The syzbot fuzzer found a slab-out-of-bounds write bug in the hid-gaff
driver. The problem is caused by the driver's assumption that the
device must have an input report. While this will be true for all
normal HID input devices, a suitably malicious device can violate the
assumption.
The same assumption is present in over a dozen other HID drivers.
This patch fixes them by checking that the list of hid_inputs for the
hid_device is nonempty before allowing it to be used.
Reported-and-tested-by: syzbot+403741a091bf41d4ae79@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Based on 1 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license as published by
the free software foundation either version 2 of the license or at
your option any later version this program is distributed in the
hope that it will be useful but without any warranty without even
the implied warranty of merchantability or fitness for a particular
purpose see the gnu general public license for more details you
should have received a copy of the gnu general public license along
with this program if not write to the free software foundation inc
59 temple place suite 330 boston ma 02111 1307 usa
extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-or-later
has been chosen to replace the boilerplate/reference in 1334 file(s).
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Allison Randal <allison@lohutok.net>
Reviewed-by: Richard Fontana <rfontana@redhat.com>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190527070033.113240726@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The Logitech WingMan Formula GP by default presents a combined
accelerate/brake axis, so this patch assigns it to hid-logitech in order to
benefit from the axis-splitting logic in lg4ff. There is also a fixed
report descriptor for the resulting report.
Signed-off-by: Jarrad Whitaker <jarrad.whitaker@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
The pointer value is being assigned a value and this is never read, and later
on it is being assigned a new value. This the first assignment is redundant
and can be removed and hence also the variables report and report_list. Cleans
up the clang warning: Value stored to 'value' during its initialization is
never read
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Move ForceFeedback support for the Formula Force GP into hid-lgff4
and re-write HID descriptor, thus allowing combined pedals or not
as user desires.
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Add support for computing a combined accelerator/brake axis for wheels
which don't contain combined data in their HID stream.
This includes DFGT, G25, G27, G29 and Wii-Wheel.
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Add support for reporting a combined accelerator/brake axis for wheels
which contain combined data in their HID stream.
This includes DF, MOMO, MOMO2 and DFP.
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Introduce a dev_attr which can be used to combine the accelerator
and brake pedals into a single axis. This is useful for older games
which can not handle seperate accelerator and brake.
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
to_hid_device() macro is defined in both hid-lg4ff.c and
hid-logitech-hidpp.c. So I move it to include/linux/hid.h.
Signed-off-by: Geliang Tang <geliangtang@163.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
At present the G29 is mis-identified as a DFGT, this patch ensures
that the wheel is correctly detected and allows setting the LEDs and
turning range via the '/sys' interface.
This wheel can also emulate other types of Logitech wheels.
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Simplfy how hid-logitech driver detects the native mode of the wheel,
done by looking at the USB-ID revision and comparing bit mask.
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Allow the driver to continue without sysfs interface. Instead of bailing out
allow the driver to continue in a degraded mode.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Constify those members of lg4ff_device_entry struct whose value is not
supposed to change.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Store pointer to the output HID report struct in the device entry struct.
This eliminates the need to look the HID report struct up every time it is needed.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Protect concurrent access to output HID report with a spinlock. The HID report
structure used to submit commands to wheels is shared amongst all functions that
need to do so and some of these functions can be executed in parallel.
Additionally, lg4ff_play() can be called from interrupt context by ff-memless
module. Locking is necessary to prevent sending bogus data to the wheels.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Stop the hid device from lg4ff. Originally hid-lg was responsible for
stopping of the device.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Make lg4ff_wheel_data a separate structure stored within lg4ff_device_entry.
Adjust the initialization process accordingly.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Update a warning message for a case where device is incorrectly flagged to be
handled by hid-lg4ff in hid-lg. The original warning message was highly
misleading. This warning can be triggered only if a device is flagged to be
handled by hid-lg4ff in hid-lg but hid-lg4ff lacks support for such device.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Remove unused variable from the "lg4ff_device_entry" struct. This is a leftover
from times where hid_get|set_drvdata() was not available to hid-lg4ff so it had
to keep track of the devices it managed by itself.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Replace DEVICE_ATTR_RW with DEVICE_ATTR to have all internal functions prefixed
with "lg4ff_". All internal functions should be prefixed with just "lg4ff_".
Usage of DEVICE_ATTR_RW breaks this scheme because it expects the functions'
names to match the name of the respective sysfs entry.
This partially reverts "2f1cec3250e38609bf9252db52dbbe61603c04a7"
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Remove "hid_" prefix from some functions' names. All internal functions
of hid-lg4ff should be prefixed with just "lg4ff_"
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Remove double underscore prefix from numeric types. This code will never be used
outside the kernel so the prefixes are unnecessary.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Fix "undefined reference" build issue with CONFIG_USB disabled; make the
driver use generic HID API instead.
