s32ton() shifts by n-1 where n is the field's report_size, a value that
comes directly from a HID device. The HID parser bounds report_size
only to <= 256, so a broken HID device can supply a report descriptor
with a wide field that triggers shift exponents up to 256 on a 32-bit
type when an output report is built via hid_output_field() or
hid_set_field().
Commit ec61b41918 ("HID: core: fix shift-out-of-bounds in
hid_report_raw_event") added the same n > 32 clamp to the function
snto32(), but s32ton() was never given the same fix as I guess syzbot
hadn't figured out how to fuzz a device the same way.
Fix this up by just clamping the max value of n, just like snto32()
does.
Cc: stable <stable@kernel.org>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Benjamin Tissoires <bentiss@kernel.org>
Cc: linux-input@vger.kernel.org
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Commit d7db259bd6 ("HID: core: factor out hid_parse_collections()")
reworked collection parsing code and inadvertently allowed returning
"success" when parsing 0-sized reports where old code returned -EINVAL.
Restore the original behavior by doing an explicit check.
Note that the error message now differs from the generic "item fetching
failed at offset %u/%u" that is now used only for non-empty descriptors.
Fixes: d7db259bd6 ("HID: core: factor out hid_parse_collections()")
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
In preparation to making use of __free(...) cleanup facilities to
clean up temporary buffers, factor out code parsing collections into
a separate function to make the code simpler.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Add support for HID devices that report multiple batteries, each
identified by its report ID.
The hid_device->battery pointer is replaced with a batteries list.
Batteries are named using the pattern hid-{uniq}-battery-{report_id}.
The hid_get_battery() helper returns the first battery in the list for
backwards compatibility with single-battery drivers.
Signed-off-by: Lucas Zampieri <lcasmz54@gmail.com>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEL65usyKPHcrRDEicpmLzj2vtYEkFAmm5t3QACgkQpmLzj2vt
YEk90hAArhy85Gy5uTQwdj5TVnGIwVH5+twiOz4S0If396duQGfK3MY+c+jzW2kO
7UI2uWV4tgXJGSoK1kTuQ3IXGgUDGofbaQ15nltpibQ4c+3whcDmMRICGIA/OqCk
FmHHAV264Y5y6bapG7VvT8PLv0N+TtGV4G4LhQv90eObnRXXnc0m+H0s2IObr2py
aBJgmgFQQ3DMWddX5DMatMd6M6e+2kJHY3X/41youvbvVJoWtqrJQEKIB19HDR8o
9GkEjn4GLMPZ6hPlTJCnkRn7zfRWQ3MvUMft1kCdVtpOlqvftHoBrXvP6X1YDtPR
Hy07HkH1Jpq0zI6AYyKj7f36oasnnNCm4ZFijn2RBx2chmKEUrpz2fSJ4aS5YU81
QqhOjVR+euYL7kQ1UtoFGNwOhBHKWcJr5AezxxUNwn4SJ1bl8TGB63OEt2/1GI8/
L1PMMAgHnxUAlJui38PfeiXboUeS9bfPiJd20FnGzCghsdvk6a+W9oWz+2yhs+Fy
csm1MvcxhZZ7ugXPmscE/U6iLueaqlj42dQ+wkm6sh8aYKS+9eIlIgNpu4Q9Z//e
LZGPOjx+jDWiqqTBmXke7hGMXHNXHRbWDLWlE+Du4XS5sfKwTDRKXs+g3MWI/nVf
gHvuHuKQvrQHiAcnWH0fNJbsHaGExpWWAbb+yoWCJHJAU3vj7ek=
=1U5m
-----END PGP SIGNATURE-----
Merge tag 'hid-for-linus-2026031701' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid
Pull HID fixes from Jiri Kosina:
- various fixes dealing with (intentionally) broken devices in HID
core, logitech-hidpp and multitouch drivers (Lee Jones)
- fix for OOB in wacom driver (Benoît Sevens)
- fix for potentialy HID-bpf-induced buffer overflow in () (Benjamin
Tissoires)
- various other small fixes and device ID / quirk additions
* tag 'hid-for-linus-2026031701' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
HID: multitouch: Check to ensure report responses match the request
HID: logitech-hidpp: Prevent use-after-free on force feedback initialisation failure
HID: bpf: prevent buffer overflow in hid_hw_request
selftests/hid: fix compilation when bpf_wq and hid_device are not exported
HID: core: Mitigate potential OOB by removing bogus memset()
HID: intel-thc-hid: Set HID_PHYS with PCI BDF
HID: appletb-kbd: add .resume method in PM
HID: logitech-hidpp: Enable MX Master 4 over bluetooth
HID: input: Add HID_BATTERY_QUIRK_DYNAMIC for Elan touchscreens
HID: input: Drop Asus UX550* touchscreen ignore battery quirks
HID: asus: add xg mobile 2022 external hardware support
HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
The memset() in hid_report_raw_event() has the good intention of
clearing out bogus data by zeroing the area from the end of the incoming
data string to the assumed end of the buffer. However, as we have
previously seen, doing so can easily result in OOB reads and writes in
the subsequent thread of execution.
