Age | Commit message (Collapse) | Author | Files | Lines |
|
commit d180b6496143cd360c5d5f58ae4b9a8229c1f344 upstream.
If an empty buf is received, lbuf is also empty. So lbuf is
accessed by index -1.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: f31a2de3fe36 ("HID: hid-lg4ff: Allow switching of Logitech gaming wheels between compatibility modes")
Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit d9d4b1e46d9543a82c23f6df03f4ad697dab361b upstream.
The syzbot fuzzer found a slab-out-of-bounds write bug in the hid-gaff
driver. The problem is caused by the driver's assumption that the
device must have an input report. While this will be true for all
normal HID input devices, a suitably malicious device can violate the
assumption.
The same assumption is present in over a dozen other HID drivers.
This patch fixes them by checking that the list of hid_inputs for the
hid_device is nonempty before allowing it to be used.
Reported-and-tested-by: syzbot+403741a091bf41d4ae79@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit 5f9242775bb61f390f0885f23fc16397262c7538 upstream.
The syzbot fuzzer found a general protection fault in the HID subsystem:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
CPU: 0 PID: 3715 Comm: syz-executor.3 Not tainted 5.2.0-rc6+ #15
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:__pm_runtime_resume+0x49/0x180 drivers/base/power/runtime.c:1069
Code: ed 74 d5 fe 45 85 ed 0f 85 9a 00 00 00 e8 6f 73 d5 fe 48 8d bd c1 02
00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48
89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 fe 00 00 00
RSP: 0018:ffff8881d99d78e0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000020 RCX: ffffc90003f3f000
RDX: 0000000416d8686d RSI: ffffffff82676841 RDI: 00000020b6c3436a
RBP: 00000020b6c340a9 R08: ffff8881c6d64800 R09: fffffbfff0e84c25
R10: ffff8881d99d7940 R11: ffffffff87426127 R12: 0000000000000004
R13: 0000000000000000 R14: ffff8881d9b94000 R15: ffffffff897f9048
FS: 00007f047f542700(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b30f21000 CR3: 00000001ca032000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
pm_runtime_get_sync include/linux/pm_runtime.h:226 [inline]
usb_autopm_get_interface+0x1b/0x50 drivers/usb/core/driver.c:1707
usbhid_power+0x7c/0xe0 drivers/hid/usbhid/hid-core.c:1234
hid_hw_power include/linux/hid.h:1038 [inline]
hidraw_open+0x20d/0x740 drivers/hid/hidraw.c:282
chrdev_open+0x219/0x5c0 fs/char_dev.c:413
do_dentry_open+0x497/0x1040 fs/open.c:778
do_last fs/namei.c:3416 [inline]
path_openat+0x1430/0x3ff0 fs/namei.c:3533
do_filp_open+0x1a1/0x280 fs/namei.c:3563
do_sys_open+0x3c0/0x580 fs/open.c:1070
do_syscall_64+0xb7/0x560 arch/x86/entry/common.c:301
entry_SYSCALL_64_after_hwframe+0x49/0xbe
It turns out the fault was caused by a bug in the HID Logitech driver,
which violates the requirement that every pathway calling
hid_hw_start() must also call hid_hw_stop(). This patch fixes the bug
by making sure the requirement is met.
Reported-and-tested-by: syzbot+3cbe5cd105d2ad56a1df@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Move ForceFeedback support for the Formula Force GP into hid-lgff4
and re-write HID descriptor, thus allowing combined pedals or not
as user desires.
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Add support for computing a combined accelerator/brake axis for wheels
which don't contain combined data in their HID stream.
This includes DFGT, G25, G27, G29 and Wii-Wheel.
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Add support for reporting a combined accelerator/brake axis for wheels
which contain combined data in their HID stream.
This includes DF, MOMO, MOMO2 and DFP.
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Introduce a dev_attr which can be used to combine the accelerator
and brake pedals into a single axis. This is useful for older games
which can not handle seperate accelerator and brake.
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Use to_hid_device() instead of container_of().
Signed-off-by: Geliang Tang <geliangtang@163.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
to_hid_device() macro is defined in both hid-lg4ff.c and
hid-logitech-hidpp.c. So I move it to include/linux/hid.h.
