A HID device could send a malicious output report that would cause the
lg, lg3, and lg4 HID drivers to write beyond the output report allocation
during an event, causing a heap overflow:
[ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
...
[ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
Additionally, while lg2 did correctly validate the report details, it was
cleaned up and shortened.
CVE-2013-2893
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
It has been reported that there is a new version (different USB rev)
of the Logitech DFGT in the 'wild'.
This patch allows the kernel to recognise this wheel and send it the
command to enter native mode.
Reported-by: "Denis Jovic" <djovic78@gmail.com>
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
This allows the hid drivers to be independent from the transport layer.
The patch was constructed by replacing all occurences of
usbhid_submit_report() by its hid_hw_request() counterpart.
Then, drivers not requiring USB_HID anymore have their USB_HID
dependency cleaned in the Kconfig file.
Finally, few drivers still depends on USB_HID. Many of them
are requiring the io wait callback. They are found in the next patch.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
For the sensor-hub part:
Tested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
This patch removes code which is now unnecessary for setting the fuzz/flat
characterics for the logitech DFP wheel. This is now done in the previous
patch by marking the wheel as a multi-axis device.
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
The lg4ff driver doesn't fill the "input_absinfo" struct so it is left
with default values. Applications with rely on information in this struct
therefore do not work correctly with the wheel.
Other Logitech wheels probably need this fix too, but again I do not have
enough information to write it.
Signed-off-by: Michal Malý <madcatxster@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Range limiting command for the Driving Force Pro wheel is only a FF_SPRING
effect so that the wheel creates resistance when the user tries to turn it past
the limit. It is however possible to overpower the FFB motors quite easily which
leads to the X axis value exceeding the expected limit. This confuses
games which dynamically adjust calibration using the highest/lowest min and max
values reported by the wheel. Joydev device driver also doesn't take in account
any changes in an axis range after the joystick device is created.
This patch recalculates received ABS_X axis value so it is always in
<0; 16383> range where 0 is the left limit and 16383 the right limit.
Logitech driver for Windows does the same thing. As for any concerns about
possible loss of precision, I compared a large set of raw/adjusted values
generated by "mult_frac" to values returned by the Windows driver and I got
a 100% match.
Other Logitech wheels will probably need a similar fix, but I currently lack
the information needed to write one.
Signed-off-by: Michal Malý <madcatxster@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
This patch replaces all occurrences of "report->field[0]->value[n]" with just
"value[n]" to get rid of the lengthy trains we have now.
Signed-off-by: Michal Malý <madcatxster@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Updated comments to say that this driver now supports all Logitech
gaming wheels, and not just the WiiWheel.
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
This patch adds supports for controlling the LED 'tachometer' on
the G27 wheel, via the LED subsystem.
The 5 LEDs are arranged from right (1=grn, 2=grn, 3=yel, 4=yel, 5=red)
and 'mirrored' to the left (10 LEDs in total).
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
lg4ff now calls hid_get/set_drvdata() to read or store device configuration.
Signed-off-by: Michal Malý <madcatxster@gmail.com>
Tested-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
This patch fixes a possible race condition caused by the sysfs
interface being removed after the memory used by the interface
was already kfree'd.
Signed-off-by: Michal Malý <madcatsxter@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Casting (void *) value returned by kmalloc is useless
as mentioned in Documentation/CodingStyle, Chap 14.
The semantic patch that makes this change is available
in scripts/coccinelle/api/alloc/drop_kmalloc_cast.cocci.
Signed-off-by: Thomas Meyer <thomas@m3y3r.de>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
There is a small rare potential memory leak here. Also Walter Harms
points out that we can do a small cleanup as well by using kstrdup().
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
The Logitech driver sends Formula Force EX wheel a different command to
autocenering force. FFEX will accept the standard command used by the rest of
the wheels, but it won't set the centering properly.
Signed-off-by: Michal Malý <madcatxster@gmail.com>
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Wheel range of certain Logitech wheels - namely Driving Force GT, Driving Force
Pro, G25 and G27 can be adjusted. Minimu is 40 degrees, maximum 900. DFGT, G25
and G27 all use a common command, DFP uses another one. Range can be set from
userspace by writing to
"/sys/module/hid_logitech/drivers/hid:logitech/<dev>range". The driver use list
to store range of each connected wheel; it's not possible to use driver_data in
hid_device struct as it's already b hig-lg driver.
Signed-off-by: Michal Malý <madcatxster@gmail.com>
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
This patch allows the lg4ff driver to switch wheels to the native mode. Since
this is specific to Logitech wheels only, it's handled in hid-lg4ff rather than
hid-lg.
Signed-off-by: Michal Malý <madcatxster@gmail.com>
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
This is the first out of five patches me and Simon Wood (CC'd) have been
working on. It separates the handling of Logite from the generic lgff driver
and adds additional features specific for the Logitech wheels, namely
- Native mode support for Driving Force GT, Driving Force Pro, G25 and G27
wheels Every Logitech wheel reports itself as generic Logitech Driving Force
wheel (VID 046d, PID c294). This is done to ensu wheel will work on every USB
HID-aware system even when no Logitech driver is available. It however limits
the capabilit wheel - range is limited to 200 degrees, G25/G27 don't report the
clutch pedal and there is only one combined axis for t brake. The switch to
native mode is done via hardware-specific command which is different for each
wheel. When the wheel receives such command, it simulates reconnect and reports
to the OS with its actual PID.
- Adjustable wheel range DFGT, DFP, G25 and G27 have variable range of the
steering wheel. The range is limited by applying a maximum constant when the
wheel is turned beyond the allowed range. The limit as also set by a
hardware-specific command. There is a comm command for DFGT, G25 and G27 and
another one for DFP. It is probably possible to use the DFP command to limit
the range other Logitech wheels too, but this is not supported by the official
Logitech driver for Windows. The patch adds a sysfs interface which allows for
the range to be set from userspace.
- Fixed autocentering command All Logitech wheels support FF_AUTOCENTER effect.
The original implementation in the lgff driver didn't work well with patch
fixes it. According to USB communication sniffs the Formula Force EX (pretty
much rebranded original Driving Force accept the generic autocentering command,
this issue is also addressed by the patch
There are still some features this patch doesn't cover, but since some of them
will most likely require modifications of memless driver we have decided not to
include them yet.
As first we decided to move the handling of Logitech wheels from hid-lgff
driver to hid-lg4ff driver (originally used fo At also adds PID of Logitech
Driving Force GT.
Signed-off-by: Michal Malý <madcatxster@gmail.com>
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Neaten current uses of dev_<level> by adding and using
hid specific hid_<level> macros.
Convert existing uses of dev_<level> uses to hid_<level>.
Convert hid-pidff printk uses to hid_<level>.
Remove err_hid and use hid_err instead.
Add missing newlines to logging messages where necessary.
Coalesce format strings.
Add and use pr_fmt(fmt) KBUILD_MODNAME ": " fmt
Other miscellaneous changes:
Add const struct hid_device * argument to hid-core functions
extract() and implement() so hid_<level> can be used by them.
Fix bad indentation in hid-core hid_input_field function
that calls extract() function above.
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
The following patch adds support for the Logitech Speed Force Wireless gaming
wheel. Originally designed for the WII console. Details on the protocol:
http://wiibrew.org/wiki/Logitech_USB_steering_wheel
This patch relies on previous patch:
"Don't Send Feature Reports on Interrupt Endpoint"
Logitech as produce a very similar wheel for the PS2/PS3, it is expected that
this patch could also support the PS2/PS3 wheel if the USB ID's are added and
(if required) the HID descriptor is modified.
Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>