A device would never lie about the number of touch reports would it?
If it does the loop in dualshock4_parse_report will read off the end of
the touch_reports array, up to about 2 KiB for the maximum number of 256
loop iteraions. The data that is read is emitted via evdev if the
DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by
clamping the num_touch_reports value provided by the device to the
maximum size of the touch_reports array.
Fixes: 7520382488 ("HID: playstation: add DualShock4 touchpad support.")
Cc: stable@vger.kernel.org
Reported-by: Xingyu Jin <xingyuj@google.com>
Signed-off-by: T.J. Mercier <tjmercier@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
The DualShock 4 HID driver fails to validate the num_touch_reports field
received from the device in both USB and Bluetooth input reports.
A malicious device could set this field to a value larger than the
allocated size of the touch_reports array (3 for USB, 4 for Bluetooth),
leading to an out-of-bounds read in dualshock4_parse_report().
This can result in kernel memory disclosure when processing malicious
HID reports.
Validate num_touch_reports against the array size for the respective
connection types before processing the touch data.
Signed-off-by: Benoît Sevens <bsevens@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
This was done entirely with mindless brute force, using
git grep -l '\<k[vmz]*alloc_objs*(.*, GFP_KERNEL)' |
xargs sed -i 's/\(alloc_objs*(.*\), GFP_KERNEL)/\1)/'
to convert the new alloc_obj() users that had a simple GFP_KERNEL
argument to just drop that argument.
Note that due to the extreme simplicity of the scripting, any slightly
more complex cases spread over multiple lines would not be triggered:
they definitely exist, but this covers the vast bulk of the cases, and
the resulting diff is also then easier to check automatically.
For the same reason the 'flex' versions will be done as a separate
conversion.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This is the result of running the Coccinelle script from
scripts/coccinelle/api/kmalloc_objs.cocci. The script is designed to
avoid scalar types (which need careful case-by-case checking), and
instead replace kmalloc-family calls that allocate struct or union
object instances:
Single allocations: kmalloc(sizeof(TYPE), ...)
are replaced with: kmalloc_obj(TYPE, ...)
Array allocations: kmalloc_array(COUNT, sizeof(TYPE), ...)
are replaced with: kmalloc_objs(TYPE, COUNT, ...)
Flex array allocations: kmalloc(struct_size(PTR, FAM, COUNT), ...)
are replaced with: kmalloc_flex(*PTR, FAM, COUNT, ...)
(where TYPE may also be *VAR)
The resulting allocations no longer return "void *", instead returning
"TYPE *".
Signed-off-by: Kees Cook <kees@kernel.org>
The ps_gamepad_create() function calls input_ff_create_memless()
without verifying its return value, which can lead to incorrect
behavior or potential crashes when FF effects are triggered.
Add a check for the return value of input_ff_create_memless().
Fixes: 51151098d7 ("HID: playstation: add DualSense classic rumble support.")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
When a new PlayStation gamepad (DualShock 4 or DualSense) is initialized,
the input subsystem sets the default value for its absolute axes (e.g.,
ABS_X, ABS_Y) to 0.
However, the hardware's actual neutral/resting state for these joysticks
is 128 (0x80). This creates a mismatch.
When the first HID report arrives from the device, the driver sees the
resting value of 128. The kernel compares this to its initial state of 0
and incorrectly interprets this as a delta (0 -> 128). Consequently, it
generates EV_ABS events for this initial, non-existent movement.
This behavior can fail userspace 'sanity check' tests (e.g., in
Android CTS) that correctly assert no motion events should be generated
from a device that is already at rest.
This patch fixes the issue by explicitly setting the initial value of the
main joystick axes (e.g., ABS_X, ABS_Y, ABS_RX, ABS_RY) to 128 (0x80)
in the common ps_gamepad_create() function.
This aligns the kernel's initial state with the hardware's expected
neutral state, ensuring that the first report (at 128) produces no
delta and thus, no spurious event.
Signed-off-by: Siarhei Vishniakou <svv@google.com>
Reviewed-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
The memory allocated for buf is not freed in the error paths when
ps_get_report() fails. Free buf before jumping to transfer_failed label
Fixes: 947992c7fa ("HID: playstation: DS4: Fix calibration workaround for clone devices")
Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
Reviewed-by: Silvan Jegen <s.jegen@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Those functions were initially excepted from using the scoped_guard()
infrastructure as they contain too many long statements, while adding
yet another level of indentation seemed to lower readability without
bringing an immediate benefit.
