tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge tag 'hid-for-linus-2024020101' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid

Pull HID fixes from Benjamin Tissoires:

- cleanups in the error path in hid-steam (Dan Carpenter)

- fixes for Wacom tablets selftests that sneaked in while the CI was
taking a break during the year end holidays (Benjamin Tissoires)

- null pointer check in nvidia-shield (Kunwu Chan)

- memory leak fix in hidraw (Su Hui)

- another null pointer fix in i2c-hid-of (Johan Hovold)

- another memory leak fix in HID-BPF this time, as well as a double
fdget() fix reported by Dan Carpenter (Benjamin Tissoires)

- fix for Cirque touchpad when they go on suspend (Kai-Heng Feng)

- new device ID in hid-logitech-hidpp: "Logitech G Pro X SuperLight 2"
(Jiri Kosina)

* tag 'hid-for-linus-2024020101' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
HID: bpf: use __bpf_kfunc instead of noinline
HID: bpf: actually free hdev memory after attaching a HID-BPF program
HID: bpf: remove double fdget()
HID: i2c-hid-of: fix NULL-deref on failed power up
HID: hidraw: fix a problem of memory leak in hidraw_release()
HID: i2c-hid: Skip SET_POWER SLEEP for Cirque touchpad on system suspend
HID: nvidia-shield: Add missing null pointer checks to LED initialization
HID: logitech-hidpp: add support for Logitech G Pro X Superlight 2
selftests/hid: wacom: fix confidence tests
HID: hid-steam: Fix cleanup in probe()
HID: hid-steam: remove pointless error message

