From 4ea5454203d991ec85264f64f89ca8855fce69b0 Mon Sep 17 00:00:00 2001 From: David Herrmann Date: Wed, 10 Aug 2011 14:02:07 +0200 Subject: HID: Fix race condition between driver core and ll-driver HID low level drivers register new devices with the HID core which then adds the devices to the HID bus. The HID bus normally immediately probes an appropriate driver which then handles HID input for this device. The ll driver now uses the hid_input_report() function to report input events for a specific device. However, if the HID bus unloads the driver at the same time (for instance via a call to /sys/bus/hid/devices//unbind) then the hdev->driver pointer may be used by hid_input_report() and hid_device_remove() at the same time which may cause hdev->driver to point to invalid memory. This fix adds a semaphore to every hid device which protects hdev->driver from asynchronous access. This semaphore is locked during driver *_probe and *_remove and also inside hid_input_report(). The *_probe and *_remove functions may sleep so the semaphore is good here, however, hid_input_report() is in atomic context and hence only uses down_trylock(). If it cannot acquire the lock it simply drops the input package. The low-level drivers report input events synchronously so hid_input_report() should never be entered twice at the same time on the same device. Hence, the lock should always be available. But if the driver is currently probed/removed then the lock is not available and dropping the package should be safe because this is what would have happened if the package arrived some milliseconds earlier/later. This also fixes another race condition while probing drivers: First the *_probe function of the driver is called and only if that succeeds, the related input device of hidinput is registered. If the low level driver reports input events after the *_probe function returned but before the input device is registered, then a NULL pointer dereference will occur. (Equivalently on driver remove function). This is not possible anymore, since the semaphore lock drops all incoming packages until the driver/device is fully initialized. Signed-off-by: David Herrmann Signed-off-by: Jiri Kosina --- include/linux/hid.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'include/linux') diff --git a/include/linux/hid.h b/include/linux/hid.h index 9cf8e7ae745..9c02d07af0d 100644 --- a/include/linux/hid.h +++ b/include/linux/hid.h @@ -71,6 +71,7 @@ #include #include #include +#include /* * We parse each description item into this structure. Short items data @@ -475,6 +476,7 @@ struct hid_device { /* device report descriptor */ unsigned country; /* HID country */ struct hid_report_enum report_enum[HID_REPORT_TYPES]; + struct semaphore driver_lock; /* protects the current driver */ struct device dev; /* device */ struct hid_driver *driver; struct hid_ll_driver *ll_driver; -- cgit v1.2.3-70-g09d2 From b77c3920e90e96103e4f41442999402925fe5f73 Mon Sep 17 00:00:00 2001 From: Benjamin Tissoires Date: Wed, 21 Sep 2011 16:56:54 +0200 Subject: HID: add autodetection of multitouch devices As mentioned by http://www.microsoft.com/whdc/device/input/DigitizerDrvs_touch.mspx multitouch devices are those that have the input report HID_CONTACTID. This patch detects this and unloads the generic-usb driver. Signed-off-by: Benjamin Tissoires Signed-off-by: Jiri Kosina --- drivers/hid/hid-core.c | 6 ++++++ drivers/hid/hid-input.c | 11 +++++++++++ include/linux/hid.h | 1 + 3 files changed, 18 insertions(+) (limited to 'include/linux') diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index 956f84968fa..f869ab35e6d 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1212,6 +1212,12 @@ int hid_connect(struct hid_device *hdev, unsigned int connect_mask) if ((connect_mask & HID_CONNECT_HIDINPUT) && !hidinput_connect(hdev, connect_mask & HID_CONNECT_HIDINPUT_FORCE)) hdev->claimed |= HID_CLAIMED_INPUT; + if (hdev->quirks & HID_QUIRK_MULTITOUCH) { + /* this device should be handled by hid-multitouch, skip it */ + hdev->quirks &= ~HID_QUIRK_MULTITOUCH; + return -ENODEV; + } + if ((connect_mask & HID_CONNECT_HIDDEV) && hdev->hiddev_connect && !hdev->hiddev_connect(hdev, connect_mask & HID_CONNECT_HIDDEV_FORCE)) diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c index 6559e2e3364..f333139d1a4 100644 --- a/drivers/hid/hid-input.c +++ b/drivers/hid/hid-input.c @@ -474,6 +474,10 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel map_key_clear(BTN_STYLUS2); break; + case 0x51: /* ContactID */ + device->quirks |= HID_QUIRK_MULTITOUCH; + goto unknown; + default: goto unknown; } break; @@ -978,6 +982,13 @@ int hidinput_connect(struct hid_device *hid, unsigned int force) } } + if (hid->quirks & HID_QUIRK_MULTITOUCH) { + /* generic hid does not know how to handle multitouch devices */ + if (hidinput) + goto out_cleanup; + goto out_unwind; + } + if (hidinput && input_register_device(hidinput->input)) goto out_cleanup; diff --git a/include/linux/hid.h b/include/linux/hid.h index 9cf8e7ae745..6fb743d72bf 100644 --- a/include/linux/hid.h +++ b/include/linux/hid.h @@ -312,6 +312,7 @@ struct hid_item { #define HID_QUIRK_BADPAD 0x00000020 #define HID_QUIRK_MULTI_INPUT 0x00000040 #define HID_QUIRK_HIDINPUT_FORCE 0x00000080 +#define HID_QUIRK_MULTITOUCH 0x00000100 #define HID_QUIRK_SKIP_OUTPUT_REPORTS 0x00010000 #define HID_QUIRK_FULLSPEED_INTERVAL 0x10000000 #define HID_QUIRK_NO_INIT_REPORTS 0x20000000 -- cgit v1.2.3-70-g09d2