The current suggestion from one of the HID maintainers is to remove the
memset() and simply return if the incoming event buffer size is not
large enough to fill the associated report.
Suggested-by Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Lee Jones <lee@kernel.org>
[bentiss: changed the return value]
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Userspace software fwupd probes some HID devices when the daemon starts
up to determine the current firmware version in order to be able to offer
updated firmware if the manufacturer has made it available.
In order to do this fwupd will detach the existing kernel driver if one
is present, send a HID command and then reattach the kernel driver.
This can be problematic if the user is using the HID device at the time
that fwupd probes the hardware and can cause a few frames of input to be
dropped. In some cases HID drivers already have a command to look up the
firmware version, and so if that is exported to userspace fwupd can
discover it and avoid needing to detach the kernel driver until it's time
to update the device.
Introduce a new member in the struct hid_device for the version and export
a new uevent variable HID_FIRMWARE_VERSION that will display the version
that HID drivers obtained.
Reviewed-by: Derek J. Clark <derekjohn.clark@gmail.com>
Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Cc: Richard Hughes <hughsient@gmail.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
This was done entirely with mindless brute force, using
git grep -l '\<k[vmz]*alloc_objs*(.*, GFP_KERNEL)' |
xargs sed -i 's/\(alloc_objs*(.*\), GFP_KERNEL)/\1)/'
to convert the new alloc_obj() users that had a simple GFP_KERNEL
argument to just drop that argument.
Note that due to the extreme simplicity of the scripting, any slightly
more complex cases spread over multiple lines would not be triggered:
they definitely exist, but this covers the vast bulk of the cases, and
the resulting diff is also then easier to check automatically.
For the same reason the 'flex' versions will be done as a separate
conversion.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This is the result of running the Coccinelle script from
scripts/coccinelle/api/kmalloc_objs.cocci. The script is designed to
avoid scalar types (which need careful case-by-case checking), and
instead replace kmalloc-family calls that allocate struct or union
object instances:
Single allocations: kmalloc(sizeof(TYPE), ...)
are replaced with: kmalloc_obj(TYPE, ...)
Array allocations: kmalloc_array(COUNT, sizeof(TYPE), ...)
are replaced with: kmalloc_objs(TYPE, COUNT, ...)
Flex array allocations: kmalloc(struct_size(PTR, FAM, COUNT), ...)
are replaced with: kmalloc_flex(*PTR, FAM, COUNT, ...)
(where TYPE may also be *VAR)
The resulting allocations no longer return "void *", instead returning
"TYPE *".
Signed-off-by: Kees Cook <kees@kernel.org>
When a BPF gets loaded, it was previously not possible to bind a
hid-generic device to hid-multitouch because the group was never
updated.
This change forces a rescan of the report descriptor after a bpf is
loaded/unloaded so we set up the proper group.
This was detected while Peter was trying to fix a Viewsonic device: the
HID device sending multiotuch data through a proprietary collection was
handled by hid-generic, and we don't have any way of attaching it to
hid-multitouch because the pre-scanning wasn't able to see the Contact
ID HID usage.
Suggested-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
When we load a bpf, we can change the report descriptor. However, the
current implementation doesn't change the group meaning that we can not
rebind a device from hid-generic to hid-multitouch.
This is a preparatory patch to force a rescan of the device after the
bpf has been loaded.