Linus Torvalds 5c24e4e9 f6cdd897

+146 -93
+82 -35
drivers/hid/bpf/hid_bpf_dispatch.c
··· 143 143 } 144 144 EXPORT_SYMBOL_GPL(call_hid_bpf_rdesc_fixup); 145 145 146 + /* Disables missing prototype warnings */ 147 + __bpf_kfunc_start_defs(); 148 + 146 149 /** 147 150 * hid_bpf_get_data - Get the kernel memory pointer associated with the context @ctx 148 151 * ··· 155 152 * 156 153 * @returns %NULL on error, an %__u8 memory pointer on success 157 154 */ 158 - noinline __u8 * 155 + __bpf_kfunc __u8 * 159 156 hid_bpf_get_data(struct hid_bpf_ctx *ctx, unsigned int offset, const size_t rdwr_buf_size) 160 157 { 161 158 struct hid_bpf_ctx_kern *ctx_kern; ··· 170 167 171 168 return ctx_kern->data + offset; 172 169 } 170 + __bpf_kfunc_end_defs(); 173 171 174 172 /* 175 173 * The following set contains all functions we agree BPF programs ··· 245 241 return 0; 246 242 } 247 243 248 - /** 249 - * hid_bpf_attach_prog - Attach the given @prog_fd to the given HID device 250 - * 251 - * @hid_id: the system unique identifier of the HID device 252 - * @prog_fd: an fd in the user process representing the program to attach 253 - * @flags: any logical OR combination of &enum hid_bpf_attach_flags 254 - * 255 - * @returns an fd of a bpf_link object on success (> %0), an error code otherwise. 256 - * Closing this fd will detach the program from the HID device (unless the bpf_link 257 - * is pinned to the BPF file system). 258 - */ 259 - /* called from syscall */ 260 - noinline int 261 - hid_bpf_attach_prog(unsigned int hid_id, int prog_fd, __u32 flags) 244 + static int do_hid_bpf_attach_prog(struct hid_device *hdev, int prog_fd, struct bpf_prog *prog, 245 + __u32 flags) 262 246 { 263 - struct hid_device *hdev; 264 - struct device *dev; 265 - int fd, err, prog_type = hid_bpf_get_prog_attach_type(prog_fd); 247 + int fd, err, prog_type; 266 248 267 - if (!hid_bpf_ops) 268 - return -EINVAL; 269 - 249 + prog_type = hid_bpf_get_prog_attach_type(prog); 270 250 if (prog_type < 0) 271 251 return prog_type; 272 252 273 253 if (prog_type >= HID_BPF_PROG_TYPE_MAX) 274 254 return -EINVAL; 275 - 276 - if ((flags & ~HID_BPF_FLAG_MASK)) 277 - return -EINVAL; 278 - 279 - dev = bus_find_device(hid_bpf_ops->bus_type, NULL, &hid_id, device_match_id); 280 - if (!dev) 281 - return -EINVAL; 282 - 283 - hdev = to_hid_device(dev); 284 255 285 256 if (prog_type == HID_BPF_PROG_TYPE_DEVICE_EVENT) { 286 257 err = hid_bpf_allocate_event_data(hdev); ··· 263 284 return err; 264 285 } 265 286 266 - fd = __hid_bpf_attach_prog(hdev, prog_type, prog_fd, flags); 287 + fd = __hid_bpf_attach_prog(hdev, prog_type, prog_fd, prog, flags); 267 288 if (fd < 0) 268 289 return fd; 269 290 ··· 278 299 return fd; 279 300 } 280 301 302 + /* Disables missing prototype warnings */ 303 + __bpf_kfunc_start_defs(); 304 + 305 + /** 306 + * hid_bpf_attach_prog - Attach the given @prog_fd to the given HID device 307 + * 308 + * @hid_id: the system unique identifier of the HID device 309 + * @prog_fd: an fd in the user process representing the program to attach 310 + * @flags: any logical OR combination of &enum hid_bpf_attach_flags 311 + * 312 + * @returns an fd of a bpf_link object on success (> %0), an error code otherwise. 313 + * Closing this fd will detach the program from the HID device (unless the bpf_link 314 + * is pinned to the BPF file system). 