Linux Input/HID development
* [PATCH v3] iio: magnetometer: hid-sensor-magn-3d: prefer 'u32' type
From: Joshua Crofts @ 2026-04-21  6:58 UTC (permalink / raw)
  To: jikos, jic23, srinivas.pandruvada
  Cc: dlechner, nuno.sa, andy, linux-input, linux-iio, linux-kernel,
	Joshua Crofts, Andy Shevchenko

Use 'u32' instead of bare 'unsigned' to resolve checkpatch.pl warnings
and correct type use as defined in the struct hid_sensor_hub_callbacks.

No functional change.

Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Joshua Crofts <joshua.crofts1@gmail.com>
---
v2:
 - changed 'unsigned int' to 'u32' per struct definition
v3:
 - commit message edits

 drivers/iio/magnetometer/hid-sensor-magn-3d.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/iio/magnetometer/hid-sensor-magn-3d.c b/drivers/iio/magnetometer/hid-sensor-magn-3d.c
index c673f9323e4..b01dd53eb10 100644
--- a/drivers/iio/magnetometer/hid-sensor-magn-3d.c
+++ b/drivers/iio/magnetometer/hid-sensor-magn-3d.c
@@ -280,7 +280,7 @@ static const struct iio_info magn_3d_info = {
 
 /* Callback handler to send event after all samples are received and captured */
 static int magn_3d_proc_event(struct hid_sensor_hub_device *hsdev,
-				unsigned usage_id,
+				u32 usage_id,
 				void *priv)
 {
 	struct iio_dev *indio_dev = platform_get_drvdata(priv);
@@ -302,7 +302,7 @@ static int magn_3d_proc_event(struct hid_sensor_hub_device *hsdev,
 
 /* Capture samples in local storage */
 static int magn_3d_capture_sample(struct hid_sensor_hub_device *hsdev,
-				unsigned usage_id,
+				u32 usage_id,
 				size_t raw_len, char *raw_data,
 				void *priv)
 {
@@ -350,7 +350,7 @@ static int magn_3d_parse_report(struct platform_device *pdev,
 				struct hid_sensor_hub_device *hsdev,
 				struct iio_chan_spec **channels,
 				int *chan_count,
-				unsigned usage_id,
+				u32 usage_id,
 				struct magn_3d_state *st)
 {
 	int i;
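Review bot: magn_3d_parse_report() in this hunk takes pdev, channels, chan_count and st, so it does not have the shape of the two handlers changed in the hunks above, and the commit message's reference to struct hid_sensor_hub_callbacks does not explain why its usage_id changes too. State in the commit message that this third parameter is converted for consistency with the callbacks (or to match the type its caller passes), so "No functional change" is verifiable for all three sites.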
-- 
2.47.3


^ permalink raw reply related

* [PATCH] Input: elan_i2c - Add ic type 0x19
From: Jingle Wu 吳金國 @ 2026-04-21  7:00 UTC (permalink / raw)
  To: Linux-kernel@vger.kernel.org, Linux-input@vger.kernel.org,
	Dmitry.torokhov@gmail.com

The 0x19 is valid 3000 serial ic type too.

Signed-off-by: Jingle Wu <jingle.wu@emc.com.tw>
---
 drivers/input/mouse/elan_i2c_core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c
index fee1796da3d0..7475803c6ce4 100644
--- a/drivers/input/mouse/elan_i2c_core.c
+++ b/drivers/input/mouse/elan_i2c_core.c
@@ -162,6 +162,9 @@ static int elan_get_fwinfo(u16 ic_type, u8 iap_version, u16 *validpage_count,
 	case 0x15:
 		*validpage_count = 1024;
 		break;
+	case 0x19:
+		*validpage_count = 2032;
+		break;
 	default:
 		/* unknown ic type clear value */
 		*validpage_count = 0;
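Review bot: the page count 2032 in the new case 0x19 has no stated source, and unlike the 1024 in the case above it is not a power of two, so a reader cannot tell a deliberate value from a typo. Say in the commit message where the value comes from (datasheet or vendor firmware layout), and confirm there that the other outputs elan_get_fwinfo() fills in need no 0x19-specific handling, since *validpage_count is used to validate firmware images before they are flashed.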
-- 
2.34.1

^ permalink raw reply related

* [PATCH] Input: elan_i2c - increase device reset wait timeout after update FW
From: Jingle Wu 吳金國 @ 2026-04-21  7:02 UTC (permalink / raw)
  To: Linux-kernel@vger.kernel.org, Linux-input@vger.kernel.org,
	Dmitry.torokhov@gmail.com
In-Reply-To: <KL1PR01MB511699853D1B66D137C06806DC2C2@KL1PR01MB5116.apcprd01.prod.exchangelabs.com>

Extend wait_for_completion_timeout from 300ms to 700ms to ensure
sufficient time for device reset after firmware update. 

Signed-off-by: Jingle Wu <jingle.wu@emc.com.tw>
---
 drivers/input/mouse/elan_i2c_i2c.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/input/mouse/elan_i2c_i2c.c b/drivers/input/mouse/elan_i2c_i2c.c
index a9057d124a88..88d4070d4b44 100644
--- a/drivers/input/mouse/elan_i2c_i2c.c
+++ b/drivers/input/mouse/elan_i2c_i2c.c
@@ -690,7 +690,7 @@ static int elan_i2c_finish_fw_update(struct i2c_client *client,
 	if (error) {
 		dev_err(dev, "device reset failed: %d\n", error);
 	} else if (!wait_for_completion_timeout(completion,
-						msecs_to_jiffies(300))) {
+						msecs_to_jiffies(700))) {
 		dev_err(dev, "timeout waiting for device reset\n");
 		error = -ETIMEDOUT;
 	}
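Review bot: the new msecs_to_jiffies(700) is a bare number with no recorded basis; the commit message says 300ms was insufficient but not on which IC type or by what margin. Put the value behind a named constant with a short comment giving the device's documented or measured reset time, and state in the commit message which hardware hit the "timeout waiting for device reset" path, so the next adjustment is not another guess.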
-- 
2.34.1

^ permalink raw reply related

* Re: [PATCH v5 1/9] dt-bindings: mfd: mt6397: Add MT6392 PMIC
From: Krzysztof Kozlowski @ 2026-04-21  7:13 UTC (permalink / raw)
  To: Luca Leonardo Scorcia
  Cc: linux-mediatek, Fabien Parent, Val Packett, Dmitry Torokhov,
	Rob Herring, Krzysztof Kozlowski, Conor Dooley, Sen Chu,
	Sean Wang, Macpaul Lin, Lee Jones, Matthias Brugger,
	AngeloGioacchino Del Regno, Linus Walleij, Liam Girdwood,
	Mark Brown, Gary Bisson, Julien Massot, Louis-Alexis Eyraud,
	Akari Tsuyukusa, Chen Zhong, linux-input, devicetree,
	linux-kernel, linux-pm, linux-arm-kernel, linux-gpio
In-Reply-To: <20260420213529.1645560-2-l.scorcia@gmail.com>

On Mon, Apr 20, 2026 at 10:30:00PM +0100, Luca Leonardo Scorcia wrote:
> From: Fabien Parent <parent.f@gmail.com>
> 
> Add the currently supported bindings for the MT6392 PMIC. Its MFD driver
> does not use the compatible property to bind the regulator driver, so
> don't mark it as required.
> 
> Signed-off-by: Fabien Parent <parent.f@gmail.com>
> Signed-off-by: Val Packett <val@packett.cool>
> Signed-off-by: Luca Leonardo Scorcia <l.scorcia@gmail.com>
> ---
>  .../bindings/mfd/mediatek,mt6397.yaml         | 27 ++++++++++++++++---
>  1 file changed, 24 insertions(+), 3 deletions(-)
> 
> diff --git a/Documentation/devicetree/bindings/mfd/mediatek,mt6397.yaml b/Documentation/devicetree/bindings/mfd/mediatek,mt6397.yaml
> index 05c121b0cb3d..2866e95e338b 100644
> --- a/Documentation/devicetree/bindings/mfd/mediatek,mt6397.yaml
> +++ b/Documentation/devicetree/bindings/mfd/mediatek,mt6397.yaml
> @@ -40,6 +40,10 @@ properties:
>            - mediatek,mt6358
>            - mediatek,mt6359
>            - mediatek,mt6397
> +      - items:
> +          - enum:
> +              - mediatek,mt6392
> +          - const: mediatek,mt6323
>        - items:
>            - enum:
>                - mediatek,mt6366
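Review bot: the new items entry makes mediatek,mt6323 the fallback compatible for mediatek,mt6392, but the commit message does not say that the MT6392 is programming-model compatible with the MT6323. Add one sentence stating that, because the fallback lets a kernel that only knows mediatek,mt6323 bind to this device.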
> @@ -68,6 +72,10 @@ properties:
>                - mediatek,mt6331-rtc
>                - mediatek,mt6358-rtc
>                - mediatek,mt6397-rtc
> +          - items:
> +              - enum:
> +                  - mediatek,mt6392-rtc
> +              - const: mediatek,mt6323-rtc
>            - items:
>                - enum:
>                    - mediatek,mt6366-rtc
> @@ -99,9 +107,6 @@ properties:
>                    - mediatek,mt6366-regulator
>                - const: mediatek,mt6358-regulator
>  
> -    required:
> -      - compatible

Please create a new binding file for your device. Having two ways to
define child is not making this binding easier to follow.

The style of defining children with compatibles should be followed by
"required: compatible". I am rather against exceptions, unless needed
and this is not such case where you need one.

Best regards,
Krzysztof


^ permalink raw reply

* Re: [PATCH v5 3/9] regulator: dt-bindings: Add MediaTek MT6392 PMIC
From: Krzysztof Kozlowski @ 2026-04-21  7:14 UTC (permalink / raw)
  To: Luca Leonardo Scorcia
  Cc: linux-mediatek, Dmitry Torokhov, Rob Herring, Krzysztof Kozlowski,
	Conor Dooley, Sen Chu, Sean Wang, Macpaul Lin, Lee Jones,
	Matthias Brugger, AngeloGioacchino Del Regno, Linus Walleij,
	Liam Girdwood, Mark Brown, Louis-Alexis Eyraud, Val Packett,
	Julien Massot, Gary Bisson, Fabien Parent, Akari Tsuyukusa,
	Chen Zhong, linux-input, devicetree, linux-kernel, linux-pm,
	linux-arm-kernel, linux-gpio
In-Reply-To: <20260420213529.1645560-4-l.scorcia@gmail.com>

On Mon, Apr 20, 2026 at 10:30:02PM +0100, Luca Leonardo Scorcia wrote:
> Add bindings for the regulators found in the MediaTek MT6392 PMIC,
> usually found in board designs using the MediaTek MT8516/MT8167 SoCs.
> 
> Signed-off-by: Luca Leonardo Scorcia <l.scorcia@gmail.com>
> ---
>  .../regulator/mediatek,mt6392-regulator.yaml  | 76 +++++++++++++++++++
>  .../regulator/mediatek,mt6392-regulator.h     | 24 ++++++
>  2 files changed, 100 insertions(+)
>  create mode 100644 Documentation/devicetree/bindings/regulator/mediatek,mt6392-regulator.yaml
>  create mode 100644 include/dt-bindings/regulator/mediatek,mt6392-regulator.h
> 

Your patchset is obviously non-bisectable. This must be squashed.
Test/check individual patches please.

Best regards,
Krzysztof


^ permalink raw reply

* Re: [PATCH v4 1/2] dt-bindings: input: Add PixArt PAJ7620 gesture sensor
From: Krzysztof Kozlowski @ 2026-04-21  7:20 UTC (permalink / raw)
  To: Harpreet Saini
  Cc: dmitry.torokhov, robh, krzysztof.kozlowski, Krzysztof Kozlowski,
	Conor Dooley, Neil Armstrong, Bjorn Andersson, Marek Vasut,
	Lad Prabhakar, Kael D'Alcamo, linux-input, devicetree,
	linux-kernel
In-Reply-To: <20260421041505.4548-2-sainiharpreet29@yahoo.com>

On Tue, Apr 21, 2026 at 12:12:39AM -0400, Harpreet Saini wrote:
> Add Device Tree bindings for Pixart PAJ7620 gesture sensor.
> The sensor supports 9 hand gestures via I2C interface.
> 
> The GPIO controller properties are included to describe the
> hardware's ability to repurpose SPI pins as GPIOs when the
> sensor is used in I2C mode.
> 
> Signed-off-by: Harpreet Saini <sainiharpreet29@yahoo.com>
> ---

Heh? No changelog, no improvements? No cover letter?

Please start using b4.  You would solve yourself trouble and reduce our
review cycles.

Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>

<form letter>
This is an automated instruction, just in case, because many review
tags are being ignored. If you know the process, just skip it entirely
(please do not feel offended by me posting it here - no bad intentions
intended, no patronizing, I just want to avoid wasted efforts). If you
do not know the process, here is a short explanation:

Please add Acked-by/Reviewed-by/Tested-by tags when posting new
versions of patchset, under or above your Signed-off-by tag, unless
patch changed significantly (e.g. new properties added to the DT
bindings). Tag is "received", when provided in a message replied to you
on the mailing list. Tools like b4 can help here ('b4 trailers -u ...').
However, there's no need to repost patches *only* to add the tags. The
upstream maintainer will do that for tags received on the version they
apply.

https://elixir.bootlin.com/linux/v6.15/source/Documentation/process/submitting-patches.rst#L591
</form letter>

Best regards,
Krzysztof


^ permalink raw reply

* Re: [PATCH v3] iio: magnetometer: hid-sensor-magn-3d: prefer 'u32' type
From: Jonathan Cameron @ 2026-04-21  9:41 UTC (permalink / raw)
  To: Joshua Crofts
  Cc: jikos, srinivas.pandruvada, dlechner, nuno.sa, andy, linux-input,
	linux-iio, linux-kernel, Andy Shevchenko
In-Reply-To: <20260421065837.1290-1-joshua.crofts1@gmail.com>

On Tue, 21 Apr 2026 06:58:37 +0000
Joshua Crofts <joshua.crofts1@gmail.com> wrote:

> Use 'u32' instead of bare 'unsigned' to resolve checkpatch.pl warnings
> and correct type use as defined in the struct hid_sensor_hub_callbacks.
> 
> No functional change.
> 
> Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
> Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
> Signed-off-by: Joshua Crofts <joshua.crofts1@gmail.com>
Applied.

Thanks,

J

^ permalink raw reply

* [PATCH] HID: u2fzero: fix general protection fault in u2fzero_recv
From: l1za0.sec @ 2026-04-21 13:48 UTC (permalink / raw)
  To: jikos, benjamin.tissoires; +Cc: linux-input, linux-kernel

From: Haocheng Yu <l1za0.sec@gmail.com>

A general protection fault in u2fzero_recv is reported by a
modified Syzkaller-based kernel fuzzing tool we developed.

The cause is that u2fzero_probe() calls the u2fzero_fill_in_urb()
function but ignores its return value. When the urb setting fails,
dev->urb remains NULL, but u2fzero_probe() continues to run. When
`dev->urb->context = &ctx;` in u2fzero_recv() is executed, the
KASAN null pointer dereference crash will occur.

To fix this vulnerability, I added a check for the return value of
u2fzero_fill_in_urb() and aborted u2fzero_probe() on error. And I
added a NULL value check for dev->urb in u2fzero_recv() to further
ensure its integrity.

Signed-off-by: Haocheng Yu <l1za0.sec@gmail.com>
---
 drivers/hid/hid-u2fzero.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c
index 744a91e6e78c..c51f6dd80635 100644
--- a/drivers/hid/hid-u2fzero.c
+++ b/drivers/hid/hid-u2fzero.c
@@ -134,6 +134,12 @@ static int u2fzero_recv(struct u2fzero_device *dev,
 
 	memcpy(dev->buf_out, req, sizeof(struct u2f_hid_report));
 
+	if (!dev->urb) {
+		hid_err(hdev, "recv called without initialized URB");
+		ret = -ENODEV;
+		goto err;
+	}
+
 	dev->urb->context = &ctx;
 	init_completion(&ctx.done);
 
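Review bot: the new !dev->urb check in u2fzero_recv() becomes unreachable once u2fzero_probe() aborts on a failed u2fzero_fill_in_urb(), as the second hunk of this patch does, so it adds a runtime branch to every transfer for a state that can no longer exist. Drop it and keep the probe fix as the single point of enforcement; if it is kept as hardening, move it above the memcpy() into dev->buf_out and terminate the hid_err() string with "\n".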
@@ -341,7 +347,11 @@ static int u2fzero_probe(struct hid_device *hdev,
 	if (ret)
 		return ret;
 
-	u2fzero_fill_in_urb(dev);
+	ret = u2fzero_fill_in_urb(dev);
+	if (ret) {
+		hid_hw_stop(hdev);
+		return ret;
+	}
 
 	dev->present = true;
 
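Review bot: the new error path after u2fzero_fill_in_urb() returns without logging, so a failed probe leaves nothing in the kernel log to explain why the device did not bind. Add a hid_err() with the return code before hid_hw_stop(hdev), and add a Fixes: tag to the commit message naming the commit that introduced the unchecked call so the fix can be backported.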

base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa
-- 
2.51.0


^ permalink raw reply related

* Re: [PATCH] dt-bindings: Remove the redundant 'type: boolean'
From: Rob Herring (Arm) @ 2026-04-21 18:41 UTC (permalink / raw)
  To: phucduc.bui
  Cc: linusw, zyw, zhangqing, devicetree, alexandre.belloni, heiko,
	gene_chen, linux-input, nick, dmitry.torokhov, gregkh,
	claudiu.beznea, linux-arm-kernel, linux-usb, nicolas.ferre,
	conor+dt, krzk+dt, lee
In-Reply-To: <20260417021858.6582-1-phucduc.bui@gmail.com>


On Fri, 17 Apr 2026 09:18:58 +0700, phucduc.bui@gmail.com wrote:
> From: bui duc phuc <phucduc.bui@gmail.com>
> 
> The 'wakeup-source' property already has its type defined in the core
> schema. Remove the redundant 'type: boolean' from the binding file to
> clean up the binding files.
> 
> Signed-off-by: bui duc phuc <phucduc.bui@gmail.com>
> ---
>  Documentation/devicetree/bindings/input/atmel,maxtouch.yaml | 3 +--
>  Documentation/devicetree/bindings/mfd/rockchip,rk816.yaml   | 3 +--
>  Documentation/devicetree/bindings/usb/richtek,rt1711h.yaml  | 3 +--
>  3 files changed, 3 insertions(+), 6 deletions(-)
> 

Applied, thanks!


^ permalink raw reply

* [PATCH] HID: pidff: Fix integer overflow in pidff_rescale
From: Tomasz Pakuła @ 2026-04-21 19:49 UTC (permalink / raw)
  To: jikos, bentiss; +Cc: oleg, linux-input, linux-kernel, tomasz.pakula.oficjalny

Rescaling values close to the max (U16_MAX) temporarily creates values
that exceed the s32 range. This caused value overflow in case when, for
example, a periodic effect phase was higher than 180 degrees. In turn,
rescale function could return values outside of the logical range of the
HID field (negative when logical minimum is 0).

Fix by using 64 bit signed integer to store the value during calculation
but still return only 32 bit integer.

Closes: https://github.com/JacKeTUs/universal-pidff/issues/116
Cc: <stable@vger.kernel.org>
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
---
For inclusion in the 7.1-RC period

 drivers/hid/usbhid/hid-pidff.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index aee8a4443305..fb9b4f292732 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -326,8 +326,9 @@ static s32 pidff_clamp(s32 i, struct hid_field *field)
  */
 static int pidff_rescale(int i, int max, struct hid_field *field)
 {
-	return i * (field->logical_maximum - field->logical_minimum) / max +
-	       field->logical_minimum;
+	/* 64 bits needed for big values during rescale */
+	return (s64)i * (field->logical_maximum - field->logical_minimum) /
+		max + field->logical_minimum;
 }
 
 /*
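Review bot: the cast makes the divide in the new return statement a 64-bit division written with the plain / operator, which 32-bit kernel builds cannot link because the compiler's 64-bit division helper is not provided there. Use div_s64() from <linux/math64.h> for the quotient, e.g. div_s64((s64)i * (field->logical_maximum - field->logical_minimum), max) + field->logical_minimum. The subtraction itself is still done in 32 bits, so casting one operand of it as well covers fields with a very wide logical range.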
-- 
2.53.0


^ permalink raw reply related

* [PATCH v2 0/7] Add helper method hid_sensor_adjust_channel_bit_mask()
From: Natália Salvino André @ 2026-04-21 22:20 UTC (permalink / raw)
  To: andy, bentiss, dlechner, jic23, jikos, nuno.sa,
	srinivas.pandruvada
  Cc: Natália Salvino André, linux-iio, linux-input

This patch series introduces a generic helper function to handle channel bit mask adjustments
for HID sensors. Currently, multiple drivers implement identical logic for this task.

Natália Salvino André (7):
  iio: HID: Add helper method hid_sensor_adjust_channel_bit_mask()
  iio: accel: HID: Replace method accel_3d_adjust_channel_bit_mask()
  iio: gyro: HID: Replace method gyro_3d_adjust_channel_bit_mask()
  iio: light: HID: Replace method als_adjust_channel_bit_mask()
  iio: light: HID: Replace method prox_adjust_channel_bit_mask()
  iio: magnetometer: HID: Replace method
    magn_3d_adjust_channel_bit_mask()
  iio: pressure: HID: Replace method press_adjust_channel_bit_mask()

 drivers/iio/accel/hid-sensor-accel-3d.c         | 17 +++--------------
 .../common/hid-sensors/hid-sensor-attributes.c  | 12 ++++++++++++
 drivers/iio/gyro/hid-sensor-gyro-3d.c           | 17 +++--------------
 drivers/iio/light/hid-sensor-als.c              | 13 +------------
 drivers/iio/light/hid-sensor-prox.c             | 15 ++-------------
 drivers/iio/magnetometer/hid-sensor-magn-3d.c   | 17 +++--------------
 drivers/iio/pressure/hid-sensor-press.c         | 15 ++-------------
 include/linux/hid-sensor-hub.h                  |  3 +++
 8 files changed, 29 insertions(+), 80 deletions(-)

-- 
2.51.0


^ permalink raw reply

* [PATCH v2 1/7] iio: HID: Add helper method hid_sensor_adjust_channel_bit_mask()
From: Natália Salvino André @ 2026-04-21 22:20 UTC (permalink / raw)
  To: andy, bentiss, dlechner, jic23, jikos, nuno.sa,
	srinivas.pandruvada
  Cc: Natália Salvino André, Pietro Di Consolo Gregorio,
	linux-iio, linux-input
In-Reply-To: <20260421222210.16016-1-natalia.andre@ime.usp.br>

Add helper method to deduplicate code in HID sensors.

Signed-off-by: Natália Salvino André <natalia.andre@ime.usp.br>
Co-developed-by: Pietro Di Consolo Gregorio <pietro.gregorio@usp.br>
Signed-off-by: Pietro Di Consolo Gregorio <pietro.gregorio@usp.br>
---
 .../iio/common/hid-sensors/hid-sensor-attributes.c   | 12 ++++++++++++
 include/linux/hid-sensor-hub.h                       |  3 +++
 2 files changed, 15 insertions(+)

diff --git a/drivers/iio/common/hid-sensors/hid-sensor-attributes.c b/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
index c115a72832b2..3ee6e83c6cac 100644
--- a/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
+++ b/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
@@ -3,6 +3,7 @@
  * HID Sensors Driver
  * Copyright (c) 2012, Intel Corporation.
  */
+#include <linux/bits.h>
 #include <linux/module.h>
 #include <linux/kernel.h>
 #include <linux/time.h>
@@ -589,6 +590,17 @@ int hid_sensor_parse_common_attributes(struct hid_sensor_hub_device *hsdev,
 }
 EXPORT_SYMBOL_NS(hid_sensor_parse_common_attributes, "IIO_HID");
 
+void hid_sensor_adjust_channel_bit_mask(struct iio_chan_spec *channels,
+					int channel, int size)
+{
+	channels[channel].scan_type.format = 's';
+	/* Real storage bits will change based on the report desc. */
+	channels[channel].scan_type.realbits = size * BITS_PER_BYTE;
+	/* Maximum size of a sample to capture is u32 */
+	channels[channel].scan_type.storagebits = sizeof(u32) * BITS_PER_BYTE;
+}
+EXPORT_SYMBOL_NS(hid_sensor_adjust_channel_bit_mask, "IIO_HID");
+
 MODULE_AUTHOR("Srinivas Pandruvada <srinivas.pandruvada@intel.com>");
 MODULE_DESCRIPTION("HID Sensor common attribute processing");
 MODULE_LICENSE("GPL");
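Review bot: the new helper assigns channels[channel].scan_type.format = 's', while every per-driver function it replaces in patches 2/7 to 7/7 assigns scan_type.sign = 's', so the series is not the pure deduplication the commit message describes. Use .sign here, or explain the switch to .format in the commit message. Since the function is exported, also give it a kernel-doc comment that states the valid range of size, because realbits is derived from it with no check against the 32-bit storagebits.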
diff --git a/include/linux/hid-sensor-hub.h b/include/linux/hid-sensor-hub.h
index e71056553108..6523d46c63e0 100644
--- a/include/linux/hid-sensor-hub.h
+++ b/include/linux/hid-sensor-hub.h
@@ -281,4 +281,7 @@ bool hid_sensor_batch_mode_supported(struct hid_sensor_common *st);
 int hid_sensor_set_report_latency(struct hid_sensor_common *st, int latency);
 int hid_sensor_get_report_latency(struct hid_sensor_common *st);
 
+void hid_sensor_adjust_channel_bit_mask(struct iio_chan_spec *channels,
+					int channel, int size);
+
 #endif
-- 
2.51.0


^ permalink raw reply related

* [PATCH v2 2/7] iio: accel: HID: Replace method accel_3d_adjust_channel_bit_mask()
From: Natália Salvino André @ 2026-04-21 22:20 UTC (permalink / raw)
  To: andy, bentiss, dlechner, jic23, jikos, nuno.sa,
	srinivas.pandruvada
  Cc: Natália Salvino André, Pietro Di Consolo Gregorio,
	linux-iio, linux-input
In-Reply-To: <20260421222210.16016-1-natalia.andre@ime.usp.br>

Replace method accel_3d_adjust_channel_bit_mask()
with helper method hid_sensor_adjust_channel_bit_mask().

Signed-off-by: Natália Salvino André <natalia.andre@ime.usp.br>
Co-developed-by: Pietro Di Consolo Gregorio <pietro.gregorio@usp.br>
Signed-off-by: Pietro Di Consolo Gregorio <pietro.gregorio@usp.br>
---
 drivers/iio/accel/hid-sensor-accel-3d.c | 17 +++--------------
 1 file changed, 3 insertions(+), 14 deletions(-)

diff --git a/drivers/iio/accel/hid-sensor-accel-3d.c b/drivers/iio/accel/hid-sensor-accel-3d.c
index 2ff591b3458f..ac4ab69f80b9 100644
--- a/drivers/iio/accel/hid-sensor-accel-3d.c
+++ b/drivers/iio/accel/hid-sensor-accel-3d.c
@@ -119,17 +119,6 @@ static const struct iio_chan_spec gravity_channels[] = {
 	IIO_CHAN_SOFT_TIMESTAMP(CHANNEL_SCAN_INDEX_TIMESTAMP),
 };
 
-/* Adjust channel real bits based on report descriptor */
-static void accel_3d_adjust_channel_bit_mask(struct iio_chan_spec *channels,
-						int channel, int size)
-{
-	channels[channel].scan_type.sign = 's';
-	/* Real storage bits will change based on the report desc. */
-	channels[channel].scan_type.realbits = size * 8;
-	/* Maximum size of a sample to capture is u32 */
-	channels[channel].scan_type.storagebits = sizeof(u32) * 8;
-}
-
 /* Channel read_raw handler */
 static int accel_3d_read_raw(struct iio_dev *indio_dev,
 			      struct iio_chan_spec const *chan,
@@ -307,9 +296,9 @@ static int accel_3d_parse_report(struct platform_device *pdev,
 				&st->accel[CHANNEL_SCAN_INDEX_X + i]);
 		if (ret < 0)
 			break;
-		accel_3d_adjust_channel_bit_mask(channels,
-				CHANNEL_SCAN_INDEX_X + i,
-				st->accel[CHANNEL_SCAN_INDEX_X + i].size);
+		hid_sensor_adjust_channel_bit_mask(channels,
+			CHANNEL_SCAN_INDEX_X + i,
+			st->accel[CHANNEL_SCAN_INDEX_X + i].size);
 	}
 	dev_dbg(&pdev->dev, "accel_3d %x:%x, %x:%x, %x:%x\n",
 			st->accel[0].index,
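Review bot: the continuation lines of the new hid_sensor_adjust_channel_bit_mask() call are indented by one extra tab rather than aligned with the opening parenthesis, which is the alignment the kernel coding style asks for and checkpatch.pl --strict reports. Align CHANNEL_SCAN_INDEX_X + i and the st->accel[...] argument under channels; the same applies to the converted call sites in the gyro, prox and magnetometer patches of this series.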
-- 
2.51.0


^ permalink raw reply related

* [PATCH v2 3/7] iio: gyro: HID: Replace method gyro_3d_adjust_channel_bit_mask()
From: Natália Salvino André @ 2026-04-21 22:20 UTC (permalink / raw)
  To: andy, bentiss, dlechner, jic23, jikos, nuno.sa,
	srinivas.pandruvada
  Cc: Natália Salvino André, Pietro Di Consolo Gregorio,
	linux-iio, linux-input
In-Reply-To: <20260421222210.16016-1-natalia.andre@ime.usp.br>

Replace method gyro_3d_adjust_channel_bit_mask()
with helper method hid_sensor_adjust_channel_bit_mask().

Signed-off-by: Natália Salvino André <natalia.andre@ime.usp.br>
Co-developed-by: Pietro Di Consolo Gregorio <pietro.gregorio@usp.br>
Signed-off-by: Pietro Di Consolo Gregorio <pietro.gregorio@usp.br>
---
 drivers/iio/gyro/hid-sensor-gyro-3d.c | 17 +++--------------
 1 file changed, 3 insertions(+), 14 deletions(-)

diff --git a/drivers/iio/gyro/hid-sensor-gyro-3d.c b/drivers/iio/gyro/hid-sensor-gyro-3d.c
index c340cc899a7c..e8d8ad884fcb 100644
--- a/drivers/iio/gyro/hid-sensor-gyro-3d.c
+++ b/drivers/iio/gyro/hid-sensor-gyro-3d.c
@@ -82,17 +82,6 @@ static const struct iio_chan_spec gyro_3d_channels[] = {
 	IIO_CHAN_SOFT_TIMESTAMP(CHANNEL_SCAN_INDEX_TIMESTAMP)
 };
 
-/* Adjust channel real bits based on report descriptor */
-static void gyro_3d_adjust_channel_bit_mask(struct iio_chan_spec *channels,
-						int channel, int size)
-{
-	channels[channel].scan_type.sign = 's';
-	/* Real storage bits will change based on the report desc. */
-	channels[channel].scan_type.realbits = size * 8;
-	/* Maximum size of a sample to capture is u32 */
-	channels[channel].scan_type.storagebits = sizeof(u32) * 8;
-}
-
 /* Channel read_raw handler */
 static int gyro_3d_read_raw(struct iio_dev *indio_dev,
 			      struct iio_chan_spec const *chan,
@@ -258,9 +247,9 @@ static int gyro_3d_parse_report(struct platform_device *pdev,
 				&st->gyro[CHANNEL_SCAN_INDEX_X + i]);
 		if (ret < 0)
 			break;
-		gyro_3d_adjust_channel_bit_mask(channels,
-				CHANNEL_SCAN_INDEX_X + i,
-				st->gyro[CHANNEL_SCAN_INDEX_X + i].size);
+		hid_sensor_adjust_channel_bit_mask(channels,
+			CHANNEL_SCAN_INDEX_X + i,
+			st->gyro[CHANNEL_SCAN_INDEX_X + i].size);
 	}
 	dev_dbg(&pdev->dev, "gyro_3d %x:%x, %x:%x, %x:%x\n",
 			st->gyro[0].index,
-- 
2.51.0


^ permalink raw reply related

* [PATCH v2 4/7] iio: light: HID: Replace method als_adjust_channel_bit_mask()
From: Natália Salvino André @ 2026-04-21 22:20 UTC (permalink / raw)
  To: andy, bentiss, dlechner, jic23, jikos, nuno.sa,
	srinivas.pandruvada
  Cc: Natália Salvino André, Pietro Di Consolo Gregorio,
	linux-iio, linux-input
In-Reply-To: <20260421222210.16016-1-natalia.andre@ime.usp.br>

Replace method als_adjust_channel_bit_mask()
with helper method hid_sensor_adjust_channel_bit_mask().

Signed-off-by: Natália Salvino André <natalia.andre@ime.usp.br>
Co-developed-by: Pietro Di Consolo Gregorio <pietro.gregorio@usp.br>
Signed-off-by: Pietro Di Consolo Gregorio <pietro.gregorio@usp.br>
---
 drivers/iio/light/hid-sensor-als.c | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)

diff --git a/drivers/iio/light/hid-sensor-als.c b/drivers/iio/light/hid-sensor-als.c
index 384572844162..16ef9a37aeae 100644
--- a/drivers/iio/light/hid-sensor-als.c
+++ b/drivers/iio/light/hid-sensor-als.c
@@ -117,17 +117,6 @@ static const struct iio_chan_spec als_channels[] = {
 	IIO_CHAN_SOFT_TIMESTAMP(CHANNEL_SCAN_INDEX_TIMESTAMP)
 };
 
-/* Adjust channel real bits based on report descriptor */
-static void als_adjust_channel_bit_mask(struct iio_chan_spec *channels,
-					int channel, int size)
-{
-	channels[channel].scan_type.sign = 's';
-	/* Real storage bits will change based on the report desc. */
-	channels[channel].scan_type.realbits = size * 8;
-	/* Maximum size of a sample to capture is u32 */
-	channels[channel].scan_type.storagebits = sizeof(u32) * 8;
-}
-
 /* Channel read_raw handler */
 static int als_read_raw(struct iio_dev *indio_dev,
 			      struct iio_chan_spec const *chan,
@@ -335,7 +324,7 @@ static int als_parse_report(struct platform_device *pdev,
 
 		channels[index] = als_channels[i];
 		st->als_scan_mask[0] |= BIT(i);
-		als_adjust_channel_bit_mask(channels, index, st->als[i].size);
+		hid_sensor_adjust_channel_bit_mask(channels, index, st->als[i].size);
 		++index;
 
 		dev_dbg(&pdev->dev, "als %x:%x\n", st->als[i].index,
-- 
2.51.0


^ permalink raw reply related

* [PATCH v2 5/7] iio: light: HID: Replace method prox_adjust_channel_bit_mask()
From: Natália Salvino André @ 2026-04-21 22:20 UTC (permalink / raw)
  To: andy, bentiss, dlechner, jic23, jikos, nuno.sa,
	srinivas.pandruvada
  Cc: Natália Salvino André, Pietro Di Consolo Gregorio,
	linux-iio, linux-input
In-Reply-To: <20260421222210.16016-1-natalia.andre@ime.usp.br>

Replace method prox_adjust_channel_bit_mask()
with helper method hid_sensor_adjust_channel_bit_mask().

Signed-off-by: Natália Salvino André <natalia.andre@ime.usp.br>
Co-developed-by: Pietro Di Consolo Gregorio <pietro.gregorio@usp.br>
Signed-off-by: Pietro Di Consolo Gregorio <pietro.gregorio@usp.br>
---
 drivers/iio/light/hid-sensor-prox.c | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)

diff --git a/drivers/iio/light/hid-sensor-prox.c b/drivers/iio/light/hid-sensor-prox.c
index efa904a70d0e..edf76af76dfd 100644
--- a/drivers/iio/light/hid-sensor-prox.c
+++ b/drivers/iio/light/hid-sensor-prox.c
@@ -67,17 +67,6 @@ static const struct iio_chan_spec prox_channels[] = {
 	PROX_CHANNEL(false, 0),
 };
 
-/* Adjust channel real bits based on report descriptor */
-static void prox_adjust_channel_bit_mask(struct iio_chan_spec *channels,
-					int channel, int size)
-{
-	channels[channel].scan_type.sign = 's';
-	/* Real storage bits will change based on the report desc. */
-	channels[channel].scan_type.realbits = size * 8;
-	/* Maximum size of a sample to capture is u32 */
-	channels[channel].scan_type.storagebits = sizeof(u32) * 8;
-}
-
 /* Channel read_raw handler */
 static int prox_read_raw(struct iio_dev *indio_dev,
 			      struct iio_chan_spec const *chan,
@@ -250,8 +239,8 @@ static int prox_parse_report(struct platform_device *pdev,
 		st->scan_mask[0] |= BIT(index);
 		channels[index] = prox_channels[i];
 		channels[index].scan_index = index;
-		prox_adjust_channel_bit_mask(channels, index,
-					     st->prox_attr[index].size);
+		hid_sensor_adjust_channel_bit_mask(channels, index,
+			st->prox_attr[index].size);
 		dev_dbg(&pdev->dev, "prox %x:%x\n", st->prox_attr[index].index,
 			st->prox_attr[index].report_id);
 		st->scale_precision[index] =
-- 
2.51.0


^ permalink raw reply related

* [PATCH v2 6/7] iio: magnetometer: HID: Replace method magn_3d_adjust_channel_bit_mask()
From: Natália Salvino André @ 2026-04-21 22:20 UTC (permalink / raw)
  To: andy, bentiss, dlechner, jic23, jikos, nuno.sa,
	srinivas.pandruvada
  Cc: Natália Salvino André, Pietro Di Consolo Gregorio,
	linux-iio, linux-input
In-Reply-To: <20260421222210.16016-1-natalia.andre@ime.usp.br>

Replace method magn_3d_adjust_channel_bit_mask()
with helper method hid_sensor_adjust_channel_bit_mask().

Signed-off-by: Natália Salvino André <natalia.andre@ime.usp.br>
Co-developed-by: Pietro Di Consolo Gregorio <pietro.gregorio@usp.br>
Signed-off-by: Pietro Di Consolo Gregorio <pietro.gregorio@usp.br>
---
 drivers/iio/magnetometer/hid-sensor-magn-3d.c | 17 +++--------------
 1 file changed, 3 insertions(+), 14 deletions(-)

diff --git a/drivers/iio/magnetometer/hid-sensor-magn-3d.c b/drivers/iio/magnetometer/hid-sensor-magn-3d.c
index c673f9323e47..f1939da22e0d 100644
--- a/drivers/iio/magnetometer/hid-sensor-magn-3d.c
+++ b/drivers/iio/magnetometer/hid-sensor-magn-3d.c
@@ -132,17 +132,6 @@ static const struct iio_chan_spec magn_3d_channels[] = {
 	IIO_CHAN_SOFT_TIMESTAMP(7)
 };
 
-/* Adjust channel real bits based on report descriptor */
-static void magn_3d_adjust_channel_bit_mask(struct iio_chan_spec *channels,
-						int channel, int size)
-{
-	channels[channel].scan_type.sign = 's';
-	/* Real storage bits will change based on the report desc. */
-	channels[channel].scan_type.realbits = size * 8;
-	/* Maximum size of a sample to capture is u32 */
-	channels[channel].scan_type.storagebits = sizeof(u32) * 8;
-}
-
 /* Channel read_raw handler */
 static int magn_3d_read_raw(struct iio_dev *indio_dev,
 			      struct iio_chan_spec const *chan,
@@ -418,9 +407,9 @@ static int magn_3d_parse_report(struct platform_device *pdev,
 			if (i != CHANNEL_SCAN_INDEX_TIMESTAMP) {
 				/* Set magn_val_addr to iio value address */
 				st->magn_val_addr[i] = &st->iio_vals[*chan_count];
-				magn_3d_adjust_channel_bit_mask(_channels,
-								*chan_count,
-								st->magn[i].size);
+				hid_sensor_adjust_channel_bit_mask(_channels,
+					*chan_count,
+					st->magn[i].size);
 			}
 			(*chan_count)++;
 		}
-- 
2.51.0


^ permalink raw reply related

* [PATCH v2 7/7] iio: pressure: HID: Replace method press_adjust_channel_bit_mask()
From: Natália Salvino André @ 2026-04-21 22:20 UTC (permalink / raw)
  To: andy, bentiss, dlechner, jic23, jikos, nuno.sa,
	srinivas.pandruvada
  Cc: Natália Salvino André, Pietro Di Consolo Gregorio,
	linux-iio, linux-input
In-Reply-To: <20260421222210.16016-1-natalia.andre@ime.usp.br>

Replace method press_adjust_channel_bit_mask()
with helper method hid_sensor_adjust_channel_bit_mask().

Signed-off-by: Natália Salvino André <natalia.andre@ime.usp.br>
Co-developed-by: Pietro Di Consolo Gregorio <pietro.gregorio@usp.br>
Signed-off-by: Pietro Di Consolo Gregorio <pietro.gregorio@usp.br>
---
 drivers/iio/pressure/hid-sensor-press.c | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)

diff --git a/drivers/iio/pressure/hid-sensor-press.c b/drivers/iio/pressure/hid-sensor-press.c
index 5f1d6abda3e4..fd9dafe4945a 100644
--- a/drivers/iio/pressure/hid-sensor-press.c
+++ b/drivers/iio/pressure/hid-sensor-press.c
@@ -53,17 +53,6 @@ static const struct iio_chan_spec press_channels[] = {
 
 };
 
-/* Adjust channel real bits based on report descriptor */
-static void press_adjust_channel_bit_mask(struct iio_chan_spec *channels,
-					int channel, int size)
-{
-	channels[channel].scan_type.sign = 's';
-	/* Real storage bits will change based on the report desc. */
-	channels[channel].scan_type.realbits = size * 8;
-	/* Maximum size of a sample to capture is u32 */
-	channels[channel].scan_type.storagebits = sizeof(u32) * 8;
-}
-
 /* Channel read_raw handler */
 static int press_read_raw(struct iio_dev *indio_dev,
 			      struct iio_chan_spec const *chan,
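Review bot: Nothing in this diff adds an #include (the diffstat is 2 insertions and 13 deletions), so once the local press_adjust_channel_bit_mask() is gone the build relies on hid-sensor-press.c already pulling in the header that declares hid_sensor_adjust_channel_bit_mask(). Name that header and the dependency on patch 1/7 in the commit message so this patch is not applied or backported on its own.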
@@ -225,8 +214,8 @@ static int press_parse_report(struct platform_device *pdev,
 			&st->press_attr);
 	if (ret < 0)
 		return ret;
-	press_adjust_channel_bit_mask(channels, CHANNEL_SCAN_INDEX_PRESSURE,
-					st->press_attr.size);
+	hid_sensor_adjust_channel_bit_mask(channels, CHANNEL_SCAN_INDEX_PRESSURE,
+									   st->press_attr.size);
 
 	dev_dbg(&pdev->dev, "press %x:%x\n", st->press_attr.index,
 			st->press_attr.report_id);
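Review bot: The continuation line of the new call is indented with a long run of tabs followed by spaces, which lines up with the opening parenthesis only at a 4-column tab width; at the kernel's 8-column tabs it lands far to the right, and the first line already runs just past 80 columns. Break after "channels," and put CHANNEL_SCAN_INDEX_PRESSURE and st->press_attr.size on continuation lines aligned under "channels" using tabs followed by the remaining spaces.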
-- 
2.51.0


^ permalink raw reply related

* Re: [moderation] KCSAN: data-race in evdev_pass_values / evdev_read (13)
From: syzbot @ 2026-04-22  1:04 UTC (permalink / raw)
  To: dmitry.torokhov, linux-input, linux-kernel, osama.abdelkader,
	syzkaller-upstream-moderation
In-Reply-To: <69727536.050a0220.706b.0029.GAE@google.com>

Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.

^ permalink raw reply

* RE: [PATCH v2] iio: orientation: hid-sensor-rotation: use ext_scan_type
From: Zhang, Lixu @ 2026-04-22  1:08 UTC (permalink / raw)
  To: srinivas pandruvada, Jonathan Cameron, Lechner, David
  Cc: Jiri Kosina, Nuno Sá, Andy Shevchenko,
	linux-input@vger.kernel.org, linux-iio@vger.kernel.org,
	linux-kernel@vger.kernel.org
In-Reply-To: <ff6d54f76139c43642f15ef21da6997145bca8e3.camel@linux.intel.com>

Tested-by: Lixu Zhang <lixu.zhang@intel.com>

>-----Original Message-----
>From: srinivas pandruvada <srinivas.pandruvada@linux.intel.com>
>Sent: Monday, April 20, 2026 11:46 PM
>To: Jonathan Cameron <jic23@kernel.org>; Lechner, David
><dlechner@baylibre.com>; Zhang, Lixu <lixu.zhang@intel.com>
>Cc: Jiri Kosina <jikos@kernel.org>; Nuno Sá <nuno.sa@analog.com>; Andy
>Shevchenko <andy@kernel.org>; linux-input@vger.kernel.org; linux-
>iio@vger.kernel.org; linux-kernel@vger.kernel.org
>Subject: Re: [PATCH v2] iio: orientation: hid-sensor-rotation: use ext_scan_type
>
>+Lixu
>
>On Sun, 2026-04-12 at 15:26 +0100, Jonathan Cameron wrote:
>> On Sun, 01 Mar 2026 17:46:48 -0600
>> David Lechner <dlechner@baylibre.com> wrote:
>>
>> > Make use of ext_scan_type to handle the dynamic realbits size of the
>> > quaternion data. This lets us implement it using static data rather
>> > than having to duplicate the channel info for each driver instance.
>> >
>> > Signed-off-by: David Lechner <dlechner@baylibre.com>
>> > ---
>> I'm going to apply this now, but would welcome any additional feedback
>> from Srinivas or others.
>>
>> Note, given this is next cycle material now I'll only push the tree
>> out as testing until I can rebase on rc1.
>>
>
>In real world I think report size is always 16 copying from spec.

Yes, it's always 16 for Intel ISH.

Thanks,
Lixu

>
>    Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
>
>Thanks,
>Srinivas
>
>
>> Thanks,
>>
>> Jonathan
>>


^ permalink raw reply

* Re: [PATCH 0/2] HID: appletb-kbd: fix UAF and mutex-in-atomic in inactivity timer
From: Sangyun Kim @ 2026-04-22  6:01 UTC (permalink / raw)
  To: Aditya Garg; +Cc: jikos, bentiss, qasdev00, linux-input, linux-kernel
In-Reply-To: <MAUPR01MB115460F44776CC8E5E5EE7DC4B82F2@MAUPR01MB11546.INDPRD01.PROD.OUTLOOK.COM>

On Mon, Apr 20, 2026 at 06:17:36 PM +0530, Aditya Garg wrote:

>
>
>On 4/20/26 10:43, Sangyun Kim wrote:
>>This series addresses two defects in hid-appletb-kbd's inactivity
>>timer subsystem.  The two patches target different bugs and are
>>logically independent; they are sent together because they touch the
>>same tear-down code and because the same maintainer will review both.
>>
>>Patch 1 fixes a slab use-after-free with two related tear-down windows
>>introduced by commit 38224c472a03 ("HID: appletb-kbd: fix slab
>>use-after-free bug in appletb_kbd_probe"):
>>
>>   A) Within "if (kbd->backlight_dev)" the order was
>>      put_device() then timer_delete_sync().  A concurrent
>>      hid_appletb_bl unbind between those two calls can drop the last
>>      devm reference and free the backlight_device; the still-armed
>>      inactivity timer softirq then dereferences the freed object
>>      through backlight_device_set_brightness() -> mutex_lock(&ops_lock).
>>
>>   B) The "if (kbd->backlight_dev)" block ran before
>>      hid_hw_close()/hid_hw_stop(), so even after window A is closed a
>>      late ".event" callback from the HID core (USB URB completion on
>>      real hardware) can arrive between timer_delete_sync() and
>>      put_device(), reach reset_inactivity_timer(), re-arm the timer
>>      via mod_timer(), and reopen the same UAF.
>>
>>Both windows produce the same KASAN slab-use-after-free on the object
>>allocated by devm_backlight_device_register().  Patch 1 closes them
>>together by moving hid_hw_close()/hid_hw_stop() before the backlight
>>cleanup and, inside that cleanup block, calling timer_delete_sync()
>>before put_device().  Shipping both as one commit avoids leaving
>>stable kernels in a half-fixed state where only window A is closed.
>>
>>Patch 2 fixes a separate "sleeping function called from invalid
>>context" bug in the same subsystem.  The inactivity timer is a
>>struct timer_list, so the callback runs in softirq context and calls
>>backlight_device_set_brightness() -> mutex_lock() from atomic
>>context; reset_inactivity_timer() has the same issue on the
>>brightness-restore path (it is called from appletb_kbd_hid_event()
>>and appletb_kbd_inp_event(), which run in softirq/IRQ context on
>>real USB hardware).  Convert the inactivity timer to a delayed_work
>>and defer the brightness-restore call to a dedicated work_struct so
>>both sleeping calls run in process context.
>>
>>Sangyun Kim (2):
>>   HID: appletb-kbd: fix UAF in inactivity-timer cleanup path
>>   HID: appletb-kbd: run inactivity autodim from workqueues
>>
>>  drivers/hid/hid-appletb-kbd.c | 56 ++++++++++++++++++++++-------------
>>  1 file changed, 36 insertions(+), 20 deletions(-)
>>
>
>I had a very weird bug just once. And that was when I pressed fn key, 
>upon releasing, the touchbar mode did not restore to normal.
>
>Although it was just once, and I was never able to reproduce it again.
>
>Have you tested it on your Machine btw?
>
>

Hi,

I have not tested this series on actual Apple Touch Bar hardware on my
side, as I do not have access to such a machine locally. All testing on
my side was done under QEMU with a uhid-based setup.

Because of that, I cannot say much about the one-off case where the
Touch Bar did not restore the normal mode after releasing Fn. I have not
been able to reproduce that specific behavior in my setup.

For patch 1, however, I was able to reproduce the teardown UAF in the
uhid/QEMU setup and got the following KASAN report.

[   56.040407] ==================================================================
[   56.042444] BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x861/0x910
[   56.044962] Write of size 8 at addr ffff88801b7e8958 by task swapper/0/0
[   56.049092] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G                 N  7.0.0-dirty #2 PREEMPT(full)
[   56.049967] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   56.050843] Call Trace:
[   56.051146]  <IRQ>
[   56.052394]  __run_timer_base.part.0+0x861/0x910
[   56.053123]  run_timer_softirq+0xd1/0x190

[   56.075012] Allocated by task 11:
[   56.077221]  devm_kmalloc+0x70/0x1d0
[   56.077545]  appletb_kbd_probe+0x65/0x470 [hid_appletb_kbd]
[   56.085606]  uhid_device_add_worker+0x3b/0x100

[   56.088719] Freed by task 11:
[   56.091296]  devres_release_group+0x1fd/0x3d0
[   56.091844]  hid_device_probe+0x4db/0x7d0
[   56.096916]  uhid_device_add_worker+0x3b/0x100

[   56.123572]  backlight_device_set_brightness+0x77/0x280
[   56.123902]  appletb_inactivity_timer+0xe9/0x190 [hid_appletb_kbd]
[   56.123967]  call_timer_fn+0x163/0x4a0
[   56.124338]  __run_timer_base.part.0+0x575/0x910
[   56.124711]  run_timer_softirq+0xd1/0x190

Patch 2 also matches what I saw in the same setup. On the unpatched
tree, I can reproduce:

[   56.120488] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591
[   56.121118] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 0, name: swapper/0
[   56.123080]  __mutex_lock+0xda/0x21c0
[   56.123572]  backlight_device_set_brightness+0x77/0x280
[   56.123902]  appletb_inactivity_timer+0xe9/0x190 [hid_appletb_kbd]
[   56.124338]  __run_timer_base.part.0+0x575/0x910
[   56.124711]  run_timer_softirq+0xd1/0x190

After applying patch 2, that warning no longer appeared in the timer
reproducer in my uhid/QEMU runs. I also added a small UHID input trigger
to exercise appletb_kbd_hid_event(), and in that setup brightness
restored from 1 back to 2 in 5/5 iterations after the synthetic key
event.

The limitation is that this is still UHID-only coverage. I do not have
native Touch Bar hardware, and pure UHID does not model a real internal
Apple keyboard/trackpad closely enough for me to claim coverage of the
appletb_kbd_inp_event() path or real USB IRQ-context behavior.

Thanks,
Sangyun

^ permalink raw reply
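
The two tear-down windows from the cover letter quoted in the message above, as an added example that is not part of the thread or of hid-appletb-kbd.c: a userspace model that searches every interleaving of a late .event and a timer expiry around the three teardown steps. The model struct, its field names and the assumption that put_device() frees the backlight at once (the concurrent-unbind worst case) are illustrative.

```c
/* Added example: userspace model of the teardown ordering, not driver code. */
#include <stdbool.h>
#include <stdio.h>
enum step { PUT_DEVICE, TIMER_DELETE_SYNC, HW_STOP };

struct model {
	bool bl_alive;    /* backlight_device memory is still valid */
	bool timer_armed; /* inactivity timer is pending */
	bool hw_open;     /* HID core can still deliver .event */
};

/* Orders from the cover letter; HW_STOP stands for hid_hw_close()/hid_hw_stop(). */
static const enum step ORDER_ORIGINAL[3] = { PUT_DEVICE, TIMER_DELETE_SYNC, HW_STOP };
static const enum step ORDER_A_ONLY[3] = { TIMER_DELETE_SYNC, PUT_DEVICE, HW_STOP };
static const enum step ORDER_PATCH1[3] = { HW_STOP, TIMER_DELETE_SYNC, PUT_DEVICE };

static void apply(struct model *m, enum step s)
{
	if (s == PUT_DEVICE)
		m->bl_alive = false; /* assumption: a concurrent unbind frees it at once */
	else if (s == TIMER_DELETE_SYNC)
		m->timer_armed = false;
	else
		m->hw_open = false;
}

/* After each step a late .event may re-arm the timer (only while the hardware
 * is open) and the timer may fire; true if any schedule hits freed memory. */
static bool order_can_uaf(const enum step order[3])
{
	for (unsigned int sched = 0; sched < 64; sched++) {
		struct model m = { true, true, true };
		for (int i = 0; i < 3; i++) {
			apply(&m, order[i]);
			if (((sched >> (2 * i)) & 1) && m.hw_open)
				m.timer_armed = true; /* reset_inactivity_timer() -> mod_timer() */
			if (((sched >> (2 * i + 1)) & 1) && m.timer_armed) {
				if (!m.bl_alive)
					return true; /* callback dereferences the freed object */
				m.timer_armed = false;
			}
		}
	}
	return false;
}

/* Count how many of the six possible step orders are free of the race. */
static int count_safe_orders(void)
{
	static const enum step all[6][3] = {
		{ 0, 1, 2 }, { 0, 2, 1 }, { 1, 0, 2 }, { 1, 2, 0 }, { 2, 0, 1 }, { 2, 1, 0 },
	};
	int safe = 0;
	for (int i = 0; i < 6; i++)
		safe += !order_can_uaf(all[i]);
	return safe;
}

int main(void)
{
	printf("original:%d A-only:%d patch1:%d safe-orders:%d\n", order_can_uaf(ORDER_ORIGINAL),
	       order_can_uaf(ORDER_A_ONLY), order_can_uaf(ORDER_PATCH1), count_safe_orders());
	return 0;
}
```

In this model only the order used by patch 1 (stop the hardware, delete the timer, then drop the reference) survives every schedule; closing window A alone still leaves the re-arm path of window B.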

* Re: [PATCH v2 1/7] iio: HID: Add helper method hid_sensor_adjust_channel_bit_mask()
From: Andy Shevchenko @ 2026-04-22  9:03 UTC (permalink / raw)
  To: Natália Salvino André
  Cc: andy, bentiss, dlechner, jic23, jikos, nuno.sa,
	srinivas.pandruvada, Pietro Di Consolo Gregorio, linux-iio,
	linux-input
In-Reply-To: <20260421222210.16016-2-natalia.andre@ime.usp.br>

On Tue, Apr 21, 2026 at 07:20:33PM -0300, Natália Salvino André wrote:
> Add helper method to deduplicate code in HID sensors.

...

> +#include <linux/bits.h>

Will need bitops.h instead (see below why).

...

> +void hid_sensor_adjust_channel_bit_mask(struct iio_chan_spec *channels,
> +					int channel, int size)
> +{
> +	channels[channel].scan_type.format = 's';
> +	/* Real storage bits will change based on the report desc. */
> +	channels[channel].scan_type.realbits = size * BITS_PER_BYTE;

BITS_TO_BYTES(size)

> +	/* Maximum size of a sample to capture is u32 */
> +	channels[channel].scan_type.storagebits = sizeof(u32) * BITS_PER_BYTE;

BITS_PER_TYPE(u32)

> +}
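
Review bot: In the realbits assignment, size is a byte count, so the conversion needed is bytes to bits: BYTES_TO_BITS(size) from <linux/bitops.h> gives the same value as size * BITS_PER_BYTE, while BITS_TO_BYTES() divides by eight and would shrink realbits. BITS_PER_TYPE(u32) for storagebits is value-identical to the current expression.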

-- 
With Best Regards,
Andy Shevchenko



^ permalink raw reply

* Re: [PATCH v2 2/7] iio: accel: HID: Replace method accel_3d_adjust_channel_bit_mask()
From: Andy Shevchenko @ 2026-04-22  9:07 UTC (permalink / raw)
  To: Natália Salvino André
  Cc: andy, bentiss, dlechner, jic23, jikos, nuno.sa,
	srinivas.pandruvada, Pietro Di Consolo Gregorio, linux-iio,
	linux-input
In-Reply-To: <20260421222210.16016-3-natalia.andre@ime.usp.br>

On Tue, Apr 21, 2026 at 07:20:34PM -0300, Natália Salvino André wrote:
> Replace method accel_3d_adjust_channel_bit_mask()
> with helper method hid_sensor_adjust_channel_bit_mask().

...

> -		accel_3d_adjust_channel_bit_mask(channels,
> -				CHANNEL_SCAN_INDEX_X + i,
> -				st->accel[CHANNEL_SCAN_INDEX_X + i].size);
> +		hid_sensor_adjust_channel_bit_mask(channels,
> +			CHANNEL_SCAN_INDEX_X + i,
> +			st->accel[CHANNEL_SCAN_INDEX_X + i].size);

Indentation is broken. Taking into account that the last line is too long when
properly indented, perhaps

		hid_sensor_adjust_channel_bit_mask(channels,
				CHANNEL_SCAN_INDEX_X + i,
				st->accel[CHANNEL_SCAN_INDEX_X + i].size);

Which makes it most right and under 80 limit.

-- 
With Best Regards,
Andy Shevchenko



^ permalink raw reply

* Re: [PATCH v2 3/7] iio: gyro: HID: Replace method gyro_3d_adjust_channel_bit_mask()
From: Andy Shevchenko @ 2026-04-22  9:14 UTC (permalink / raw)
  To: Natália Salvino André
  Cc: andy, bentiss, dlechner, jic23, jikos, nuno.sa,
	srinivas.pandruvada, Pietro Di Consolo Gregorio, linux-iio,
	linux-input
In-Reply-To: <20260421222210.16016-4-natalia.andre@ime.usp.br>

On Tue, Apr 21, 2026 at 07:20:35PM -0300, Natália Salvino André wrote:
> Replace method gyro_3d_adjust_channel_bit_mask()
> with helper method hid_sensor_adjust_channel_bit_mask().

...

> +		hid_sensor_adjust_channel_bit_mask(channels,
> +			CHANNEL_SCAN_INDEX_X + i,
> +			st->gyro[CHANNEL_SCAN_INDEX_X + i].size);

Same, at least one more tab for indentation.

-- 
With Best Regards,
Andy Shevchenko



^ permalink raw reply

* Re: [PATCH 0/2] HID: appletb-kbd: fix UAF and mutex-in-atomic in inactivity timer
From: Aditya Garg @ 2026-04-22  9:15 UTC (permalink / raw)
  To: Sangyun Kim
  Cc: jikos@kernel.org, bentiss@kernel.org, qasdev00@gmail.com,
	linux-input@vger.kernel.org, linux-kernel@vger.kernel.org
In-Reply-To: <20260422060104.jbimo4nm6pat3f53@nunu>

I got the bug just once so it's possible that it was a firmware related bug in the touchbar as well.

> On 22 Apr 2026, at 11:31 AM, Sangyun Kim <sangyun.kim@snu.ac.kr> wrote:
> 
> On Mon, Apr 20, 2026 at 06:17:36 PM +0530, Aditya Garg wrote:
> 
>> 
>> 
>>> On 4/20/26 10:43, Sangyun Kim wrote:
>>> This series addresses two defects in hid-appletb-kbd's inactivity
>>> timer subsystem.  The two patches target different bugs and are
>>> logically independent; they are sent together because they touch the
>>> same tear-down code and because the same maintainer will review both.
>>> 
>>> Patch 1 fixes a slab use-after-free with two related tear-down windows
>>> introduced by commit 38224c472a03 ("HID: appletb-kbd: fix slab
>>> use-after-free bug in appletb_kbd_probe"):
>>> 
>>>  A) Within "if (kbd->backlight_dev)" the order was
>>>     put_device() then timer_delete_sync().  A concurrent
>>>     hid_appletb_bl unbind between those two calls can drop the last
>>>     devm reference and free the backlight_device; the still-armed
>>>     inactivity timer softirq then dereferences the freed object
>>>     through backlight_device_set_brightness() -> mutex_lock(&ops_lock).
>>> 
>>>  B) The "if (kbd->backlight_dev)" block ran before
>>>     hid_hw_close()/hid_hw_stop(), so even after window A is closed a
>>>     late ".event" callback from the HID core (USB URB completion on
>>>     real hardware) can arrive between timer_delete_sync() and
>>>     put_device(), reach reset_inactivity_timer(), re-arm the timer
>>>     via mod_timer(), and reopen the same UAF.
>>> 
>>> Both windows produce the same KASAN slab-use-after-free on the object
>>> allocated by devm_backlight_device_register().  Patch 1 closes them
>>> together by moving hid_hw_close()/hid_hw_stop() before the backlight
>>> cleanup and, inside that cleanup block, calling timer_delete_sync()
>>> before put_device().  Shipping both as one commit avoids leaving
>>> stable kernels in a half-fixed state where only window A is closed.
>>> 
>>> Patch 2 fixes a separate "sleeping function called from invalid
>>> context" bug in the same subsystem.  The inactivity timer is a
>>> struct timer_list, so the callback runs in softirq context and calls
>>> backlight_device_set_brightness() -> mutex_lock() from atomic
>>> context; reset_inactivity_timer() has the same issue on the
>>> brightness-restore path (it is called from appletb_kbd_hid_event()
>>> and appletb_kbd_inp_event(), which run in softirq/IRQ context on
>>> real USB hardware).  Convert the inactivity timer to a delayed_work
>>> and defer the brightness-restore call to a dedicated work_struct so
>>> both sleeping calls run in process context.
>>> 
>>> Sangyun Kim (2):
>>>  HID: appletb-kbd: fix UAF in inactivity-timer cleanup path
>>>  HID: appletb-kbd: run inactivity autodim from workqueues
>>> 
>>> drivers/hid/hid-appletb-kbd.c | 56 ++++++++++++++++++++++-------------
>>> 1 file changed, 36 insertions(+), 20 deletions(-)
>>> 
>> 
>> I had a very weird bug just once. And that was when I pressed fn key, upon releasing, the touchbar mode did not restore to normal.
>> 
>> Although it was just once, and I was never able to reproduce it again.
>> 
>> Have you tested it on your Machine btw?
>> 
>> 
> 
> Hi,
> 
> I have not tested this series on actual Apple Touch Bar hardware on my
> side, as I do not have access to such a machine locally. All testing on
> my side was done under QEMU with a uhid-based setup.
> 
> Because of that, I cannot say much about the one-off case where the
> Touch Bar did not restore the normal mode after releasing Fn. I have not
> been able to reproduce that specific behavior in my setup.
> 
> For patch 1, however, I was able to reproduce the teardown UAF in the
> uhid/QEMU setup and got the following KASAN report.
> 
> [   56.040407] ==================================================================
> [   56.042444] BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x861/0x910
> [   56.044962] Write of size 8 at addr ffff88801b7e8958 by task swapper/0/0
> [   56.049092] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G                 N  7.0.0-dirty #2 PREEMPT(full)
> [   56.049967] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> [   56.050843] Call Trace:
> [   56.051146]  <IRQ>
> [   56.052394]  __run_timer_base.part.0+0x861/0x910
> [   56.053123]  run_timer_softirq+0xd1/0x190
> 
> [   56.075012] Allocated by task 11:
> [   56.077221]  devm_kmalloc+0x70/0x1d0
> [   56.077545]  appletb_kbd_probe+0x65/0x470 [hid_appletb_kbd]
> [   56.085606]  uhid_device_add_worker+0x3b/0x100
> 
> [   56.088719] Freed by task 11:
> [   56.091296]  devres_release_group+0x1fd/0x3d0
> [   56.091844]  hid_device_probe+0x4db/0x7d0
> [   56.096916]  uhid_device_add_worker+0x3b/0x100
> 
> [   56.123572]  backlight_device_set_brightness+0x77/0x280
> [   56.123902]  appletb_inactivity_timer+0xe9/0x190 [hid_appletb_kbd]
> [   56.123967]  call_timer_fn+0x163/0x4a0
> [   56.124338]  __run_timer_base.part.0+0x575/0x910
> [   56.124711]  run_timer_softirq+0xd1/0x190
> 
> Patch 2 also matches what I saw in the same setup. On the unpatched
> tree, I can reproduce:
> 
> [   56.120488] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591
> [   56.121118] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 0, name: swapper/0
> [   56.123080]  __mutex_lock+0xda/0x21c0
> [   56.123572]  backlight_device_set_brightness+0x77/0x280
> [   56.123902]  appletb_inactivity_timer+0xe9/0x190 [hid_appletb_kbd]
> [   56.124338]  __run_timer_base.part.0+0x575/0x910
> [   56.124711]  run_timer_softirq+0xd1/0x190
> 
> After applying patch 2, that warning no longer appeared in the timer
> reproducer in my uhid/QEMU runs. I also added a small UHID input trigger
> to exercise appletb_kbd_hid_event(), and in that setup brightness
> restored from 1 back to 2 in 5/5 iterations after the synthetic key
> event.
> 
> The limitation is that this is still UHID-only coverage. I do not have
> native Touch Bar hardware, and pure UHID does not model a real internal
> Apple keyboard/trackpad closely enough for me to claim coverage of the
> appletb_kbd_inp_event() path or real USB IRQ-context behavior.
> 
> Thanks,
> Sangyun

^ permalink raw reply

