<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/drivers/hid, branch v3.12-rc5</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>HID: wiimote: fix FF deadlock</title>
<updated>2013-10-07T15:08:26+00:00</updated>
<author>
<name>David Herrmann</name>
<email>dh.herrmann@gmail.com</email>
</author>
<published>2013-10-02T11:47:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=f50f9aabf32db7414551ffdfdccc71be5f3d6e7d'/>
<id>f50f9aabf32db7414551ffdfdccc71be5f3d6e7d</id>
<content type='text'>
The input core has an internal spinlock that is acquired during event
injection via input_event() and friends but also held during FF callbacks.
That means, there is no way to share a lock between event-injection and FF
handling. Unfortunately, this is what is required for wiimote state
tracking and what we do with state.lock and input-&gt;lock.

This deadlock can be triggered when using continuous data reporting and FF
on a wiimote device at the same time. I takes me at least 30m of
stress-testing to trigger it but users reported considerably shorter
times (http://bpaste.net/show/132504/) when using some gaming-console
emulators.

The real problem is that we have two copies of internal state, one in the
wiimote objects and the other in the input device. As the input-lock is
not supposed to be accessed from outside of input-core, we have no other
chance than offloading FF handling into a worker. This actually works
pretty nice and also allows to implictly merge fast rumble changes into a
single request.

Due to the 3-layered workers (rumble+queue+l2cap) this might reduce FF
responsiveness. Initial tests were fine so lets fix the race first and if
it turns out to be too slow we can always handle FF out-of-band and skip
the queue-worker.

Cc: &lt;stable@vger.kernel.org&gt; # 3.11+
Reported-by: Thomas Schneider
Signed-off-by: David Herrmann &lt;dh.herrmann@gmail.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The input core has an internal spinlock that is acquired during event
injection via input_event() and friends but also held during FF callbacks.
That means, there is no way to share a lock between event-injection and FF
handling. Unfortunately, this is what is required for wiimote state
tracking and what we do with state.lock and input-&gt;lock.

This deadlock can be triggered when using continuous data reporting and FF
on a wiimote device at the same time. I takes me at least 30m of
stress-testing to trigger it but users reported considerably shorter
times (http://bpaste.net/show/132504/) when using some gaming-console
emulators.

The real problem is that we have two copies of internal state, one in the
wiimote objects and the other in the input device. As the input-lock is
not supposed to be accessed from outside of input-core, we have no other
chance than offloading FF handling into a worker. This actually works
pretty nice and also allows to implictly merge fast rumble changes into a
single request.

Due to the 3-layered workers (rumble+queue+l2cap) this might reduce FF
responsiveness. Initial tests were fine so lets fix the race first and if
it turns out to be too slow we can always handle FF out-of-band and skip
the queue-worker.

Cc: &lt;stable@vger.kernel.org&gt; # 3.11+
Reported-by: Thomas Schneider
Signed-off-by: David Herrmann &lt;dh.herrmann@gmail.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>HID: add Holtek USB ID 04d9:a081 SHARKOON DarkGlider</title>
<updated>2013-10-02T15:04:15+00:00</updated>
<author>
<name>Anders F. U. Kiær</name>
<email>ablacksheep@gmail.com</email>
</author>
<published>2013-10-01T17:22:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=7da7cbbbeb60e0939fecdf9723b388136c175e5c'/>
<id>7da7cbbbeb60e0939fecdf9723b388136c175e5c</id>
<content type='text'>
Added id, bindings and comments for Holtek USB ID 04d9:a081 SHARKOON
DarkGlider Gaming mouse to use the same corrections of the report
descriptor as Holtek 04d9:a04a. As the mouse exceed HID_MAX_USAGES
at the same offsets in the reported descriptor.
Tested on the hardware.

Signed-off-by: Anders F. U. Kiær &lt;ablacksheep@gmail.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Added id, bindings and comments for Holtek USB ID 04d9:a081 SHARKOON
DarkGlider Gaming mouse to use the same corrections of the report
descriptor as Holtek 04d9:a04a. As the mouse exceed HID_MAX_USAGES
at the same offsets in the reported descriptor.
Tested on the hardware.

Signed-off-by: Anders F. U. Kiær &lt;ablacksheep@gmail.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>HID: hidraw: close underlying device at removal of last reader</title>
<updated>2013-10-02T15:02:08+00:00</updated>
<author>
<name>Manoj Chourasia</name>
<email>mchourasia@nvidia.com</email>
</author>
<published>2013-10-01T10:09:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=0f5a24c6602063e014ee48892ebf56093241106e'/>
<id>0f5a24c6602063e014ee48892ebf56093241106e</id>
<content type='text'>
Even though device exist bit is set the underlying
HW device should be closed when the last reader
of the device is closed i.e. open count drops to zero.

Signed-off-by: Manoj Chourasia &lt;mchourasia@nvidia.com&gt;
Reported-by: mika.westerberg@linux.intel.com
Tested-by: mika.westerberg@linux.intel.com
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Even though device exist bit is set the underlying
HW device should be closed when the last reader
of the device is closed i.e. open count drops to zero.