315 + */ 316 + /* called from syscall */ 317 + __bpf_kfunc int 318 + hid_bpf_attach_prog(unsigned int hid_id, int prog_fd, __u32 flags) 319 + { 320 + struct hid_device *hdev; 321 + struct bpf_prog *prog; 322 + struct device *dev; 323 + int err, fd; 324 + 325 + if (!hid_bpf_ops) 326 + return -EINVAL; 327 + 328 + if ((flags & ~HID_BPF_FLAG_MASK)) 329 + return -EINVAL; 330 + 331 + dev = bus_find_device(hid_bpf_ops->bus_type, NULL, &hid_id, device_match_id); 332 + if (!dev) 333 + return -EINVAL; 334 + 335 + hdev = to_hid_device(dev); 336 + 337 + /* 338 + * take a ref on the prog itself, it will be released 339 + * on errors or when it'll be detached 340 + */ 341 + prog = bpf_prog_get(prog_fd); 342 + if (IS_ERR(prog)) { 343 + err = PTR_ERR(prog); 344 + goto out_dev_put; 345 + } 346 + 347 + fd = do_hid_bpf_attach_prog(hdev, prog_fd, prog, flags); 348 + if (fd < 0) { 349 + err = fd; 350 + goto out_prog_put; 351 + } 352 + 353 + return fd; 354 + 355 + out_prog_put: 356 + bpf_prog_put(prog); 357 + out_dev_put: 358 + put_device(dev); 359 + return err; 360 + } 361 + 281 362 /** 282 363 * hid_bpf_allocate_context - Allocate a context to the given HID device 283 364 * ··· 345 306 * 346 307 * @returns A pointer to &struct hid_bpf_ctx on success, %NULL on error. 347 308 */ 348 - noinline struct hid_bpf_ctx * 309 + __bpf_kfunc struct hid_bpf_ctx * 349 310 hid_bpf_allocate_context(unsigned int hid_id) 350 311 { 351 312 struct hid_device *hdev; ··· 362 323 hdev = to_hid_device(dev); 363 324 364 325 ctx_kern = kzalloc(sizeof(*ctx_kern), GFP_KERNEL); 365 - if (!ctx_kern) 326 + if (!ctx_kern) { 327 + put_device(dev); 366 328 return NULL; 329 + } 367 330 368 331 ctx_kern->ctx.hid = hdev; 369 332 ··· 378 337 * @ctx: the HID-BPF context to release 379 338 * 380 339 */ 381 - noinline void 340 + __bpf_kfunc void 382 341 hid_bpf_release_context(struct hid_bpf_ctx *ctx) 383 342 { 384 343 struct hid_bpf_ctx_kern *ctx_kern; 344 + struct hid_device *hid; 385 345 386 346 ctx_kern = container_of(ctx, struct hid_bpf_ctx_kern, ctx); 347 + hid = (struct hid_device *)ctx_kern->ctx.hid; /* ignore const */ 387 348 388 349 kfree(ctx_kern); 350 + 351 + /* get_device() is called by bus_find_device() */ 352 + put_device(&hid->dev); 389 353 } 390 354 391 355 /** ··· 404 358 * 405 359 * @returns %0 on success, a negative error code otherwise. 406 360 */ 407 - noinline int 361 + __bpf_kfunc int 408 362 hid_bpf_hw_request(struct hid_bpf_ctx *ctx, __u8 *buf, size_t buf__sz, 409 363 enum hid_report_type rtype, enum hid_class_request reqtype) 410 364 { ··· 472 426 kfree(dma_data); 473 427 return ret; 474 428 } 429 + __bpf_kfunc_end_defs(); 475 430 476 431 /* our HID-BPF entrypoints */ 477 432 BTF_SET8_START(hid_bpf_fmodret_ids)
+2 -2
drivers/hid/bpf/hid_bpf_dispatch.h
··· 12 12 13 13 int hid_bpf_preload_skel(void); 14 14 void hid_bpf_free_links_and_skel(void); 15 - int hid_bpf_get_prog_attach_type(int prog_fd); 15 + int hid_bpf_get_prog_attach_type(struct bpf_prog *prog); 16 16 int __hid_bpf_attach_prog(struct hid_device *hdev, enum hid_bpf_prog_type prog_type, int prog_fd, 17 - __u32 flags); 17 + struct bpf_prog *prog, __u32 flags); 18 18 void __hid_bpf_destroy_device(struct hid_device *hdev); 19 19 int hid_bpf_prog_run(struct hid_device *hdev, enum hid_bpf_prog_type type, 20 20 struct hid_bpf_ctx_kern *ctx_kern);
+20 -20
drivers/hid/bpf/hid_bpf_jmp_table.c
