| Commit message | Author | Age | Files | Lines |
| |
This is a temporary fix for not handling BT_ATT_OP_HANDLE_NFY_MULT in
GAttr so the code will use g_attrib_attach_client to attach the
bt_gatt_client instance which is then used to register notifications
including those sent with BT_ATT_OP_HANDLE_NFY_MULT.
Fixes: https://github.com/bluez/bluez/issues/71
| |
This fixes the following errors:
profiles/input/hog-lib.c:600:19: warning: Access to field 'handle'
results in a dereference of a null pointer (loaded from variable 'chr')
report->handle = chr->handle;
^~~~~~~~~~~
profiles/input/hog-lib.c:637:11: warning: Access to field 'value_handle'
results in a dereference of a null pointer (loaded from variable 'chr')
start = chr->value_handle + 1;
^~~~~~~~~~~~~~~~~
profiles/input/hog-lib.c:1240:11: warning: Access to field 'value_handle'
results in a dereference of a null pointer (loaded from variable 'chr')
start = chr->value_handle + 1;
^~~~~~~~~~~~~~~~~
| |
Although HIDS spec is quite clear the Report MAP shall be limited to
512 bytes it doesn't seem OS do enforce that on the profile/client side
and since there isn't any qualification test enforcing it either there
are quite many devices which use Report MAP bigger than 512 bytes
(e.g.: Brydge W-Touch and Lenovo Duet 3 BT Folio).
https://github.com/bluez/bluez/issues/377
| |
On some rare occasions, the peer HID device might disconnect the ctrl
channel when we are trying to connect the intr channel. If this
happens, interrupt_connect_cb() will not be called by btio, and we
will be stuck in "connecting" state. Any future connection attempt to
the peer device will fail because of "busy".
This patch prevents that by checking if we need to report connection
failure when the ctrl channel is disconnected.
Reviewed-by: Sonny Sasaka <sonnysasaka@chromium.org>
| |
If there are multiple instances the gatt_db of the instances was not
initialized causing the report_map_attr to be NULL which prevents the
report_map to be read and uhid device to be created.
Fixes: https://github.com/bluez/bluez/issues/298
| |
Before prepending the Report ID check if it is non-zero:
BLUETOOTH SPECIFICATION Page 16 of 26
HID Service Specification
Report ID shall be nonzero in a Report Reference characteristic
descriptor where there is more than one instance of the Report
characteristic for any given Report Type.
Fixes: https://www.spinics.net/lists/linux-bluetooth/msg97262.html
| |
With use of UHID_CREATE2 the code needs to wait for UHID_START in order
to know if the reports are numbered or not.
Fixes: https://github.com/bluez/bluez/issues/298
| |
When the GError variable is freed with g_error_free(), it is not set to
NULL and reusing the same variable again can cause the seg_fault because
it is still pointing the old memory address which is freed.
This patch replaces the g_error_free() to g_clear_error() which frees the
variable and sets it to NULL if the variable is used in the function
again.
Fixes: 4ad622d592ba5 ("profiles/a2dp: Fix unchecked return value")
| |
This converts the use of UHID_CREATE to UHID_CREATE2 which gives back
the information of reports being numbered or not thus avoiding the need
to parse the report map in order to check if there is a report number
on them since UHID_START gives that information:
UHID_START:
This is sent when the HID device is started. Consider this as an
answer to UHID_CREATE2. This is always the first event that is sent.
Note that this event might not be available immediately after
write(UHID_CREATE2) returns.
Device drivers might require delayed setups.
This event contains a payload of type uhid_start_req. The "dev_flags"
field describes special behaviors of a device. The following flags
are defined:
- UHID_DEV_NUMBERED_FEATURE_REPORTS
- UHID_DEV_NUMBERED_OUTPUT_REPORTS
- UHID_DEV_NUMBERED_INPUT_REPORTS
Each of these flags defines whether a given report-type uses numbered
reports. If numbered reports are used for a type, all messages from
the kernel already have the report-number as prefix. Otherwise, no
prefix is added by the kernel. For messages sent by user-space to the
kernel, you must adjust the prefixes according to these flags
| |
Since report map is only read after all reports it is possible to start
receiving notifications before uhid has been created, so this adds a
queue to store the events while the report map is pending and once uhid
has been created dequeue the events.
| |
The Report Map must be read after all other attributes otherwise the
Kernel driver may start using UHID_SET_REPORT which requires the
report->id to be known in order to resolve the attribute to send to.