Signed-off-by: Manoj Chourasia &lt;mchourasia@nvidia.com&gt;
Reported-by: mika.westerberg@linux.intel.com
Tested-by: mika.westerberg@linux.intel.com
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>HID: roccat: Fix "cannot create duplicate filename" problems</title>
<updated>2013-09-30T08:51:31+00:00</updated>
<author>
<name>Stefan Achatz</name>
<email>erazor_de@users.sourceforge.net</email>
</author>
<published>2013-09-28T03:57:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=550dbf47819239c7ceb27bbd9879e2feb0633aab'/>
<id>550dbf47819239c7ceb27bbd9879e2feb0633aab</id>
<content type='text'>
Fixing some wrong macro stringification/concatenation.

Acked-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Stefan Achatz &lt;erazor_de@users.sourceforge.net&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fixing some wrong macro stringification/concatenation.

Acked-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Stefan Achatz &lt;erazor_de@users.sourceforge.net&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>HID: uhid: allocate static minor</title>
<updated>2013-09-26T09:03:29+00:00</updated>
<author>
<name>David Herrmann</name>
<email>dh.herrmann@gmail.com</email>
</author>
<published>2013-09-09T16:33:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=19872d20c890073c5207d9e02bb8f14d451a11eb'/>
<id>19872d20c890073c5207d9e02bb8f14d451a11eb</id>
<content type='text'>
udev has this nice feature of creating "dead" /dev/&lt;node&gt; device-nodes if
it finds a devnode:&lt;node&gt; modalias. Once the node is accessed, the kernel
automatically loads the module that provides the node. However, this
requires udev to know the major:minor code to use for the node. This
feature was introduced by:

  commit 578454ff7eab61d13a26b568f99a89a2c9edc881
  Author: Kay Sievers &lt;kay.sievers@vrfy.org&gt;
  Date:   Thu May 20 18:07:20 2010 +0200

      driver core: add devname module aliases to allow module on-demand auto-loading

However, uhid uses dynamic minor numbers so this doesn't actually work. We
need to load uhid to know which minor it's going to use.

Hence, allocate a static minor (just like uinput does) and we're good
to go.

Reported-by: Tom Gundersen &lt;teg@jklm.no&gt;
Signed-off-by: David Herrmann &lt;dh.herrmann@gmail.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
udev has this nice feature of creating "dead" /dev/&lt;node&gt; device-nodes if
it finds a devnode:&lt;node&gt; modalias. Once the node is accessed, the kernel
automatically loads the module that provides the node. However, this
requires udev to know the major:minor code to use for the node. This
feature was introduced by:

  commit 578454ff7eab61d13a26b568f99a89a2c9edc881
  Author: Kay Sievers &lt;kay.sievers@vrfy.org&gt;
  Date:   Thu May 20 18:07:20 2010 +0200

      driver core: add devname module aliases to allow module on-demand auto-loading

However, uhid uses dynamic minor numbers so this doesn't actually work. We
need to load uhid to know which minor it's going to use.

Hence, allocate a static minor (just like uinput does) and we're good
to go.

Reported-by: Tom Gundersen &lt;teg@jklm.no&gt;
Signed-off-by: David Herrmann &lt;dh.herrmann@gmail.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid</title>
<updated>2013-09-18T01:54:05+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2013-09-18T01:54:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=84fca9f38c5d646e95cdeef70e41cf15db549b95'/>
<id>84fca9f38c5d646e95cdeef70e41cf15db549b95</id>
<content type='text'>
Pull HID updates from Jiri Kosina:
 "Fixes for CVE-2013-2897, CVE-2013-2895, CVE-2013-2897, CVE-2013-2894,
  CVE-2013-2893, CVE-2013-2891, CVE-2013-2890, CVE-2013-2889.

  All the bugs are triggerable only by specially crafted evil-on-purpose
  HW devices.  Fixes by Kees Cook and Benjamin Tissoires"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
  HID: lenovo-tpkbd: fix leak if tpkbd_probe_tp fails
  HID: multitouch: validate indexes details
  HID: logitech-dj: validate output report details
  HID: validate feature and input report details
  HID: lenovo-tpkbd: validate output report details
  HID: LG: validate HID output report details
  HID: steelseries: validate output report details
  HID: sony: validate HID output report details
  HID: zeroplus: validate output report details
  HID: provide a helper for validating hid reports
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull HID updates from Jiri Kosina:
 "Fixes for CVE-2013-2897, CVE-2013-2895, CVE-2013-2897, CVE-2013-2894,
  CVE-2013-2893, CVE-2013-2891, CVE-2013-2890, CVE-2013-2889.