··· 196 196 static void hid_bpf_release_progs(struct work_struct *work) 197 197 { 198 198 int i, j, n, map_fd = -1; 199 + bool hdev_destroyed; 199 200 200 201 if (!jmp_table.map) 201 202 return; ··· 221 220 if (entry->hdev) { 222 221 hdev = entry->hdev; 223 222 type = entry->type; 223 + /* 224 + * hdev is still valid, even if we are called after hid_destroy_device(): 225 + * when hid_bpf_attach() gets called, it takes a ref on the dev through 226 + * bus_find_device() 227 + */ 228 + hdev_destroyed = hdev->bpf.destroyed; 224 229 225 230 hid_bpf_populate_hdev(hdev, type); 226 231 ··· 239 232 if (test_bit(next->idx, jmp_table.enabled)) 240 233 continue; 241 234 242 - if (next->hdev == hdev && next->type == type) 235 + if (next->hdev == hdev && next->type == type) { 236 + /* 237 + * clear the hdev reference and decrement the device ref 238 + * that was taken during bus_find_device() while calling 239 + * hid_bpf_attach() 240 + */ 243 241 next->hdev = NULL; 242 + put_device(&hdev->dev); 243 + } 244 244 } 245 245 246 - /* if type was rdesc fixup, reconnect device */ 247 - if (type == HID_BPF_PROG_TYPE_RDESC_FIXUP) 246 + /* if type was rdesc fixup and the device is not gone, reconnect device */ 247 + if (type == HID_BPF_PROG_TYPE_RDESC_FIXUP && !hdev_destroyed) 248 248 hid_bpf_reconnect(hdev); 249 249 } 250 250 } ··· 347 333 return err; 348 334 } 349 335 350 - int hid_bpf_get_prog_attach_type(int prog_fd) 336 + int hid_bpf_get_prog_attach_type(struct bpf_prog *prog) 351 337 { 352 - struct bpf_prog *prog = NULL; 353 - int i; 354 338 int prog_type = HID_BPF_PROG_TYPE_UNDEF; 355 - 356 - prog = bpf_prog_get(prog_fd); 357 - if (IS_ERR(prog)) 358 - return PTR_ERR(prog); 339 + int i; 359 340 360 341 for (i = 0; i < HID_BPF_PROG_TYPE_MAX; i++) { 361 342 if (hid_bpf_btf_ids[i] == prog->aux->attach_btf_id) { ··· 358 349 break; 359 350 } 360 351 } 361 - 362 - bpf_prog_put(prog); 363 352 364 353 return prog_type; 365 354 } ··· 395 388 /* called from syscall */ 396 389 noinline int 397 390 __hid_bpf_attach_prog(struct hid_device *hdev, enum hid_bpf_prog_type prog_type, 398 - int prog_fd, __u32 flags) 391 + int prog_fd, struct bpf_prog *prog, __u32 flags) 399 392 { 400 393 struct bpf_link_primer link_primer; 401 394 struct hid_bpf_link *link; 402 - struct bpf_prog *prog = NULL; 403 395 struct hid_bpf_prog_entry *prog_entry; 404 396 int cnt, err = -EINVAL, prog_table_idx = -1; 405 - 406 - /* take a ref on the prog itself */ 407 - prog = bpf_prog_get(prog_fd); 408 - if (IS_ERR(prog)) 409 - return PTR_ERR(prog); 410 397 411 398 mutex_lock(&hid_bpf_attach_lock); 412 399 ··· 468 467 err_unlock: 469 468 mutex_unlock(&hid_bpf_attach_lock); 470 469 471 - bpf_prog_put(prog); 472 470 kfree(link); 473 471 474 472 return err;
+3
drivers/hid/hid-ids.h
··· 298 298 299 299 #define USB_VENDOR_ID_CIDC 0x1677 300 300 301 + #define I2C_VENDOR_ID_CIRQUE 0x0488 302 + #define I2C_PRODUCT_ID_CIRQUE_1063 0x1063 303 + 301 304 #define USB_VENDOR_ID_CJTOUCH 0x24b8 302 305 #define USB_DEVICE_ID_CJTOUCH_MULTI_TOUCH_0020 0x0020 303 306 #define USB_DEVICE_ID_CJTOUCH_MULTI_TOUCH_0040 0x0040
+2
drivers/hid/hid-logitech-hidpp.c