However, consistency should be more important, hence do the switch and
get rid of the remaining explicit acquires & releases of the spinlocks.
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
It seems sparse has some difficulties with guard() handling or when
mixing it with scoped_guard(), as it shows a bunch lock related
warnings:
hid-playstation.c:1230:32: warning: context imbalance in 'dualsense_player_led_set_brightness' - wrong count at exit
hid-playstation.c:1414:12: warning: context imbalance in 'dualsense_parse_report' - wrong count at exit
hid-playstation.c:1615:12: warning: context imbalance in 'dualsense_play_effect' - different lock contexts for basic block
hid-playstation.c:1668:13: warning: context imbalance in 'dualsense_set_lightbar' - wrong count at exit
hid-playstation.c:1680:13: warning: context imbalance in 'dualsense_set_player_leds' - wrong count at exit
hid-playstation.c:2185:33: warning: context imbalance in 'dualshock4_led_set_blink' - wrong count at exit
hid-playstation.c:2226:33: warning: context imbalance in 'dualshock4_led_set_brightness' - wrong count at exit
hid-playstation.c:2596:12: warning: context imbalance in 'dualshock4_play_effect' - different lock contexts for basic block
hid-playstation.c:2634:13: warning: context imbalance in 'dualshock4_set_bt_poll_interval' - wrong count at exit
hid-playstation.c:2642:13: warning: context imbalance in 'dualshock4_set_default_lightbar_colors' - wrong count at exit
Silent them by switching from guard() to scoped_guard() in
{dualsense|dualshock4}_schedule_work().
Reported-by: Benjamin Tissoires <bentiss@kernel.org>
Suggested-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
The DualSense controller complies with v1.0 of the USB Audio Class spec
(UAC1), hence it cannot advertise any jack detection capability.
However, this feature can be implemented in the generic USB audio driver
via quirks, i.e. by configuring an input handler to receive hotplug
events from the HID driver.
When operating in USB mode, register a dedicated input device for the
audio jack and use it to report all headphone and headset mic insert
events.
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Tested-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
The default audio output path on DualSense controller hardware is set to
headphones, regardless of whether they are actually inserted or not.
Detect when the plugged state of the 3.5mm audio jack changes and toggle
audio output between headphones and internal speaker, as required. The
latter is achieved by essentially routing the right channel of the audio
source to the mono speaker.
Additionally, adjust the speaker volume since its default level is too
low and, therefore, cannot generate any audible sound.
It's worth noting the audio functionality is currently not supported for
Bluetooth, hence it's limited to USB connectivity.
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Tested-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
The 'status' member of struct dualsense_input_report is currently used
to store just the battery data, despite the fact that hardware is
capable to report two extra bytes of status information.
In preparation to make use of some of the additional data, redefine the
field type as a 3-byte array.
Moreover, to preserve consistency with the related DS_STATUS[0..2]_*
registers in datasheet, rename DS_STATUS_* bitfield macros accordingly.
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Reviewed-by: Benjamin Tissoires <bentiss@kernel.org>
Tested-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Use the shorter variant as suggested by checkpatch.pl:
CHECK: Prefer kzalloc(sizeof(*buf)...) over kzalloc(sizeof(struct dualsense_output_report_bt)...)
This also improves further maintainability.
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Reviewed-by: Benjamin Tissoires <bentiss@kernel.org>
Tested-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Document the usage of 'lock' member in struct ps_device and silent
checkpatch.pl complaint:
CHECK: spinlock_t definition without comment
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Reviewed-by: Benjamin Tissoires <bentiss@kernel.org>
Tested-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Format code to address the following checkpatch.pl reports:
CHECK: Alignment should match open parenthesis
CHECK: line length of <N> exceeds 100 columns
CHECK: Please don't use multiple blank lines
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Reviewed-by: Benjamin Tissoires <bentiss@kernel.org>
Tested-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Handle a couple of spelling complaints from checkpatch.pl:
CHECK: 'connectd' may be misspelled - perhaps 'connected'?