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEL65usyKPHcrRDEicpmLzj2vtYEkFAmiL2DAACgkQpmLzj2vt
YEk9aRAApXAYs/LNZ6hS2FvqxSKJhThLEm4sib6CvdQ82Er92aqrZEutkpb8Rq0/
KMPLYTv9QsZgFKilZJnxIRwZRpy37C7SGO8Y3PSARpakxpCPe76RyqcY+DghrB9+
kBRUzfDq9JR8RM8lcxw5dgEjgI3cz/5gS8OFh/LOVqe2nqub3U3Dr2kQkDE3DSiG
BqIPhIG//TW0al6IxJQVL59egzVqzzqcgK/efBwT7WjToaCjXuZTClDiKASVLcmW
p/xvsPjIBeVuEdOTfboiHowOs3RyXa3zWlHS76/x9JXVDPOrPcleJyoxEedU4BBG
selhkdVEYcCOYMlzz7/p1BrIkkpczWfye5rSGQ05qmOeApMAxicKRp0DfTLm0EGa
bdmDLIncSBRBb5iATrRS+rQcV6PSzLCaB9+rGiWS/EQPFCKh54SZSNvl5rw0WCHY
+b9zmxmr2KG7B8eQQXx0/x6RNCC3gANqkVO4+TXamcGhJaoW2M0+xT9tzid0sL+S
Y7t5C8T4KoI4dc2be76KNs/LlR6F5LK1E0HTkapdG+ZoiLc/PsqK0pnGc0aXd+/z
Ee246MZEMsURgOEA68dEm4XBdh2xp9xVZIsZtaWcfSSQZJnfpx89v9Tl4MUlfqzj
8BPLeYxxg9gxfxpGcP+oGMjXbeKDjSbmRJroOP4jw/WdPZ2rs0s=
=kYcB
-----END PGP SIGNATURE-----
Merge tag 'hid-for-linus-2025073101' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid
Pull HID updates from Jiri Kosina:
- hardening of HID core parser against conversion to 0 bits in s32ton()
by buggy/malicious devices (Alan Stern)
- fix for potential NULL pointer dereference in hid-apple that could be
caused by malicious device with APPLE_MAGIC_BACKLIGHT quirk present
triggering overflow in data field (Qasim Ijaz)
- support for Wake-on-touch in intel-thc (Even Xu)
- support for "Input max input size control" and "Input interrupt
delay" I2C features in order to improve compatibility of THC devices
with legacy HIDI2C touch devices (Even Xu)
- support for Touch Bars on x86 MacBook Pros (Kerem Karabay)
- support for XP-PEN Artist 22R Pro (Joshua Goins)
- third party trackpart support for MacBookPro15,1 (Aditya Garg)
- Apple Magic Keyboard A311[89] USB-C support (Aditya Garg, Grigorii
Sokoli)
- support for operating modes in amd-sfh (Basavaraj Natikar)
- avoid setting up battery timer for Apple and Magicmouse devices
without battery (Aditya Garg)
- fix for behavior of the hid-mcp2221 driver for !CONFIG_IIO cases
(Heiko Schocher)
- other assorted fixups and device ID additions
* tag 'hid-for-linus-2025073101' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid: (54 commits)
HID: core: Harden s32ton() against conversion to 0 bits
HID: apple: validate feature-report field count to prevent NULL pointer dereference
HID: core: Improve the kerneldoc for hid_report_len()
selftests/hid: sync python tests to hid-tools 0.10
selftests/hid: sync the python tests to hid-tools 0.8
selftests/hid: run ruff format on the python part
HID: magicmouse: use secs_to_jiffies() for battery timeout
HID: apple: use secs_to_jiffies() for battery timeout
HID: magicmouse: avoid setting up battery timer when not needed
HID: apple: avoid setting up battery timer for devices without battery
HID: amd_sfh: Enable operating mode
HID: uclogic: Add support for XP-PEN Artist 22R Pro
HID: rate-limit hid_warn to prevent log flooding
HID: replace scnprintf() with sysfs_emit()
HID: uclogic: make read-only array reconnect_event static const
HID: mcp-2221: Replace manual comparison with min() macro
HID: intel-thc-hid: Separate max input size control conditional list
HID: mcp2221: set gpio pin mode
HID: multitouch: add device ID for Apple Touch Bar
HID: multitouch: specify that Apple Touch Bar is direct
...
- DEBUGFS
- Remove unneeded debugfs_file_{get,put}() instances
- Remove last remnants of debugfs_real_fops()
- Allow storing non-const void * in struct debugfs_inode_info::aux
- SYSFS
- Switch back to attribute_group::bin_attrs (treewide)
- Switch back to bin_attribute::read()/write() (treewide)
- Constify internal references to 'struct bin_attribute'
- Support cache-ids for device-tree systems
- Add arch hook arch_compact_of_hwid()
- Use arch_compact_of_hwid() to compact MPIDR values on arm64
- Rust
- Device
- Introduce CoreInternal device context (for bus internal methods)
- Provide generic drvdata accessors for bus devices
- Provide Driver::unbind() callbacks
- Use the infrastructure above for auxiliary, PCI and platform
- Implement Device::as_bound()
- Rename Device::as_ref() to Device::from_raw() (treewide)
- Implement fwnode and device property abstractions
- Implement example usage in the Rust platform sample driver
- Devres
- Remove the inner reference count (Arc) and use pin-init instead
- Replace Devres::new_foreign_owned() with devres::register()
- Require T to be Send in Devres<T>
- Initialize the data kept inside a Devres last
- Provide an accessor for the Devres associated Device
- Device ID
- Add support for ACPI device IDs and driver match tables
- Split up generic device ID infrastructure
- Use generic device ID infrastructure in net::phy
- DMA
- Implement the dma::Device trait
- Add DMA mask accessors to dma::Device
- Implement dma::Device for PCI and platform devices