Fixes: https://github.com/bluez/bluez/issues/220
| |
This replaces the uses of g_memdup with util_memdup since the former has
been deprecated:
warning: ‘g_memdup’ is deprecated: Use 'g_memdup2' instead
[-Wdeprecated-declarations]
g_memdup2 requires bumping glib version which would likely have its
own problems thus why util_memdup was introduced.
| |
uhid.h is part of kernel uapi nowadays so it can be included
directly from linux/uhid.h so this removes the local copy to use it
instead.
| |
This patch fixes the unchecked return value (CWE-252) issues reported by
the Coverity.
| |
Currently we silently ignore missing connection (attrib) in read_char(),
but not in the other GATT interfaces (such as write_char, discover_desc,
etc). The code should avoid calling read_char() when there is no active
connection instead, and logging errors will help us trace the offenders.
| |
We need to have active connection to fully discover a HOG instance,
and in the chain
bt_hog_new()->
gatt_db_foreach_service()->
foreach_hog_service()->
hog_attach_instance()
we have not set up hog->attrib yet. So let's skip calling
foreach_hog_chrc() from hog_attach_instance(), especially since
we will be calling bt_hog_attach() pretty much immediately after
bt_hog_new(), and we will be discovering characteristics there anyway.
| |
When calling gatt_write_char(), gatt_read_char(), etc, id == 0 indicates
error. Let's recognize this fact and log it instead of queueing request
that will never be completed.
| |
If UHID_GET_REPORT is received but a report cannot be found, etc, the
would pass bt_hog as user_data instead of report to get_report_cb
leading to a crash.
Fixes https://github.com/bluez/bluez/issues/112
| |
Replace calls to g_timeout_add_seconds() by the timeout_add_seconds()
wrapper which takes care of 0 delay.
| |
When cable pairing a PS3 clone device, we should try and keep the USB device
name to create a new btd_device so that the joypad is named after its USB name
when connecting through Bluetooth.
If that isn't done, "Shanwan" clone joypads are named like the genuine joypads, and
kernel Bluetooth quirks aren't applied.
gh-issue: https://github.com/bluez/bluez/issues/46
| |
In commit 23b69ab3e484 ("input/hog: Cache the HID report map"), we
optimized HOG reconnection by registering report value callbacks early,
but there was a bug where we also re-register the same report value
callbacks after at CCC write callback. We should handle this case by
avoiding the second callback register if we know we have done it
earlier.
| |
To optimize BLE HID devices reconnection response, we can cache the
report map so that the subsequent reconnections do not need round trip
time to read the report map.
| |
This reverts commit d6cafa1f0c3ea1989f8a580e52f418b0998a3552.
In commit d6cafa1f0c3e ("input/hog: Remove HID device after HoG device
disconnects"), the bt_hog structure is destroyed in order to fix a bug
where the UHID connection is not destroyed. This fix has the cost of
increasing reconnection time because every reconnection would need to
re-read the report map again. An improvement to this fix is, instead of
removing the bt_hog structure, we can just destroy the UHID with
UHID_DESTROY event and use the existing bt_hog structure to keep the
cache of the report map to avoid re-reading the report map at
reconnection.
| |
If the HID subsystem requests a HID report to be read from the
device, we currently incorrectly strip off the first byte of the
response, if the device has report IDs set in the HID report
descriptor.
This is incorrect; unlike USB HID, the report ID is *not* included
in the HOG profile's HID reports, and instead exists out of band
in a descriptor on the report's bluetooth characteristic in the
device.
In this patch, we remove the erroneous stripping of the first
byte of the report, and (if report IDs are enabled) prepend the
report ID to the front of the result. This makes the HID report
returned identical in format to that of a USB HID report, so
that the upper HID drivers can consume HOG device reports in the
same way as USB.
| |
This patch adds SPDX License Identifier and removes the license text.