CHECK: 'Comptabile' may be misspelled - perhaps 'Compatible'?
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Reviewed-by: Benjamin Tissoires <bentiss@kernel.org>
Tested-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
And get rid of the following checkpatch.pl complaints:
CHECK: Prefer kernel type 'u32' over 'uint32_t'
CHECK: Prefer kernel type 'u16' over 'uint16_t'
CHECK: Prefer kernel type 'u8' over 'uint8_t'
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Reviewed-by: Benjamin Tissoires <bentiss@kernel.org>
Tested-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Use guard() and scoped_guard() infrastructure instead of explicitly
acquiring and releasing spinlocks and mutexes to simplify the code and
ensure that all locks are released properly.
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Reviewed-by: Benjamin Tissoires <bentiss@kernel.org>
Tested-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Get rid of several checkpatch.pl complaints:
CHECK: spaces preferred around that '*' (ctx:VxV)
CHECK: spaces preferred around that '/' (ctx:VxV)
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Reviewed-by: Benjamin Tissoires <bentiss@kernel.org>
Tested-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Improve code readability and make it more robust by replacing open coded
bit operations with the equivalent bitfield macros.
While at it, also fix the vertical alignment for some of the bitfield
constants.
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Reviewed-by: Benjamin Tissoires <bentiss@kernel.org>
Tested-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
asm/unaligned.h is always an include of asm-generic/unaligned.h;
might as well move that thing to linux/unaligned.h and include
that - there's nothing arch-specific in that header.
auto-generated by the following:
for i in `git grep -l -w asm/unaligned.h`; do
sed -i -e "s/asm\/unaligned.h/linux\/unaligned.h/" $i
done
for i in `git grep -l -w asm-generic/unaligned.h`; do
sed -i -e "s/asm-generic\/unaligned.h/linux\/unaligned.h/" $i
done
git mv include/asm-generic/unaligned.h include/linux/unaligned.h
git mv tools/include/asm-generic/unaligned.h tools/include/linux/unaligned.h
sed -i -e "/unaligned.h/d" include/asm-generic/Kbuild
sed -i -e "s/__ASM_GENERIC/__LINUX/" include/linux/unaligned.h tools/include/linux/unaligned.h
Some 3rd party gamepads expect updates to rumble and lightbar together,
and setting one may cancel the other.
Let's maximise compatibility by always sending rumble and lightbar
updates together, even when only one has been scheduled.
Further background reading:
- Apparently the PS4 always sends rumble and lightbar updates together:
https://eleccelerator.com/wiki/index.php?title=DualShock_4#0x11_2
- 3rd party gamepads may not implement lightbar_blink, and may simply
ignore updates with 0x07 set, according to:
https://github.com/Ryochan7/DS4Windows/pull/1839
[jkosina@suse.com: fix shortlog]
Acked-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
Signed-off-by: Max Staudt <max@enpas.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
The logic in dualshock4_get_calibration_data() used uninitialised data
in case of a failed kzalloc() for the transfer buffer.
The solution is to group all business logic and all sanity checks
together, and jump only to the latter in case of an error.
While we're at it, factor out the axes' labelling, since it must happen
either way for input_report_abs() to succeed later on.
Thanks to Dan Carpenter for the Smatch static checker warning.
Fixes: a48a7cd85f ("HID: playstation: DS4: Don't fail on calibration data request")
Signed-off-by: Max Staudt <max@enpas.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Distinguish PS4/PS5 type controllers using .driver_data in
MODULE_DEVICE_TABLE rather than by VID/PID.
This allows adding compatible controllers with different VID/PID.
Signed-off-by: Max Staudt <max@enpas.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Some third-party controllers never switch to the full 0x11 report.
They keep sending the short 0x01 report, so let's parse that instead.
Signed-off-by: Max Staudt <max@enpas.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Some third-party controllers can't report calibration data for the
gyro/accelerometer.
We can still use the gamepad as-is, so let's do that.
Signed-off-by: Max Staudt <max@enpas.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Some third-party controllers can't report firmware/hardware version.
Unlike for the DualSense, the driver does not use these values for
anything in the DualShock 4 case, but merely exposes them via sysfs.
They will simply be 0x0.
