
 [&lt;ffffffc00008510c&gt;] __sys_trace_return+0x0/0x4

 Unable to handle kernel paging request at virtual address dead000000000100
 ...
 CPU: 4 PID: 5387 Comm: kworker/u15:3 Tainted: G        W  O    4.4.238+ #9
 ...
 Call trace:
  [&lt;ffffffc0000f079c&gt;] __wake_up_common+0x7c/0xa8
  [&lt;ffffffc0000f0818&gt;] __wake_up+0x50/0x70
  [&lt;ffffffc000be11b0&gt;] sock_def_wakeup+0x58/0x60
  [&lt;ffffffc000de5e10&gt;] l2cap_sock_teardown_cb+0x200/0x224
  [&lt;ffffffc000d3f2ac&gt;] l2cap_chan_del+0xa4/0x298
  [&lt;ffffffc000d45ea0&gt;] l2cap_conn_del+0x118/0x198
  [&lt;ffffffc000d45f8c&gt;] l2cap_disconn_cfm+0x6c/0x78
  [&lt;ffffffc000d29934&gt;] hci_event_packet+0x564/0x2e30
  [&lt;ffffffc000d19b0c&gt;] hci_rx_work+0x10c/0x360
  [&lt;ffffffc0000c2218&gt;] process_one_work+0x268/0x460
  [&lt;ffffffc0000c2678&gt;] worker_thread+0x268/0x480
  [&lt;ffffffc0000c94e0&gt;] kthread+0x118/0x128
  [&lt;ffffffc000085070&gt;] ret_from_fork+0x10/0x20
  ---[ end trace 0adc2158f0646ead ]---

Signed-off-by: Ole Bjørn Midtbø &lt;omidtbo@cisco.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit cca342d98bef68151a80b024f7bf5f388d1fbdea ]

A different wait queue was used when removing ctrl_wait than when adding
it. This effectively made the remove operation without locking compared
to other operations on the wait queue ctrl_wait was part of. This caused
issues like below where dead000000000100 is LIST_POISON1 and
dead000000000200 is LIST_POISON2.

 list_add corruption. next-&gt;prev should be prev (ffffffc1b0a33a08), \
	but was dead000000000200. (next=ffffffc03ac77de0).
 ------------[ cut here ]------------
 CPU: 3 PID: 2138 Comm: bluetoothd Tainted: G           O    4.4.238+ #9
 ...
 ---[ end trace 0adc2158f0646eac ]---
 Call trace:
 [&lt;ffffffc000443f78&gt;] __list_add+0x38/0xb0
 [&lt;ffffffc0000f0d04&gt;] add_wait_queue+0x4c/0x68
 [&lt;ffffffc00020eecc&gt;] __pollwait+0xec/0x100
 [&lt;ffffffc000d1556c&gt;] bt_sock_poll+0x74/0x200
 [&lt;ffffffc000bdb8a8&gt;] sock_poll+0x110/0x128
 [&lt;ffffffc000210378&gt;] do_sys_poll+0x220/0x480
 [&lt;ffffffc0002106f0&gt;] SyS_poll+0x80/0x138
 [&lt;ffffffc00008510c&gt;] __sys_trace_return+0x0/0x4

 Unable to handle kernel paging request at virtual address dead000000000100
 ...
 CPU: 4 PID: 5387 Comm: kworker/u15:3 Tainted: G        W  O    4.4.238+ #9
 ...
 Call trace:
  [&lt;ffffffc0000f079c&gt;] __wake_up_common+0x7c/0xa8
  [&lt;ffffffc0000f0818&gt;] __wake_up+0x50/0x70
  [&lt;ffffffc000be11b0&gt;] sock_def_wakeup+0x58/0x60
  [&lt;ffffffc000de5e10&gt;] l2cap_sock_teardown_cb+0x200/0x224
  [&lt;ffffffc000d3f2ac&gt;] l2cap_chan_del+0xa4/0x298
  [&lt;ffffffc000d45ea0&gt;] l2cap_conn_del+0x118/0x198
  [&lt;ffffffc000d45f8c&gt;] l2cap_disconn_cfm+0x6c/0x78
  [&lt;ffffffc000d29934&gt;] hci_event_packet+0x564/0x2e30
  [&lt;ffffffc000d19b0c&gt;] hci_rx_work+0x10c/0x360
  [&lt;ffffffc0000c2218&gt;] process_one_work+0x268/0x460
  [&lt;ffffffc0000c2678&gt;] worker_thread+0x268/0x480
  [&lt;ffffffc0000c94e0&gt;] kthread+0x118/0x128
  [&lt;ffffffc000085070&gt;] ret_from_fork+0x10/0x20
  ---[ end trace 0adc2158f0646ead ]---

Signed-off-by: Ole Bjørn Midtbø &lt;omidtbo@cisco.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: hidp: Fix assumptions on the return value of hidp_send_message</title>
<updated>2019-09-06T13:55:40+00:00</updated>
<author>
<name>Dan Elkouby</name>
<email>streetwalkermc@gmail.com</email>
</author>
<published>2019-09-06T11:06:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8bb3537095f107ed55ad51f6241165b397aaafac'/>
<id>8bb3537095f107ed55ad51f6241165b397aaafac</id>
<content type='text'>
hidp_send_message was changed to return non-zero values on success,
which some other bits did not expect. This caused spurious errors to be
propagated through the stack, breaking some drivers, such as hid-sony
for the Dualshock 4 in Bluetooth mode.