Signed-off-by: Geliang Tang <geliangtang@163.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
At present the G29 is mis-identified as a DFGT, this patch ensures
that the wheel is correctly detected and allows setting the LEDs and
turning range via the '/sys' interface.
This wheel can also emulate other types of Logitech wheels.
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Simplfy how hid-logitech driver detects the native mode of the wheel,
done by looking at the USB-ID revision and comparing bit mask.
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Allow the driver to continue without sysfs interface. Instead of bailing out
allow the driver to continue in a degraded mode.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Constify those members of lg4ff_device_entry struct whose value is not
supposed to change.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
entry struct
Store pointer to the output HID report struct in the device entry struct.
This eliminates the need to look the HID report struct up every time it is needed.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Protect concurrent access to output HID report with a spinlock. The HID report
structure used to submit commands to wheels is shared amongst all functions that
need to do so and some of these functions can be executed in parallel.
Additionally, lg4ff_play() can be called from interrupt context by ff-memless
module. Locking is necessary to prevent sending bogus data to the wheels.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Stop the hid device from lg4ff. Originally hid-lg was responsible for
stopping of the device.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Make lg4ff_wheel_data a separate structure stored within lg4ff_device_entry.
Adjust the initialization process accordingly.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Update a warning message for a case where device is incorrectly flagged to be
handled by hid-lg4ff in hid-lg. The original warning message was highly
misleading. This warning can be triggered only if a device is flagged to be
handled by hid-lg4ff in hid-lg but hid-lg4ff lacks support for such device.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Explicit casts from void * are not necessary.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Remove unused variable from the "lg4ff_device_entry" struct. This is a leftover
from times where hid_get|set_drvdata() was not available to hid-lg4ff so it had
to keep track of the devices it managed by itself.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
functions prefixed with "lg4ff_"
Replace DEVICE_ATTR_RW with DEVICE_ATTR to have all internal functions prefixed
with "lg4ff_". All internal functions should be prefixed with just "lg4ff_".
Usage of DEVICE_ATTR_RW breaks this scheme because it expects the functions'
names to match the name of the respective sysfs entry.
This partially reverts "2f1cec3250e38609bf9252db52dbbe61603c04a7"
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Remove "hid_" prefix from some functions' names. All internal functions
of hid-lg4ff should be prefixed with just "lg4ff_"
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Remove double underscore prefix from numeric types. This code will never be used
outside the kernel so the prefixes are unnecessary.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Fix "undefined reference" build issue with CONFIG_USB disabled; make the
driver use generic HID API instead.
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
compatibility modes
Allow switching of Logitech gaming wheels between available compatibility modes
through sysfs. This only applies to multimode wheels.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Tested-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
compatibility mode
Introduce a module parameter to disable automatic switch of Logitech gaming
wheels from compatibility to native mode. This only applies to multimode wheels.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Tested-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Display the real wheel model and supported alternate modes through sysfs. This
applies only to multimode wheels.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Tested-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Identify Logitech gaming wheels in compatibility modes accordingly to Logitech
specifications.
Logitech specification contains a general method of identifying various
models of their gaming wheels while they are in "compatibility" mode.
This patch implements the method instead of checking against known
values of bcdDevice. Handling of the mode switch upon initialization is
also adjusted so that the driver does not have to go through the entire
initialization routine because the wheels are set to perform a USB
detach before they reappear in "native" mode.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Tested-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Use the DEVICE_ATTR_RW macro to reduce boiler plate and move the
attribute declaration to get rid of function signatures.
Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
There is no reason to set the range attribute executable to the user and
group, and writable to the group. Fix the permission to 0644.
Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
If the device data is not accessible for some reason, returning 0 will cause the call to be
continuously called again as none of the string has been 'consumed'.
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
In line with practice for module parameters, we're adding a build-time
check that sysfs files aren't world-writable.
Cc: Simon Wood <simon@mungewell.org>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
|
|
It has been reported that there is a new hardware version of the G27
in the 'wild'. This patch add's this new revision so that it can be
sent the command to switch to native mode.