- Use DMA masks from the DMA sample module
- I/O
- Implement abstraction for resource regions (struct resource)
- Implement resource-based ioremap() abstractions
- Provide platform device accessors for I/O (remap) requests
- Misc
- Support fallible PinInit types in Revocable
- Implement Wrapper<T> for Opaque<T>
- Merge pin-init blanket dependencies (for Devres)
- Misc
- Fix OF node leak in auxiliary_device_create()
- Use util macros in device property iterators
- Improve kobject sample code
- Add device_link_test() for testing device link flags
- Fix typo in Documentation/ABI/testing/sysfs-kernel-address_bits
- Hint to prefer container_of_const() over container_of()
-----BEGIN PGP SIGNATURE-----
iHQEABYKAB0WIQS2q/xV6QjXAdC7k+1FlHeO1qrKLgUCaIjkhwAKCRBFlHeO1qrK
LpXuAP9RWwfD9ZGgQZ9OsMk/0pZ2mDclaK97jcmI9TAeSxeZMgD1FHnOMTY7oSIi
iG7Muq0yLD+A5gk9HUnMUnFNrngWCg==
=jgRj
-----END PGP SIGNATURE-----
Merge tag 'driver-core-6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core
Pull driver core updates from Danilo Krummrich:
"debugfs:
- Remove unneeded debugfs_file_{get,put}() instances
- Remove last remnants of debugfs_real_fops()
- Allow storing non-const void * in struct debugfs_inode_info::aux
sysfs:
- Switch back to attribute_group::bin_attrs (treewide)
- Switch back to bin_attribute::read()/write() (treewide)
- Constify internal references to 'struct bin_attribute'
Support cache-ids for device-tree systems:
- Add arch hook arch_compact_of_hwid()
- Use arch_compact_of_hwid() to compact MPIDR values on arm64
Rust:
- Device:
- Introduce CoreInternal device context (for bus internal methods)
- Provide generic drvdata accessors for bus devices
- Provide Driver::unbind() callbacks
- Use the infrastructure above for auxiliary, PCI and platform
- Implement Device::as_bound()
- Rename Device::as_ref() to Device::from_raw() (treewide)
- Implement fwnode and device property abstractions
- Implement example usage in the Rust platform sample driver
- Devres:
- Remove the inner reference count (Arc) and use pin-init instead
- Replace Devres::new_foreign_owned() with devres::register()
- Require T to be Send in Devres<T>
- Initialize the data kept inside a Devres last
- Provide an accessor for the Devres associated Device
- Device ID:
- Add support for ACPI device IDs and driver match tables
- Split up generic device ID infrastructure
- Use generic device ID infrastructure in net::phy
- DMA:
- Implement the dma::Device trait
- Add DMA mask accessors to dma::Device
- Implement dma::Device for PCI and platform devices
- Use DMA masks from the DMA sample module
- I/O:
- Implement abstraction for resource regions (struct resource)
- Implement resource-based ioremap() abstractions
- Provide platform device accessors for I/O (remap) requests
- Misc:
- Support fallible PinInit types in Revocable
- Implement Wrapper<T> for Opaque<T>
- Merge pin-init blanket dependencies (for Devres)
Misc:
- Fix OF node leak in auxiliary_device_create()
- Use util macros in device property iterators
- Improve kobject sample code
- Add device_link_test() for testing device link flags
- Fix typo in Documentation/ABI/testing/sysfs-kernel-address_bits
- Hint to prefer container_of_const() over container_of()"
* tag 'driver-core-6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core: (84 commits)
rust: io: fix broken intra-doc links to `platform::Device`
rust: io: fix broken intra-doc link to missing `flags` module
rust: io: mem: enable IoRequest doc-tests
rust: platform: add resource accessors
rust: io: mem: add a generic iomem abstraction
rust: io: add resource abstraction
rust: samples: dma: set DMA mask
rust: platform: implement the `dma::Device` trait
rust: pci: implement the `dma::Device` trait
rust: dma: add DMA addressing capabilities
rust: dma: implement `dma::Device` trait
rust: net::phy Change module_phy_driver macro to use module_device_table macro
rust: net::phy represent DeviceId as transparent wrapper over mdio_device_id
rust: device_id: split out index support into a separate trait
device: rust: rename Device::as_ref() to Device::from_raw()
arm64: cacheinfo: Provide helper to compress MPIDR value into u32
cacheinfo: Add arch hook to compress CPU h/w id into 32 bits for cache-id
cacheinfo: Set cache 'id' based on DT data
container_of: Document container_of() is not to be used in new code
driver core: auxiliary bus: fix OF node leak
...
This includes lots of file shuffling due to HD-audio code
reorganization and many trivial changes, but otherwise there shouldn't
be much surprise from the functionality POV. The PR includes the PM
changes as prerequisite, too. Some highlights below:
Core:
- Performance optimizations in PCM core code
- Refactoring of ASoC Kconfig menus to be hopefully more consistant
and easier to navigate.