-------------------------------------
License COUNT
-------------------------------------
GPL-2.0-or-later : 72
LGPL-2.1-or-later : 6
License: GPL-2.0-or-later
profiles/deviceinfo/dis.c
profiles/deviceinfo/deviceinfo.c
profiles/health/hdp_types.h
profiles/health/mcap.c
profiles/health/hdp_manager.c
profiles/health/hdp_main.c
profiles/health/mcap.h
profiles/health/hdp_util.h
profiles/health/hdp_manager.h
profiles/health/hdp_util.c
profiles/health/hdp.c
profiles/health/hdp.h
profiles/network/server.c
profiles/network/connection.h
profiles/network/connection.c
profiles/network/manager.c
profiles/network/bnep.c
profiles/network/server.h
profiles/network/bnep.h
profiles/battery/battery.c
profiles/cups/cups.h
profiles/cups/sdp.c
profiles/cups/main.c
profiles/cups/spp.c
profiles/cups/hcrp.c
profiles/scanparam/scpp.c
profiles/scanparam/scan.c
profiles/audio/transport.h
profiles/audio/avdtp.h
profiles/audio/source.c
profiles/audio/player.c
profiles/audio/avctp.c
profiles/audio/control.h
profiles/audio/a2dp.c
profiles/audio/source.h
profiles/audio/transport.c
profiles/audio/sink.c
profiles/audio/avrcp.h
profiles/audio/avdtp.c
profiles/audio/a2dp.h
profiles/audio/avrcp.c
profiles/audio/media.h
profiles/audio/avctp.h
profiles/audio/control.c
profiles/audio/sink.h
profiles/audio/player.h
profiles/audio/media.c
profiles/sap/server.c
profiles/sap/sap-dummy.c
profiles/sap/main.c
profiles/sap/sap.h
profiles/sap/manager.c
profiles/sap/server.h
profiles/sap/manager.h
profiles/iap/main.c
profiles/gap/gas.c
profiles/midi/midi.c
profiles/midi/libmidi.c
profiles/midi/libmidi.h
profiles/input/server.c
profiles/input/suspend.h
profiles/input/uhid_copy.h
profiles/input/device.c
profiles/input/hog.c
profiles/input/device.h
profiles/input/hidp_defs.h
profiles/input/manager.c
profiles/input/suspend-none.c
profiles/input/sixaxis.h
profiles/input/hog-lib.c
profiles/input/suspend-dummy.c
profiles/input/server.h
License: LGPL-2.1-or-later
profiles/deviceinfo/dis.h
profiles/battery/bas.h
profiles/battery/bas.c
profiles/scanparam/scpp.h
profiles/audio/a2dp-codecs.h
profiles/input/hog-lib.h
| |
When destroying UHID, we should also unregister all event listeners so
that they don't get double registered at reconnection. It fixes a bug
where battery report is not available to kernel after reconnection and
also prevents memory leak.
Tested with Logitech M535 mouse:
* Connect mouse to the device running BlueZ
* cat /sys/class/power_supply/hid-{addr}-battery/capacity # works
* Disconnect mouse
* Reconnect mouse
* cat /sys/class/power_supply/hid-{addr}-battery/capacity # still works
| |
According to the HID1.1 spec, part 5.3.4.9:
The HIDSDPDisable attribute is a Boolean value, which indicates
whether connection to the SDP channel and Control or Interrupt
channels are mutually exclusive. This feature supports Bluetooth
HID devices that have minimal resources, and multiplex those
resources between servicing the initialization (SDP) and runtime
(Control and Interrupt) channels.
However, Bluez still tries to connect SDP upon HID connection,
regardless of the existence of the HIDSDPDisable attribute.
This patch prevents the connection of SDP after HID has been
established, if the device has HIDSDPDisable attribute.
| |
According to the uhid documentation: "If your device disconnects,
you should send an UHID_DESTROY event"
| |
This patch listens to UHID_SET_REPORT event and forwards this
message to the hid device. Upon reply, we also send a report back
to the kernel as UHID_SET_REPORT_REPLY.
hidp_send_set_report no longer listens to UHID_OUTPUT events, that is
handled by hidp_send_output instead.
| |
According to kernel's uhid.h, UHID_FEATURE is obsolete and is
replaced with UHID_GET_REPORT.
| |
From Bluetooth HID Profile 1.1 Spec: If a Virtual Cable is
unplugged via a HID control Virtual Unplug command, then both the
Bluetooth HID device and Bluetooth HID Host shall destroy or
invalidate all Bluetooth bonding and Virtual Cable information
that was previously stored in persistent memory for the respective
Virtually Cabled devices and hosts.
This patch removes the bonding information upon receiving and/or
sending a "virtual cable unplug".
| |
According to bluetooth HID1.1 spec, section 5.4.3.5.3:
If the Bluetooth HID Host is bonded to a Bluetooth HID device:
If encryption is not already enabled, the Bluetooth HID Host shall
enable encryption with the Bluetooth HID device before sending an
L2CAP Connect Response with a result code of “Connection Successful”
(0x0000) after an L2CAP Connect Request is received.