··· 4610 4610 HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, 0xC088) }, 4611 4611 { /* Logitech G Pro X Superlight Gaming Mouse over USB */ 4612 4612 HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, 0xC094) }, 4613 + { /* Logitech G Pro X Superlight 2 Gaming Mouse over USB */ 4614 + HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, 0xC09b) }, 4613 4615 4614 4616 { /* G935 Gaming Headset */ 4615 4617 HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, 0x0a87),
+4
drivers/hid/hid-nvidia-shield.c
··· 800 800 801 801 led->name = devm_kasprintf(&ts->base.hdev->dev, GFP_KERNEL, 802 802 "thunderstrike%d:blue:led", ts->id); 803 + if (!led->name) 804 + return -ENOMEM; 803 805 led->max_brightness = 1; 804 806 led->flags = LED_CORE_SUSPENDRESUME | LED_RETAIN_AT_SHUTDOWN; 805 807 led->brightness_get = &thunderstrike_led_get_brightness; ··· 833 831 shield_dev->battery_dev.desc.name = 834 832 devm_kasprintf(&ts->base.hdev->dev, GFP_KERNEL, 835 833 "thunderstrike_%d", ts->id); 834 + if (!shield_dev->battery_dev.desc.name) 835 + return -ENOMEM; 836 836 837 837 shield_dev->battery_dev.psy = power_supply_register( 838 838 &hdev->dev, &shield_dev->battery_dev.desc, &psy_cfg);
+18 -18
drivers/hid/hid-steam.c
··· 1109 1109 return hid_hw_start(hdev, HID_CONNECT_DEFAULT); 1110 1110 1111 1111 steam = devm_kzalloc(&hdev->dev, sizeof(*steam), GFP_KERNEL); 1112 - if (!steam) { 1113 - ret = -ENOMEM; 1114 - goto steam_alloc_fail; 1115 - } 1112 + if (!steam) 1113 + return -ENOMEM; 1114 + 1116 1115 steam->hdev = hdev; 1117 1116 hid_set_drvdata(hdev, steam); 1118 1117 spin_lock_init(&steam->lock); ··· 1128 1129 */ 1129 1130 ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT & ~HID_CONNECT_HIDRAW); 1130 1131 if (ret) 1131 - goto hid_hw_start_fail; 1132 + goto err_cancel_work; 1132 1133 1133 1134 ret = hid_hw_open(hdev); 1134 1135 if (ret) { 1135 1136 hid_err(hdev, 1136 1137 "%s:hid_hw_open\n", 1137 1138 __func__); 1138 - goto hid_hw_open_fail; 1139 + goto err_hw_stop; 1139 1140 } 1140 1141 1141 1142 if (steam->quirks & STEAM_QUIRK_WIRELESS) { ··· 1151 1152 hid_err(hdev, 1152 1153 "%s:steam_register failed with error %d\n", 1153 1154 __func__, ret); 1154 - goto input_register_fail; 1155 + goto err_hw_close; 1155 1156 } 1156 1157 } 1157 1158 1158 1159 steam->client_hdev = steam_create_client_hid(hdev); 1159 1160 if (IS_ERR(steam->client_hdev)) { 1160 1161 ret = PTR_ERR(steam->client_hdev); 1161 - goto client_hdev_fail; 1162 + goto err_stream_unregister; 1162 1163 } 1163 1164 steam->client_hdev->driver_data = steam; 1164 1165 1165 1166 ret = hid_add_device(steam->client_hdev); 1166 1167 if (ret) 1167 - goto client_hdev_add_fail; 1168 + goto err_destroy; 1168 1169 1169 1170 return 0; 1170 1171 1171 - client_hdev_add_fail: 1172 - hid_hw_stop(hdev); 1173 - client_hdev_fail: 1172 + err_destroy: 1174 1173 hid_destroy_device(steam->client_hdev); 1175 - input_register_fail: 1176 - hid_hw_open_fail: 1177 - hid_hw_start_fail: 1174 + err_stream_unregister: 1175 + if (steam->connected) 1176 + steam_unregister(steam); 1177 + err_hw_close: 1178 + hid_hw_close(hdev); 1179 + err_hw_stop: 1180 + hid_hw_stop(hdev); 1181 + err_cancel_work: 1178 1182 cancel_work_sync(&steam->work_connect); 1179 1183 cancel_delayed_work_sync(&steam->mode_switch); 1180 1184 cancel_work_sync(&steam->rumble_work); 1181 - steam_alloc_fail: 1182 - hid_err(hdev, "%s: failed with error %d\n", 1183 - __func__, ret); 1185 + 1184 1186 return ret; 1185 1187 } 1186 1188
+5 -2
drivers/hid/hidraw.c