- Refactoring of ASoC DAPM code, mainly hiding functionality that
doesn't need to be exposed to drivers
HD-audio reorganization:
- All code are moved under sound/hda with a bit more understandable
tree structure, as well as file renames
- The huge Realtek driver code is split to several parts, a common
helper module with driver modules per probe entry
- HDMI and Cirrus codec drivers also split
ASoC:
- Further work on the generic handling for SoundWire SDCA devices
- Support for AMD ACP7.2 and SoundWire on ACP 7.1, Fairphone 4 & 5,
various Intel systems, Qualcomm QCS8275, Richtek RTQ9124 and TI
TAS5753
HD-audio and USB-audio:
- TAS2781 driver cleanup and TAS2770 support
- EQ enablement in CA0132 driver
- USB audio quirk code cleanups
Others:
- Cleanups of PM autosuspend call patterns with the update from the PM
tree
- Lots of strcpy() -> strscpy() conversions for fixed size arrays
-----BEGIN PGP SIGNATURE-----
iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAmiDUeAOHHRpd2FpQHN1
c2UuZGUACgkQLtJE4w1nLE8lWRAAmJtKS6FtI9AuiXqcZBtngw1W19gZdWNhxoIo
nYB4YwSVl8glbji/BnVplO2hI1MD+BXWad46+Og2DROzNr6E4HS0eEbNut8UzfbU
mhFsw2BQ3B4sRK2qyqimuQiJYcdVflk2ixj6VVBqu3fPwWPXQ3dOkZgwo4bUubuT
I2Rh/yGrFoAJSviUU8TZGX7Qqv4euhiMmvtFREDHh3PsH5LREy8BcimuACA+qlt1
LvEjW9lMAHOcjq7Kh5N1BD7vRH190KOYh0qgtwswy3oCUI1qLlk3SlSGX9V/I5W7
zQbClitA595SwdUh39b2nf6wp/hgFu3jx05yOA6it4cxmcM3ejfKMHp1ASyZxupl
d9tJK0GTztDT4tANmWzIrar3A/zHw1dOW5HWbbU77U7onxILRbdvmO4wP+iZSlL4
NSQcoyhmMvDe9ti2JQ6BNdjekeaH1Tq+bvMK8G04kqhl1x5GM8IYDIMU7Bw29Hw8
PFaY67wJTI6muQD/7iIEFKglYDkuROFSaXRJbaMEgWyKvgjmU1RzJCOShzymAfNV
EZBvfLC1ennZfTdOmZ/4nFUioKRWwDelO1c3Ab6gjwn4I7e5Th9GZqSrP3Vh8zcu
Dz/ayOIxmmnlDxufSZHvoPNkzCPeV0IDpmSnqy6aDZ4bpnA6yp9+a7zArROVLWqI
+zz8tIM=
=Wr97
-----END PGP SIGNATURE-----
Merge tag 'sound-6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound updates from Takashi Iwai:
"This includes lots of file shuffling due to HD-audio code
reorganization and many trivial changes, but otherwise there shouldn't
be much surprise from the functionality POV. The PR includes the PM
changes as prerequisite, too. Some highlights below:
Core:
- Performance optimizations in PCM core code
- Refactoring of ASoC Kconfig menus to be hopefully more consistant
and easier to navigate.
- Refactoring of ASoC DAPM code, mainly hiding functionality that
doesn't need to be exposed to drivers
HD-audio reorganization:
- All code are moved under sound/hda with a bit more understandable
tree structure, as well as file renames
- The huge Realtek driver code is split to several parts, a common
helper module with driver modules per probe entry
- HDMI and Cirrus codec drivers also split
ASoC:
- Further work on the generic handling for SoundWire SDCA devices
- Support for AMD ACP7.2 and SoundWire on ACP 7.1, Fairphone 4 & 5,
various Intel systems, Qualcomm QCS8275, Richtek RTQ9124 and TI
TAS5753
HD-audio and USB-audio:
- TAS2781 driver cleanup and TAS2770 support
- EQ enablement in CA0132 driver
- USB audio quirk code cleanups
Others:
- Cleanups of PM autosuspend call patterns with the update from the
PM tree
- Lots of strcpy() -> strscpy() conversions for fixed size arrays"
* tag 'sound-6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (385 commits)
ALSA: hda: Add TAS2770 support
ASoC: qcom: sm8250: Add Fairphone 4 soundcard compatible
ASoC: dt-bindings: qcom,sm8250: Add Fairphone 4 sound card
ASoC: dt-bindings: qcom,q6afe: Document q6usb subnode
ASoC: SDCA: Fix implicit cast from le16
ASoC: SDCA: Shrink detected_mode_handler() stack frame
ASoC: SDCA: Check devm_mutex_init() return value
ASoC: SDCA: add route by the number of input pins in MU entity
ALSA: hda/realtek: Add support for ASUS Commercial laptops using CS35L41 HDA
ASoC: Intel: sof_rt5682: Add HDMI-In capture with rt5682 support for PTL.