As pointed out by Dan Carpenter, hid-microsoft directly relied on that
assumption as well.

Fixes: 48d9cc9d85dd ("Bluetooth: hidp: Let hidp_send_message return number of queued bytes")

Signed-off-by: Dan Elkouby &lt;streetwalkermc@gmail.com&gt;
Reviewed-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Reviewed-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
hidp_send_message was changed to return non-zero values on success,
which some other bits did not expect. This caused spurious errors to be
propagated through the stack, breaking some drivers, such as hid-sony
for the Dualshock 4 in Bluetooth mode.

As pointed out by Dan Carpenter, hid-microsoft directly relied on that
assumption as well.

Fixes: 48d9cc9d85dd ("Bluetooth: hidp: Let hidp_send_message return number of queued bytes")

Signed-off-by: Dan Elkouby &lt;streetwalkermc@gmail.com&gt;
Reviewed-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Reviewed-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: hidp: Let hidp_send_message return number of queued bytes</title>
<updated>2019-08-12T16:23:50+00:00</updated>
<author>
<name>Fabian Henneke</name>
<email>fabian.henneke@gmail.com</email>
</author>
<published>2019-07-15T17:40:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=48d9cc9d85dde37c87abb7ac9bbec6598ba44b56'/>
<id>48d9cc9d85dde37c87abb7ac9bbec6598ba44b56</id>
<content type='text'>
Let hidp_send_message return the number of successfully queued bytes
instead of an unconditional 0.

With the return value fixed to 0, other drivers relying on hidp, such as
hidraw, can not return meaningful values from their respective
implementations of write(). In particular, with the current behavior, a
hidraw device's write() will have different return values depending on
whether the device is connected via USB or Bluetooth, which makes it
harder to abstract away the transport layer.

Signed-off-by: Fabian Henneke &lt;fabian.henneke@gmail.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Let hidp_send_message return the number of successfully queued bytes
instead of an unconditional 0.

With the return value fixed to 0, other drivers relying on hidp, such as
hidraw, can not return meaningful values from their respective
implementations of write(). In particular, with the current behavior, a
hidraw device's write() will have different return values depending on
whether the device is connected via USB or Bluetooth, which makes it
harder to abstract away the transport layer.

Signed-off-by: Fabian Henneke &lt;fabian.henneke@gmail.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: hidp: NUL terminate a string in the compat ioctl</title>
<updated>2019-07-06T11:07:41+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2019-05-16T18:24:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=dcae9052ebb0c5b2614de620323d615fcbfda7f8'/>
<id>dcae9052ebb0c5b2614de620323d615fcbfda7f8</id>
<content type='text'>
This change is similar to commit a1616a5ac99e ("Bluetooth: hidp: fix
buffer overflow") but for the compat ioctl.  We take a string from the
user and forgot to ensure that it's NUL terminated.

I have also changed the strncpy() in to strscpy() in hidp_setup_hid().
The difference is the strncpy() doesn't necessarily NUL terminate the
destination string.  Either change would fix the problem but it's nice
to take a belt and suspenders approach and do both.

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This change is similar to commit a1616a5ac99e ("Bluetooth: hidp: fix
buffer overflow") but for the compat ioctl.  We take a string from the
user and forgot to ensure that it's NUL terminated.

I have also changed the strncpy() in to strscpy() in hidp_setup_hid().
The difference is the strncpy() doesn't necessarily NUL terminate the
destination string.  Either change would fix the problem but it's nice
to take a belt and suspenders approach and do both.

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>treewide: Add SPDX license identifier - Makefile/Kconfig</title>
<updated>2019-05-21T08:50:46+00:00</updated>
<author>
<name>Thomas Gleixner</name>
<email>tglx@linutronix.de</email>
</author>
<published>2019-05-19T12:07:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ec8f24b7faaf3d4799a7c3f4c1b87f6b02778ad1'/>
<id>ec8f24b7faaf3d4799a7c3f4c1b87f6b02778ad1</id>
<content type='text'>
Add SPDX license identifiers to all Make/Kconfig files which:

 - Have no license information of any form

These files fall under the project license, GPL v2 only. The resulting SPDX
license identifier is:

  GPL-2.0-only

Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add SPDX license identifiers to all Make/Kconfig files which:

 - Have no license information of any form

These files fall under the project license, GPL v2 only. The resulting SPDX
license identifier is:

  GPL-2.0-only

Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: hidp: fix buffer overflow</title>
<updated>2019-04-23T17:04:38+00:00</updated>
<author>
<name>Young Xiao</name>
<email>YangX92@hotmail.com</email>
</author>
<published>2019-04-12T07:24:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a1616a5ac99ede5d605047a9012481ce7ff18b16'/>
<id>a1616a5ac99ede5d605047a9012481ce7ff18b16</id>
<content type='text'>
Struct ca is copied from userspace. It is not checked whether the "name"
field is NULL terminated, which allows local users to obtain potentially
sensitive information from kernel stack memory, via a HIDPCONNADD command.

This vulnerability is similar to CVE-2011-1079.

Signed-off-by: Young Xiao &lt;YangX92@hotmail.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Cc: stable@vger.kernel.org
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Struct ca is copied from userspace. It is not checked whether the "name"
field is NULL terminated, which allows local users to obtain potentially
sensitive information from kernel stack memory, via a HIDPCONNADD command.

This vulnerability is similar to CVE-2011-1079.

Signed-off-by: Young Xiao &lt;YangX92@hotmail.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
Cc: stable@vger.kernel.org
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'work.compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs</title>
<updated>2018-10-25T19:48:22+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2018-10-25T19:48:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ba7d4f36a2ec7d6f8d9e5c6cabbc57469dd4dc22'/>
<id>ba7d4f36a2ec7d6f8d9e5c6cabbc57469dd4dc22</id>
<content type='text'>
Pull compat_ioctl fixes from Al Viro:
 "A bunch of compat_ioctl fixes, mostly in bluetooth.

  Hopefully, most of fs/compat_ioctl.c will get killed off over the next
  few cycles; between this, tty series already merged and Arnd's work
  this cycle ought to take a good chunk out of the damn thing..."

* 'work.compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  hidp: fix compat_ioctl
  hidp: constify hidp_connection_add()
  cmtp: fix compat_ioctl
  bnep: fix compat_ioctl
  compat_ioctl: trim the pointless includes
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull compat_ioctl fixes from Al Viro:
 "A bunch of compat_ioctl fixes, mostly in bluetooth.

  Hopefully, most of fs/compat_ioctl.c will get killed off over the next
  few cycles; between this, tty series already merged and Arnd's work
  this cycle ought to take a good chunk out of the damn thing..."

* 'work.compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  hidp: fix compat_ioctl
  hidp: constify hidp_connection_add()
  cmtp: fix compat_ioctl
  bnep: fix compat_ioctl
  compat_ioctl: trim the pointless includes
</pre>
</div>
</content>
</entry>
<entry>
<title>Bluetooth: Remove unnecessary smp_mb__{before,after}_atomic</title>
<updated>2018-09-27T09:59:58+00:00</updated>
<author>
<name>Andrea Parri</name>
<email>andrea.parri@amarulasolutions.com</email>
</author>
<published>2018-08-14T18:41:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5aac49378742a52bbe8af3d25bc51b487be7b17f'/>
<id>5aac49378742a52bbe8af3d25bc51b487be7b17f</id>
<content type='text'>
The barriers are unneeded; wait_woken() and woken_wake_function()
already provide us with the required synchronization: remove them
and document that we're relying on the (implicit) synchronization
provided by wait_woken() and woken_wake_function().

Signed-off-by: Andrea Parri &lt;andrea.parri@amarulasolutions.com&gt;
Reviewed-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The barriers are unneeded; wait_woken() and woken_wake_function()
already provide us with the required synchronization: remove them
and document that we're relying on the (implicit) synchronization
provided by wait_woken() and woken_wake_function().

Signed-off-by: Andrea Parri &lt;andrea.parri@amarulasolutions.com&gt;
Reviewed-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
Signed-off-by: Marcel Holtmann &lt;marcel@holtmann.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>hidp: fix compat_ioctl</title>
<updated>2018-09-10T16:41:07+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2018-08-17T01:55:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=702ec3072ae61cdf018725b353ff043e196548a6'/>
<id>702ec3072ae61cdf018725b353ff043e196548a6</id>
<content type='text'>
1) no point putting it into fs/compat_ioctl.c when you handle it in
your -&gt;compat_ioctl() anyway.
2) HIDPCONNADD is *not* COMPATIBLE_IOCTL() stuff at all - it does
layout massage (pointer-chasing there)
3) use compat_ptr()

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
1) no point putting it into fs/compat_ioctl.c when you handle it in
your -&gt;compat_ioctl() anyway.
2) HIDPCONNADD is *not* COMPATIBLE_IOCTL() stuff at all - it does
layout massage (pointer-chasing there)
3) use compat_ptr()

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</pre>
</div>
</content>
</entry>
</feed>