Signed-off-by: Max Staudt <max@enpas.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
There was no way to disable blinking once enabled.
Disable it on brightness = 0, as per the Linux LED spec.
The driver reports back the values it sends to the controller, but they
need to be scaled back to milliseconds. Setting the LED blinking via
sysfs works as expected now.
Signed-off-by: Max Staudt <max@enpas.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
The bias for the gyroscope is not used correctly. The sensor bias
needs to be used in calculation of the 'sensivity' instead of being
an offset.
In practice this has little input on the values as the bias values
tends to be small (+/- 20).
Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
The bias for the gyroscope is not used correctly. The sensor bias
needs to be used in calculation of the 'sensivity' instead of being
an offset.
In practice this has little input on the values as the bias values
tends to be small (+/- 20).
Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Make sure calibration values are defined to prevent potential kernel
crashes. This fixes a hypothetical issue for virtual or clone devices
inspired by a similar fix for DS4.
Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Some DualShock4 devices report invalid calibration data resulting
in kernel oopses due to division by zero during report handling.
The devices affected generally appear to be clone devices, which don't
implement all reports properly and don't populate proper calibration
data. The issue may have been seen on an official device with erased
calibration reports.
This patch prevents the crashes by essentially disabling calibration
when invalid values are detected.
Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
Tested-by: Alain Carlucci <alain.carlucci@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
The 'buf' variable is only used in the USB (if-path) and not in the Bluetooth
else-path. Since it is not set to NULL. this results in freeing an uninitialized
pointer. Since the else code-path doesn't need buf, just return 0.
Fixes: 2d77474a23 ("HID: playstation: add DualShock4 bluetooth support.")
Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Link: https://lore.kernel.org/r/20221213044935.1775499-2-roderick.colenbrander@sony.com
The driver was by accident reading the CRC directly from a hardware
structure instead of using get_unaligned_le32.
Fixes: 2d77474a23 ("HID: playstation: add DualShock4 bluetooth support.")
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
The size of the output buffer used for output reports was not updated
to the larger size needed for Bluetooth. This ultimately resulted
in memory corruption of surrounding structures e.g. due to memsets.
Fixes: 2d77474a23 ("HID: playstation: add DualShock4 bluetooth support.")
Reported-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
This patch adds support for the DualShock4 dongle in a very similar
way we contributed to hid-sony before.
The dongle is a USB to Bluetooth bridge and uses the same HID reports
as a USB device. It reports data through the DS4's main USB input
report independent on whether a Bluetooth controller is connected.
For this reason there is custom dongle report parsing code to
detect controller hotplug and kick of calibration work until we
are ready to process actual input reports.
The logic also incorporates a workaround needed for Steam in which
hid-playstation and Steam using hidraw can fight.
Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
The poll interval for DualShock4 in Bluetooth mode is adjustable
through the main output report. Configure it to 4ms, which is
similar to USB.
Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Add support for DualShock4 in Bluetooth mode. In Bluetooth, the device
is a bit strange in that after 'calibration' it switches sending all its
input data from a basic report (only containing buttons/sticks) to an
extended report, which also contains touchpad, motion sensors and other
data. The overall design of this code is similar to the DualSense code.
Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
This patch adds a parameter to ps_get_report to ignore CRC checks.
This prepares for DualShock4, which has some HID reports, which lack CRC.
Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Expose the lightbar LEDs in the same manner as hid-sony through
individual LEDs for backwards compatibility reasons. There is a
slight change in LED naming to use the input device name as opposed
to the MAC address like hid-sony did. This is expected to not
cause any issues and should make the naming more compliant.
In addition set a default lightbar color based on player ID.
Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Make the max_brightness adjustable through ps_led_info struct. This
paves the way for a next DualShock4 patch to allow larger brightness
values.
Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
This patch implements DualShock4 rumble support in a similar manner
as the DualSense implementation. It adds an output worker with
granular control of different features of the main DualShock4 output
report.
Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Support accelerometer and gyroscope as separate input devices similar
how DualSense and hid-sony do it.
Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Support the DualShock4 touchpad as a separate input device. The code
describes the touchpad input reports through structures similar a bit
to the DualSense code.
Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Provide DualShock4 battery support through powersupply framework.
Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
T.J. Mercier