ASoC: codec: tlv320aic32x4: Fix reset GPIO check
ASoC: dt-bindings: qcom,lpass-va-macro: Define clock-names in top-level
ASoC: SDCA: Add hw_params() helper function
ASoC: SDCA: Add a helper to get the SoundWire port number
ASoC: SDCA: Add helper to add DAI constraints
ASoC: soc-dai: Add private data to snd_soc_dai
ASoC: SDCA: Move SDCA search functions and export
ASoC: SDCA: Remove overly chatty input pin list warning
ASoC: SDCA: Allow read-only controls to be deferrable
ASoC: SDCA: Update memory allocations to zero initialise
...
The low level transport driver expects the first byte to be the report
ID, even when the report ID is not use (in which case they just shift
the buffer).
However, __hid_request() whas not offsetting the buffer it used by one
in this case, meaning that the raw_request() callback emitted by the
transport driver would be stripped of the first byte.
Note: this changes the API for uhid devices when a request is made
through hid_hw_request. However, several considerations makes me think
this is fine:
- every request to a HID device made through hid_hw_request() would see
that change, but every request made through hid_hw_raw_request()
already has the new behaviour. So that means that the users are
already facing situations where they might have or not the first byte
being the null report ID when it is 0. We are making things more
straightforward in the end.
- uhid is mainly used for BLE devices
- uhid is also used for testing, but I don't see that change a big issue
- for BLE devices, we can check which kernel module is calling
hid_hw_request()
- and in those modules, we can check which are using a Bluetooth device
- and then we can check if the command is used with a report ID or not.
- surprise: none of the kernel module are using a report ID 0
- and finally, bluez, in its function set_report()[0], does the same
shift if the report ID is 0 and the given buffer has a size > 0.
[0] https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/profiles/input/hog-lib.c#n879
Reported-by: Alan Stern <stern@rowland.harvard.edu>
Closes: https://lore.kernel.org/linux-input/c75433e0-9b47-4072-bbe8-b1d14ea97b13@rowland.harvard.edu/
Reported-by: syzbot+8258d5439c49d4c35f43@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8258d5439c49d4c35f43
Tested-by: syzbot+8258d5439c49d4c35f43@syzkaller.appspotmail.com
Fixes: 4fa5a7f76c ("HID: core: implement generic .request()")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250710-report-size-null-v2-2-ccf922b7c4e5@kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Syzkaller can create many uhid devices that trigger
repeated warnings like:
"hid-generic xxxx: unknown main item tag 0x0"
These messages can flood the system log, especially if a crash occurs
(e.g., with a slow UART console, leading to soft lockups). To mitigate
this, convert `hid_warn()` to use `dev_warn_ratelimited()`.
This helps reduce log noise and improves system stability under fuzzing
or faulty device scenarios.
Signed-off-by: Li Chen <chenl311@chinatelecom.cn>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
SDCA (SoundWire Device Class for Audio) uses HID to convey
input events from peripheral devices. Add a bus define for the
SoundWire bus to prepare support for this.
Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Signed-off-by: Shuming Fan <shumingf@realtek.com>
Acked-by: Jiri Kosina <jkosina@suse.com>
Link: https://patch.msgid.link/20250616114907.855452-1-shumingf@realtek.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Documentation/filesystems/sysfs.rst mentions that show() should only
use sysfs_emit() or sysfs_emit_at() when formating the value to be
returned to user space. So replace scnprintf() with sysfs_emit().
Signed-off-by: Chelsy Ratnawat <chelsyratnawat2001@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Adds a new function to the hid_driver struct that is called when the
userspace starts using the device, and another one that is called when
userspace stop using the device. With this a hid driver can implement
special suspend handling for devices currently not in use.
Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Link: https://patch.msgid.link/20250211133950.422232-1-wse@tuxedocomputers.com
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
For main items, separate warning of reserved item tag from
warning of unknown item tag.
This comes from 6.2.2.4 Main Items of Device Class Definition
for HID 1.11 specification.
Signed-off-by: Tatsuya S <tatsuya.s2862@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
- hid-core fix for long-standing cornercase of Resolution Multiplier not being
present in any of the Logical Collections in the device HID report descriptor
(Alan Stern)
A report in 2019 by the syzbot fuzzer was found to be connected to two
errors in the HID core associated with Resolution Multipliers. One of
the errors was fixed by commit ea427a222d ("HID: core: Fix deadloop
in hid_apply_multiplier."), but the other has not been fixed.
This error arises because hid_apply_multipler() assumes that every
Resolution Multiplier control is contained in a Logical Collection,
i.e., there's no way the routine can ever set multiplier_collection to
NULL. This is in spite of the fact that the function starts with a
big comment saying:
* "The Resolution Multiplier control must be contained in the same
* Logical Collection as the control(s) to which it is to be applied.
...
* If no Logical Collection is
* defined, the Resolution Multiplier is associated with all
* controls in the report."