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Allow switching of Logitech gaming wheels between available compatibility modes
through sysfs. This only applies to multimode wheels.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Tested-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Introduce a module parameter to disable automatic switch of Logitech gaming
wheels from compatibility to native mode. This only applies to multimode wheels.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Tested-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Display the real wheel model and supported alternate modes through sysfs. This
applies only to multimode wheels.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Tested-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Identify Logitech gaming wheels in compatibility modes accordingly to Logitech
specifications.
Logitech specification contains a general method of identifying various
models of their gaming wheels while they are in "compatibility" mode.
This patch implements the method instead of checking against known
values of bcdDevice. Handling of the mode switch upon initialization is
also adjusted so that the driver does not have to go through the entire
initialization routine because the wheels are set to perform a USB
detach before they reappear in "native" mode.
Signed-off-by: Michal Malý <madcatxster@devoid-pointer.net>
Tested-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Use the DEVICE_ATTR_RW macro to reduce boiler plate and move the
attribute declaration to get rid of function signatures.
Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
There is no reason to set the range attribute executable to the user and
group, and writable to the group. Fix the permission to 0644.
Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
If the device data is not accessible for some reason, returning 0 will cause the call to be
continuously called again as none of the string has been 'consumed'.
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
In line with practice for module parameters, we're adding a build-time
check that sysfs files aren't world-writable.
Cc: Simon Wood <simon@mungewell.org>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
It has been reported that there is a new hardware version of the G27
in the 'wild'. This patch add's this new revision so that it can be
sent the command to switch to native mode.
Reported-by: "Ivan Baldo" <ibaldo@adinet.com.uy>
Tested-by: "evilcow" <evilcow93@yahoo.com>
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
The MOMO and MOMO2 wheels have a slightly different autocenter command,
and accept values in the range 0..F (rather than 0..7 for the other wheels).
This patch uses the product ID to determine how to compute the strength.
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Re-arrange code slightly to ensure that device properties are configured
before calling auto-center command.
Reported-by: Michal Malý <madcatxster@prifuk.cz>
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
When 'Constant Force' is set to 0 it is not turned off completely,
the wheel feels 'heavy'. This patch issues the '13 00..' command
to ensure that the force in slot 1 (the Constant Force) is
deactivated.
Reported-by: Elias Vanderstuyft <elias.vds@gmail.com>
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
When the autocenter is set to zero, this patch issues a command to
totally disable the autocenter - this results in less resistance
in the wheel.
Reported-by: Elias Vanderstuyft <elias.vds@gmail.com>
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Adjust the scaling and lineartity to match that of the Windows
driver (from MOMO testing).
Reported-by: Elias Vanderstuyft <elias.vds@gmail.com>
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
A HID device could send a malicious output report that would cause the
lg, lg3, and lg4 HID drivers to write beyond the output report allocation
during an event, causing a heap overflow:
[ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
...
[ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
Additionally, while lg2 did correctly validate the report details, it was
cleaned up and shortened.
CVE-2013-2893
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
It has been reported that there is a new version (different USB rev)
of the Logitech DFGT in the 'wild'.
This patch allows the kernel to recognise this wheel and send it the
command to enter native mode.
Reported-by: "Denis Jovic" <djovic78@gmail.com>
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
This allows the hid drivers to be independent from the transport layer.
The patch was constructed by replacing all occurences of
usbhid_submit_report() by its hid_hw_request() counterpart.
Then, drivers not requiring USB_HID anymore have their USB_HID
dependency cleaned in the Kconfig file.
Finally, few drivers still depends on USB_HID. Many of them
are requiring the io wait callback. They are found in the next patch.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
For the sensor-hub part:
Tested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
This patch removes code which is now unnecessary for setting the fuzz/flat
characterics for the logitech DFP wheel. This is now done in the previous
patch by marking the wheel as a multi-axis device.
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
The lg4ff driver doesn't fill the "input_absinfo" struct so it is left
with default values. Applications with rely on information in this struct
therefore do not work correctly with the wheel.
Other Logitech wheels probably need this fix too, but again I do not have
enough information to write it.
Signed-off-by: Michal Malý <madcatxster@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Range limiting command for the Driving Force Pro wheel is only a FF_SPRING
effect so that the wheel creates resistance when the user tries to turn it past
the limit. It is however possible to overpower the FFB motors quite easily which
leads to the X axis value exceeding the expected limit. This confuses
games which dynamically adjust calibration using the highest/lowest min and max
values reported by the wheel. Joydev device driver also doesn't take in account
any changes in an axis range after the joystick device is created.
This patch recalculates received ABS_X axis value so it is always in
<0; 16383> range where 0 is the left limit and 16383 the right limit.
Logitech driver for Windows does the same thing. As for any concerns about
possible loss of precision, I compared a large set of raw/adjusted values
generated by "mult_frac" to values returned by the Windows driver and I got
a 100% match.
Other Logitech wheels will probably need a similar fix, but I currently lack
the information needed to write one.
Signed-off-by: Michal Malý <madcatxster@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
This patch replaces all occurrences of "report->field[0]->value[n]" with just
"value[n]" to get rid of the lengthy trains we have now.
Signed-off-by: Michal Malý <madcatxster@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>