··· 357 357 down_write(&minors_rwsem); 358 358 359 359 spin_lock_irqsave(&hidraw_table[minor]->list_lock, flags); 360 - for (int i = list->tail; i < list->head; i++) 361 - kfree(list->buffer[i].value); 360 + while (list->tail != list->head) { 361 + kfree(list->buffer[list->tail].value); 362 + list->buffer[list->tail].value = NULL; 363 + list->tail = (list->tail + 1) & (HIDRAW_BUFFER_SIZE - 1); 364 + } 362 365 list_del(&list->node); 363 366 spin_unlock_irqrestore(&hidraw_table[minor]->list_lock, flags); 364 367 kfree(list);
+5 -1
drivers/hid/i2c-hid/i2c-hid-core.c
··· 49 49 #define I2C_HID_QUIRK_RESET_ON_RESUME BIT(2) 50 50 #define I2C_HID_QUIRK_BAD_INPUT_SIZE BIT(3) 51 51 #define I2C_HID_QUIRK_NO_WAKEUP_AFTER_RESET BIT(4) 52 + #define I2C_HID_QUIRK_NO_SLEEP_ON_SUSPEND BIT(5) 52 53 53 54 /* Command opcodes */ 54 55 #define I2C_HID_OPCODE_RESET 0x01 ··· 132 131 I2C_HID_QUIRK_RESET_ON_RESUME }, 133 132 { USB_VENDOR_ID_ITE, I2C_DEVICE_ID_ITE_LENOVO_LEGION_Y720, 134 133 I2C_HID_QUIRK_BAD_INPUT_SIZE }, 134 + { I2C_VENDOR_ID_CIRQUE, I2C_PRODUCT_ID_CIRQUE_1063, 135 + I2C_HID_QUIRK_NO_SLEEP_ON_SUSPEND }, 135 136 /* 136 137 * Sending the wakeup after reset actually break ELAN touchscreen controller 137 138 */ ··· 959 956 return ret; 960 957 961 958 /* Save some power */ 962 - i2c_hid_set_power(ihid, I2C_HID_PWR_SLEEP); 959 + if (!(ihid->quirks & I2C_HID_QUIRK_NO_SLEEP_ON_SUSPEND)) 960 + i2c_hid_set_power(ihid, I2C_HID_PWR_SLEEP); 963 961 964 962 disable_irq(client->irq); 965 963
+1
drivers/hid/i2c-hid/i2c-hid-of.c
··· 87 87 if (!ihid_of) 88 88 return -ENOMEM; 89 89 90 + ihid_of->client = client; 90 91 ihid_of->ops.power_up = i2c_hid_of_power_up; 91 92 ihid_of->ops.power_down = i2c_hid_of_power_down; 92 93
-11
include/linux/hid_bpf.h
··· 77 77 int hid_bpf_device_event(struct hid_bpf_ctx *ctx); 78 78 int hid_bpf_rdesc_fixup(struct hid_bpf_ctx *ctx); 79 79 80 - /* Following functions are kfunc that we export to BPF programs */ 81 - /* available everywhere in HID-BPF */ 82 - __u8 *hid_bpf_get_data(struct hid_bpf_ctx *ctx, unsigned int offset, const size_t __sz); 83 - 84 - /* only available in syscall */ 85 - int hid_bpf_attach_prog(unsigned int hid_id, int prog_fd, __u32 flags); 86 - int hid_bpf_hw_request(struct hid_bpf_ctx *ctx, __u8 *buf, size_t buf__sz, 87 - enum hid_report_type rtype, enum hid_class_request reqtype); 88 - struct hid_bpf_ctx *hid_bpf_allocate_context(unsigned int hid_id); 89 - void hid_bpf_release_context(struct hid_bpf_ctx *ctx); 90 - 91 80 /* 92 81 * Below is HID internal 93 82 */
+4 -4
tools/testing/selftests/hid/tests/test_wacom_generic.py
··· 880 880 does not overlap with other contacts. The value of `t` may be 881 881 incremented over time to move the point along a linear path. 882 882 """ 883 - x = 50 + 10 * contact_id + t 884 - y = 100 + 100 * contact_id + t 883 + x = 50 + 10 * contact_id + t * 11 884 + y = 100 + 100 * contact_id + t * 11 885 885 return test_multitouch.Touch(contact_id, x, y) 886 886 887 887 def make_contacts(self, n, t=0): ··· 902 902 tracking_id = contact_ids.tracking_id 903 903 slot_num = contact_ids.slot_num 904 904 905 - x = 50 + 10 * contact_id + t 906 - y = 100 + 100 * contact_id + t 905 + x = 50 + 10 * contact_id + t * 11 906 + y = 100 + 100 * contact_id + t * 11 907 907 908 908 # If the data isn't supposed to be stored in any slots, there is 909 909 # nothing we can check for in the evdev stream.