* HID Usage Table, v1.12, Section 4.3.1, p30
*
* Thus, search from the current collection upwards until we find a
* logical collection...
The comment and the code overlook the possibility that none of the
collections found may be a Logical Collection.
The fix is to set the multiplier_collection pointer to NULL if the
collection found isn't a Logical Collection.
Reported-by: syzbot+ec5f884c4a135aa0dbb9@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000109c040597dc5843@google.com/
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Cc: Peter Hutterer <peter.hutterer@who-t.net>
Fixes: 5a4abb36f3 ("HID: core: process the Resolution Multiplier")
Cc: stable@vger.kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.com>
The sysfs core now allows instances of 'struct bin_attribute' to be
moved into read-only memory. Make use of that to protect them against
accidental or malicious modifications.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Save some lines of code and prepare for the constification of
'struct bin_attribute'.
Also align the definitions within the source file.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
This reverts commit 6fd47effe9, and the related self-test update
commit e14e0eaeb0 ("selftests/hid: add test for assigning a given
device to hid-generic").
It results in things like the scroll wheel on Logitech mice not working
after a reboot due to the kernel being confused about the state of the
high-resolution mode.
Quoting Benjamin Tissoires:
"The idea of 6fd47effe9 was to be able to call hid_bpf_rdesc_fixup()
once per reprobe of the device.
However, because the bpf filter can now change the quirk value, the
call had to be moved before the driver gets bound (which was
previously ensuring the unicity of the call).
The net effect is that now, in the case hid-generic gets loaded first
and then the specific driver gets loaded once the disk is available,
the value of ->quirks is not reset, but kept to the value that was set
by hid-generic (HID_QUIRK_INPUT_PER_APP).
Once hid-logitech-hidpp kicks in, that quirk is now set, which creates
two inputs for the single mouse: one keyboard for fancy shortcuts, and
one mouse node.
However, hid-logitech-hidpp expects only one input node to be attached
(it stores it into hidpp->input), and when a wheel event is received,
because there is some processing with high-resolution wheel events,
the wheel event is injected into hidpp->input.
And of course, when HID_QUIRK_INPUT_PER_APP is set, hidpp->input gets
the keyboard node, which doesn't have wheel event type, and the events
are ignored"
Reported-and-bisected-by: Mike Galbraith <efault@gmx.de>
Link: https://lore.kernel.org/all/CAHk-=wiUkQM3uheit2cNM0Y0OOY5qqspJgC8LkmOkJ2p2LDxcw@mail.gmail.com/
Acked-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Since the report buffer is used by all kinds of drivers in various ways, let's
zero-initialize it during allocation to make sure that it can't be ever used
to leak kernel memory via specially-crafted report.
Fixes: 27ce405039 ("HID: fix data access in implement()")
Reported-by: Benoît Sevens <bsevens@google.com>
Acked-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
A default case statement with a bare unreachable() was recently added to
fetch_item(), which by itself introduces undefined behavior. objtool
points this out with a few different warnings, depending on
configuration and compiler:
vmlinux.o: warning: objtool: fetch_item() falls through to next function ...
vmlinux.o: warning: objtool: hid_open_report() falls through to next function hid_parser_main()
vmlinux.o: warning: objtool: hid_scan_report() falls through to next function hid_allocate_device()
vmlinux.o: warning: objtool: hid_open_report+0x21b: can't find jump dest instruction at .text.hid_open_report+0x40f
Replacing unreachable() with BUG() is a typical fix to eliminate the
undefined behavior and make the default case well defined. However, in
this case, all possible values are enumerated in the switch statement,
so the default case can never actually happen, as proven with the
comment next to the item->size assignment. Just remove the default case
altogether, as the return statement would still be valid if the switch
statement were ever to be skipped.
Fixes: 61595012f2 ("HID: simplify code in fetch_item()")
Suggested-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Closes: https://lore.kernel.org/20241010222451.GA3571761@thelio-3990X/
Reported-by: Paul E. McKenney <paulmck@kernel.org>
Closes: https://lore.kernel.org/fe8c909e-bf02-4466-b3eb-0a4747df32e3@paulmck-laptop/
Tested-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
We already have the possibility to force not binding to hid-generic and
rely on a dedicated driver, but we couldn't do the other way around.
This is useful for BPF programs where we are fixing the report descriptor
and the events, but want to avoid a specialized driver to come after BPF
which would unwind everything that is done there.
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Link: https://patch.msgid.link/20241001-hid-bpf-hid-generic-v3-8-2ef1019468df@kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
This allows to give more control from BPF during report descriptor fixup.
We already reset the quirks before calling ->probe(), so now we reset
it once before calling hid_bpf_rdesc_fixup().
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Link: https://patch.msgid.link/20241001-hid-bpf-hid-generic-v3-4-2ef1019468df@kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
That last kmemdup while opening the report descriptor was required to
have a common kfree() on it.