This patch raises the security level to medium when listening for
incoming connection if the flag classic_bonded_only is set,
effectively starting encryption.
| |
According to bluetooth HID1.1 spec, part 5.4.3.4.3:
If the Bluetooth HID Host is bonded to a Bluetooth HID device:
If encryption is not already enabled, the Bluetooth HID Host shall
enable encryption with the Bluetooth HID device before sending an
L2CAP Connect Request to open the HID L2CAP Control channel.
When creating connection, this patch checks whether the target
device is bonded, if yes then we use the medium security level
instead of the low one to enable encryption.
| |
HID devices can wake the host from a suspended state. Mark the profiles
to support wake when they are accepted. If the device hasn't already
been configured with a Wake Allowed configuration, it will default to
yes when the profile is accepted.
| |
HOG UUID is defined at multiple places in the code. Move that
definition to lib/uuid.h where all other UUIDs are defined.
| |
If the intr channel was disconnected by the other party, then they
are also responsible to close the ctrl channel. Such disconnection
message would have the G_IO_ERR flag set, as opposed to it being
unset if the disconnection is initiated by us.
There doesn't seem to be an explicit rule in the specification
about this behavior, but this is enforced in the PTS qualification
tool.
| |
According to bluetooth HID Profile spec Ver 1.0, section 7.2.2, A
host or device shall always complete the disconnection of the
interrupt channel before disconnecting the control channel.
However, the current implementation disconnects them both
simultaneously.
This patch postpones the disconnection of control channel to the
callback of interrupt watch, which shall be called upon receiving
interrupt channel disconnection response.
| |
Set the correct vendor and product ids for all UHID/HoG
devices when they are unknown at HoG creation time.
Before this change, when connecting a BT device with multiple HoG
services for the first time, only the first HoG instance's vendor,
product and version fields would be set by the DIS callback. This meant
that all HoG instances except the first would be left with unset values
and their UHID devices would then be created with '0000:0000' as their
vendor:product ids.
| |
To avoid a double hog free, need to add a ref
when adding the hog to the slist.
This bug has been reproduced with gamepad-8718
which was connecting/disconnecting frantically.
Fix also a typo in the method hog_attach_instance
| |
LEAutoSecurity can be used to enable/disable automatic upgrades of
security for LE devices, by default it is enabled so existing devices
that did not require security and were not bonded will automatically
upgrade the security.
Note: Platforms disabling this setting would require users to manually
bond the device which may require changes to the user interface to
always force bonding for input devices as APIs such as Device.Connect
will no longer work which may be perceived as a regression.
| |
This attempts to set the security if the device is not bonded, the
kernel will block any communication on the ATT socket while bumping
the security and if that fails the device will be disconnected which
is better than having the device dangling around without being able to
communicate with it until it is properly bonded.
| |
This change adds a configuration for platforms to choose a more secure
posture for the HID profile. While some older mice are known to not
support pairing or encryption, some platforms may choose a more secure
posture by requiring the device to be bonded and require the
connection to be encrypted when bonding is required.
Reference:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
| |
HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding.
Reference:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm
| |
Update uhid and uinput devices with lowercase addresses (to match how
kernel prints it via %pMR). Also update uinput to include the phys
attribute and correctly set the vendor/product/version during init.
| |
When the Bluetooth LE device disconnects, make sure to also destroy the
uHID device so that we don't have a lingering HID device accessible from
user-space.
This also fixes the input subsystem never seeing the device reattaching,
causing settings that should be applied on connection not to be applied.
https://bugzilla.kernel.org/show_bug.cgi?id=202909
Tested-by: Bastien Nocera <hadess@hadess.net>
| |
This fixes the following error:
profiles/input/device.c: In function ‘hidp_add_connection’:
profiles/input/device.c:677:47: error: ‘%s’ directive output may be truncated writing up to 127 bytes into a region of size between 0 and 127 [-Werror=format-truncation=]
snprintf(req->name, sizeof(req->name), "%s %s",
^~
pname, sdesc);
~~~~~
profiles/input/device.c:677:4: note: ‘snprintf’ output between 2 and 256 bytes into a destination of size 128
snprintf(req->name, sizeof(req->name), "%s %s",
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pname, sdesc);