implement() is setting bytes in LE data stream. In case the data is not
aligned to 64bits, it reads past the allocated buffer. It doesn't really
change any value there (it's properly bitmasked), but in case that this
read past the boundary hits a page boundary, pagefault happens when
accessing 64bits of 'x' in implement(), and kernel oopses.
This happens much more often when numbered reports are in use, as the
initial 8bit skip in the buffer makes the whole process work on values
which are not aligned to 64bits.
This problem dates back to attempts in 2005 and 2006 to make implement()
and extract() as generic as possible, and even back then the problem
was realized by Adam Kroperlin, but falsely assumed to be impossible
to cause any harm:
http://www.mail-archive.com/linux-usb-devel@lists.sourceforge.net/msg47690.html
I have made several attempts at fixing it "on the spot" directly in
implement(), but the results were horrible; the special casing for processing
last 64bit chunk and switching to different math makes it unreadable mess.
I therefore took a path to allocate a few bytes more which will never make
it into final report, but are there as a cushion for all the 64bit math
operations happening in implement() and extract().
All callers of hid_output_report() are converted at the same time to allocate
the buffer by newly introduced hid_alloc_report_buf() helper.
Bruno noticed that the whole raw_size test can be dropped as well, as
hid_alloc_report_buf() makes sure that the buffer is always of a proper
size.
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Acked-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
This allows the hid drivers to be independent from the transport layer.
The patch was constructed by replacing all occurences of
usbhid_submit_report() by its hid_hw_request() counterpart.
Then, drivers not requiring USB_HID anymore have their USB_HID
dependency cleaned in the Kconfig file.
Finally, few drivers still depends on USB_HID. Many of them
are requiring the io wait callback. They are found in the next patch.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
For the sensor-hub part:
Tested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Matthieu CASTET adjusted picolcd_debug_out_report() to only operate when
there is an active listener on debugfs for events.
His change got lost while splitting hid_picolcd.c, restore it.
Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Make sure we keep enough space for terminating NUL character after last
newline. If we have too much data, replace last byte with '.'s to
make overflow visible.
Using hex_dump_to_buffer() is not interesting as it adds more overhead
and does not append the trailing linefeed.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
The first payload byte indicates how many IR data bytes are following, not
including itself. The IR data bytes appear in pairs as they represent a
series of 16bit intervals.
Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Matthieu CASTET adjusted picolcd_debug_out_report() to only operate when
there is an active listener on debugfs for events.
Do the same on the more important picolcd_debug_raw_event() that is
called in interrupt context as opposed to picolcd_debug_out_report()
which happens in whichever context that sends reports to device.
Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
m68k/allmodconfig:
drivers/hid/hid-picolcd_debugfs.c: In function ‘picolcd_debug_reset_write’:
drivers/hid/hid-picolcd_debugfs.c:54: error: implicit declaration of function ‘copy_from_user’
drivers/hid/hid-picolcd_debugfs.c: In function ‘picolcd_debug_eeprom_read’:
drivers/hid/hid-picolcd_debugfs.c:112: error: implicit declaration of function ‘copy_to_user’
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
WARNING: static const char * array should probably be static const char * const
+static const char *error_codes[] = {
WARNING: min() should probably be min_t(size_t, 20, s)
+ raw_data[2] = min((size_t)20, s);
Note: the second min_t suggestion cannot be followed because GCC is not
smart enough to track constants through it and make
copy_from_user_overflow() check happy.
WARNING: min() should probably be min_t(u8, 20, raw_data[2])
+ if (copy_from_user(raw_data+3, u, min((u8)20, raw_data[2])))
return -EFAULT;
Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
In order to make code maintenance easier, split the vairous
functions into individial files (this removes a bunch of #ifdefs).
Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>