Move that kmemdup in the only special case it's required (if there is a
.report_fixup()), and add a more elaborated check before freeing
hdev->rdesc, to avoid a double free.
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Link: https://patch.msgid.link/20241001-hid-bpf-hid-generic-v3-3-2ef1019468df@kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Turns out the first kmemdup is only required for the .report_fixup()
driver callback. There is no need to do two kmemdup() in a row in case
.report_fixup() is not present.
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Link: https://patch.msgid.link/20241001-hid-bpf-hid-generic-v3-2-2ef1019468df@kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Currently, hid_bpf_rdesc_fixup() is called once the match between the
HID device and the driver is done. This can be problematic in case
the driver selected by the kernel would change the report descriptor
after the fact.
To give a chance for hid_bpf_rdesc_fixup() to provide hints on to how
to select a dedicated driver or not, move the call to that BPF hook
earlier in the .probe() process, when we get the first match.
However, this means that we might get called more than once (typically
once for hid-generic, and once for hid-vendor-specific). So we store the
result of HID-BPF fixup in struct hid_device. Basically, this means that
->bpf_rdesc can replace ->dev_rdesc when it was used in the code.
In order to not grow struct hid_device, some fields are re-ordered. This
was the output of pahole for the first 128 bytes:
struct hid_device {
__u8 * dev_rdesc; /* 0 8 */
unsigned int dev_rsize; /* 8 4 */
/* XXX 4 bytes hole, try to pack */
__u8 * rdesc; /* 16 8 */
unsigned int rsize; /* 24 4 */
/* XXX 4 bytes hole, try to pack */
struct hid_collection * collection; /* 32 8 */
unsigned int collection_size; /* 40 4 */
unsigned int maxcollection; /* 44 4 */
unsigned int maxapplication; /* 48 4 */
__u16 bus; /* 52 2 */
__u16 group; /* 54 2 */
__u32 vendor; /* 56 4 */
__u32 product; /* 60 4 */
/* --- cacheline 1 boundary (64 bytes) --- */
__u32 version; /* 64 4 */
enum hid_type type; /* 68 4 */
unsigned int country; /* 72 4 */
/* XXX 4 bytes hole, try to pack */
struct hid_report_enum report_enum[3]; /* 80 6216 */
Basically, we got three holes of 4 bytes. We can reorder things a little
and makes those 3 holes a continuous 12 bytes hole, which can be replaced
by the new pointer and the new unsigned int we need.
In terms of code allocation, when not using HID-BPF, we are back to kernel
v6.2 in hid_open_report(). These multiple kmemdup() calls will be fixed
in a later commit.
Link: https://patch.msgid.link/20241001-hid-bpf-hid-generic-v3-1-2ef1019468df@kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
The only user of hid_snto32() is Logitech HID++ driver, which always
calls hid_snto32() with valid size (constant, either 12 or 8) and
therefore can simply use sign_extend32().
Make the switch and remove hid_snto32(). Move snto32() and s32ton() to
avoid introducing forward declaration.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Link: https://patch.msgid.link/20241003144656.3786064-2-dmitry.torokhov@gmail.com
[bentiss: fix checkpatch warning]
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
snto32() does exactly what sign_extend32() does, but handles
potentially malformed data coming from the device. Keep the checks,
but then call sign_extend32() to perform the actual conversion.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Link: https://patch.msgid.link/20241003144656.3786064-1-dmitry.torokhov@gmail.com
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
We can easily calculate the size of the item using arithmetic (shifts).
This allows to pull duplicated code out of the switch statement, making
it cleaner.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Link: https://patch.msgid.link/ZvwYbESMZ667QZqY@google.com
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
asm/unaligned.h is always an include of asm-generic/unaligned.h;
might as well move that thing to linux/unaligned.h and include
that - there's nothing arch-specific in that header.
auto-generated by the following:
for i in `git grep -l -w asm/unaligned.h`; do
sed -i -e "s/asm\/unaligned.h/linux\/unaligned.h/" $i
done
for i in `git grep -l -w asm-generic/unaligned.h`; do
sed -i -e "s/asm-generic\/unaligned.h/linux\/unaligned.h/" $i
done
git mv include/asm-generic/unaligned.h include/linux/unaligned.h
git mv tools/include/asm-generic/unaligned.h tools/include/linux/unaligned.h
sed -i -e "/unaligned.h/d" include/asm-generic/Kbuild
sed -i -e "s/__ASM_GENERIC/__LINUX/" include/linux/unaligned.h tools/include/linux/unaligned.h
fetch_item() does not modify the descriptor it operates on.
As a prerequisite for the constification of hid_driver::dev_rdesc,
mark the parameters and return value of fetch_item() as const.
Also adapt the variable types in the callers to match this
constification.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Link: https://patch.msgid.link/20240803-hid-const-fixup-v2-4-f53d7a7b29d8@weissschuh.net
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