Reported-by: "Ivan Baldo" <ibaldo@adinet.com.uy>
Tested-by: "evilcow" <evilcow93@yahoo.com>
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
The MOMO and MOMO2 wheels have a slightly different autocenter command,
and accept values in the range 0..F (rather than 0..7 for the other wheels).
This patch uses the product ID to determine how to compute the strength.
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Re-arrange code slightly to ensure that device properties are configured
before calling auto-center command.
Reported-by: Michal Malý <madcatxster@prifuk.cz>
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
When 'Constant Force' is set to 0 it is not turned off completely,
the wheel feels 'heavy'. This patch issues the '13 00..' command
to ensure that the force in slot 1 (the Constant Force) is
deactivated.
Reported-by: Elias Vanderstuyft <elias.vds@gmail.com>
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
When the autocenter is set to zero, this patch issues a command to
totally disable the autocenter - this results in less resistance
in the wheel.
Reported-by: Elias Vanderstuyft <elias.vds@gmail.com>
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Adjust the scaling and lineartity to match that of the Windows
driver (from MOMO testing).
Reported-by: Elias Vanderstuyft <elias.vds@gmail.com>
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
A HID device could send a malicious output report that would cause the
lg, lg3, and lg4 HID drivers to write beyond the output report allocation
during an event, causing a heap overflow:
[ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
...
[ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
Additionally, while lg2 did correctly validate the report details, it was
cleaned up and shortened.
CVE-2013-2893
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
'for-3.10/hid-driver-transport-cleanups', 'for-3.10/i2c-hid' and 'for-3.10/logitech' into for-linus
|
|
It has been reported that there is a new version (different USB rev)
of the Logitech DFGT in the 'wild'.
This patch allows the kernel to recognise this wheel and send it the
command to enter native mode.
Reported-by: "Denis Jovic" <djovic78@gmail.com>
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
This allows the hid drivers to be independent from the transport layer.
The patch was constructed by replacing all occurences of
usbhid_submit_report() by its hid_hw_request() counterpart.
Then, drivers not requiring USB_HID anymore have their USB_HID
dependency cleaned in the Kconfig file.
Finally, few drivers still depends on USB_HID. Many of them
are requiring the io wait callback. They are found in the next patch.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
For the sensor-hub part:
Tested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
This patch removes code which is now unnecessary for setting the fuzz/flat
characterics for the logitech DFP wheel. This is now done in the previous
patch by marking the wheel as a multi-axis device.
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Conflicts:
drivers/hid/usbhid/hid-quirks.c
|
|
Fixes a couple of minor coding style issues.
Signed-off-by: Michal Malý <madcatxster@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
The lg4ff driver doesn't fill the "input_absinfo" struct so it is left
with default values. Applications with rely on information in this struct
therefore do not work correctly with the wheel.
Other Logitech wheels probably need this fix too, but again I do not have
enough information to write it.
Signed-off-by: Michal Malý <madcatxster@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Range limiting command for the Driving Force Pro wheel is only a FF_SPRING
effect so that the wheel creates resistance when the user tries to turn it past
the limit. It is however possible to overpower the FFB motors quite easily which
leads to the X axis value exceeding the expected limit. This confuses
games which dynamically adjust calibration using the highest/lowest min and max
values reported by the wheel. Joydev device driver also doesn't take in account
any changes in an axis range after the joystick device is created.
This patch recalculates received ABS_X axis value so it is always in
<0; 16383> range where 0 is the left limit and 16383 the right limit.
Logitech driver for Windows does the same thing. As for any concerns about
possible loss of precision, I compared a large set of raw/adjusted values
generated by "mult_frac" to values returned by the Windows driver and I got
a 100% match.
Other Logitech wheels will probably need a similar fix, but I currently lack
the information needed to write one.
Signed-off-by: Michal Malý <madcatxster@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
This patch replaces all occurrences of "report->field[0]->value[n]" with just
"value[n]" to get rid of the lengthy trains we have now.
Signed-off-by: Michal Malý <madcatxster@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Signed-off-by: Axel Lin <axel.lin@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
'out' label will be unused of CONFIG_LEDS_CLASS is unset.
Move it into conditional block.
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|