  All the bugs are triggerable only by specially crafted evil-on-purpose
  HW devices.  Fixes by Kees Cook and Benjamin Tissoires"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
  HID: lenovo-tpkbd: fix leak if tpkbd_probe_tp fails
  HID: multitouch: validate indexes details
  HID: logitech-dj: validate output report details
  HID: validate feature and input report details
  HID: lenovo-tpkbd: validate output report details
  HID: LG: validate HID output report details
  HID: steelseries: validate output report details
  HID: sony: validate HID output report details
  HID: zeroplus: validate output report details
  HID: provide a helper for validating hid reports
</pre>
</div>
</content>
</entry>
<entry>
<title>HID: lenovo-tpkbd: fix leak if tpkbd_probe_tp fails</title>
<updated>2013-09-13T13:15:11+00:00</updated>
<author>
<name>Benjamin Tissoires</name>
<email>benjamin.tissoires@redhat.com</email>
</author>
<published>2013-09-11T19:56:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=0ccdd9e7476680c16113131264ad6597bd10299d'/>
<id>0ccdd9e7476680c16113131264ad6597bd10299d</id>
<content type='text'>
If tpkbd_probe_tp() bails out, the probe() function return an error,
but hid_hw_stop() is never called.

fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1003998

Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires &lt;benjamin.tissoires@redhat.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If tpkbd_probe_tp() bails out, the probe() function return an error,
but hid_hw_stop() is never called.

fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1003998

Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires &lt;benjamin.tissoires@redhat.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>HID: multitouch: validate indexes details</title>
<updated>2013-09-13T13:13:52+00:00</updated>
<author>
<name>Benjamin Tissoires</name>
<email>benjamin.tissoires@redhat.com</email>
</author>
<published>2013-09-11T19:56:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=8821f5dc187bdf16cfb32ef5aa8c3035273fa79a'/>
<id>8821f5dc187bdf16cfb32ef5aa8c3035273fa79a</id>
<content type='text'>
When working on report indexes, always validate that they are in bounds.
Without this, a HID device could report a malicious feature report that
could trick the driver into a heap overflow:

[  634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
...
[  676.469629] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten

Note that we need to change the indexes from s8 to s16 as they can
be between -1 and 255.

CVE-2013-2897

Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires &lt;benjamin.tissoires@redhat.com&gt;
Acked-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When working on report indexes, always validate that they are in bounds.
Without this, a HID device could report a malicious feature report that
could trick the driver into a heap overflow:

[  634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
...
[  676.469629] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten

Note that we need to change the indexes from s8 to s16 as they can
be between -1 and 255.

CVE-2013-2897

Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires &lt;benjamin.tissoires@redhat.com&gt;
Acked-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>HID: logitech-dj: validate output report details</title>
<updated>2013-09-13T13:13:32+00:00</updated>
<author>
<name>Kees Cook</name>
<email>keescook@chromium.org</email>
</author>
<published>2013-09-11T19:56:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=297502abb32e225fb23801fcdb0e4f6f8e17099a'/>
<id>297502abb32e225fb23801fcdb0e4f6f8e17099a</id>
<content type='text'>
A HID device could send a malicious output report that would cause the
logitech-dj HID driver to leak kernel memory contents to the device, or
trigger a NULL dereference during initialization:

[  304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
...
[  304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
[  304.781409] IP: [&lt;ffffffff815d50aa&gt;] logi_dj_recv_send_report.isra.11+0x1a/0x90

CVE-2013-2895

Signed-off-by: Kees Cook &lt;keescook@chromium.org&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires &lt;benjamin.tissoires@gmail.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
A HID device could send a malicious output report that would cause the
logitech-dj HID driver to leak kernel memory contents to the device, or
trigger a NULL dereference during initialization:

[  304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
...
[  304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
[  304.781409] IP: [&lt;ffffffff815d50aa&gt;] logi_dj_recv_send_report.isra.11+0x1a/0x90

CVE-2013-2895

Signed-off-by: Kees Cook &lt;keescook@chromium.org&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires &lt;benjamin.tissoires@gmail.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>HID: validate feature and input report details</title>
<updated>2013-09-13T13:13:22+00:00</updated>
<author>
<name>Benjamin Tissoires</name>
<email>benjamin.tissoires@redhat.com</email>
</author>
<published>2013-09-11T19:56:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=cc6b54aa54bf40b762cab45a9fc8aa81653146eb'/>
<id>cc6b54aa54bf40b762cab45a9fc8aa81653146eb</id>
<content type='text'>
When dealing with usage_index, be sure to properly use unsigned instead of
int to avoid overflows.

When working on report fields, always validate that their report_counts are
in bounds.
Without this, a HID device could report a malicious feature report that
could trick the driver into a heap overflow:

[  634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
...
[  676.469629] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten

CVE-2013-2897

Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires &lt;benjamin.tissoires@redhat.com&gt;
Acked-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When dealing with usage_index, be sure to properly use unsigned instead of
int to avoid overflows.

When working on report fields, always validate that their report_counts are
in bounds.
Without this, a HID device could report a malicious feature report that
could trick the driver into a heap overflow:

[  634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
...
[  676.469629] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten

CVE-2013-2897

Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires &lt;benjamin.tissoires@redhat.com&gt;
Acked-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
</pre>
</div>
</content>
</entry>
</feed>
