Download raw body.
imt(4)/umt(4): finding HID report IDs
Anybody?
On 7/2/25 01:37, Ulf Brosziewski wrote:
> The way imt(4) and umt(4) search for report IDs is broken. Depending
> on the structure and distribution of IDs in a report descriptor, it might
> succeed, or fail with wrong ID values (as has been reported by Thomas
> Dettbarn, see https://marc.info/?l=openbsd-tech&m=174841257723328&w=2 ).
>
> The hid_*_collection functions only provide partial information, which,
> in isolation, may be useless if you aren't lucky and deal with simple,
> uniform descriptors.
>
> The patch adds another helper function to hid.c, which permits searching
> for several report items at once, and filters out "unknown" collections
> (see the comment in the diff). It doesn't put further constraints on the
> search and the structure of the descriptor, but the heuristic might be
> safe enough for most practical purposes. However, my experience with the
> real HID world is limited, comments and hints would be appreciated.
>
> The patch moves the search for "PTP" reports to hidmt, and adapts imt
> and umt accordingly. Please note that it also contains a fix for another
> bug in hidmt (see https://marc.info/?l=openbsd-tech&m=175101436027656&w=2 ).
> It may be hidden by the faulty report search; that's why for tests, it
> makes sense to combine the patches.
>
> Tests, comments, and OKs would be welcome.
>
>
> Index: dev/hid/hid.c
> ===================================================================
> RCS file: /cvs/src/sys/dev/hid/hid.c,v
> retrieving revision 1.7
> diff -u -p -r1.7 hid.c
> --- dev/hid/hid.c 10 May 2024 10:49:10 -0000 1.7
> +++ dev/hid/hid.c 1 Jul 2025 20:11:57 -0000
> @@ -706,3 +706,70 @@ hid_get_id_of_collection(const void *des
> hid_end_parse(hd);
> return -1;
> }
> +
> +/*
> + * Find the first report that contains each of the given "usages"
> + * and belongs to a top-level collection with the 'top_usage' type.
> + * The size of the 'usages' array must be in the range [1..32].
> + *
> + * If 'coll_usages' is NULL, the search will skip collections with
> + * usages from vendor pages (0xFF00 - 0xFFFF).
> + *
> + * If 'coll_usages' is non-NULL, it must point to a 0-terminated
> + * sequence of collection usages, and the search will skip collections
> + * with usages not present in this set. (It isn't necessary to include
> + * the top-level usage here).
> + *
> + * Return Values:
> + * -1: No match
> + * 0: Success (single report without an ID)
> + * [1..255]: Report ID
> + */
> +int
> +hid_find_report(const void *desc, int len, enum hid_kind kind,
> + int32_t top_usage, int n_usages, int32_t *usages, int32_t *coll_usages)
> +{
> + struct hid_data *hd;
> + struct hid_item h;
> + uint32_t matches;
> + int i, cur_id, skip;
> +
> + hd = hid_start_parse(desc, len, hid_all);
> + for (cur_id = -1, skip = 0; hid_get_item(hd, &h); ) {
> + if (cur_id != h.report_ID) {
> + matches = 0;
> + cur_id = h.report_ID;
> + }
> + if (h.kind == hid_collection) {
> + if (skip)
> + continue;
> + if (h.collevel == 1) {
> + if (h.usage != top_usage)
> + skip = 1;
> + } else if (coll_usages != NULL) {
> + for (i = 0; coll_usages[i] != h.usage; i++)
> + if (coll_usages[i] == 0) {
> + skip = h.collevel;
> + break;
> + }
> + } else if (((h.usage >> 16) & 0xffff) >= 0xff00) {
> + skip = h.collevel;
> + }
> + } else if (h.kind == hid_endcollection) {
> + if (h.collevel < skip)
> + skip = 0;
> + }
> + if (h.kind != kind || skip)
> + continue;
> + for (i = 0; i < n_usages; i++)
> + if (h.usage == usages[i] && !(matches & (1 << i))) {
> + matches |= (1 << i);
> + if (matches != (1 << n_usages) - 1)
> + break;
> + hid_end_parse(hd);
> + return (h.report_ID);
> + }
> + }
> + hid_end_parse(hd);
> + return (-1);
> +}
> Index: dev/hid/hid.h
> ===================================================================
> RCS file: /cvs/src/sys/dev/hid/hid.h,v
> retrieving revision 1.11
> diff -u -p -r1.11 hid.h
> --- dev/hid/hid.h 12 Aug 2023 20:47:06 -0000 1.11
> +++ dev/hid/hid.h 1 Jul 2025 20:11:57 -0000
> @@ -95,6 +95,8 @@ uint32_t hid_get_udata(const uint8_t *bu
> int hid_is_collection(const void *, int, uint8_t, int32_t);
> struct hid_data *hid_get_collection_data(const void *, int, int32_t, uint32_t);
> int hid_get_id_of_collection(const void *, int, int32_t, uint32_t);
> +int hid_find_report(const void *, int len, enum hid_kind, int32_t,
> + int, int32_t *, int32_t *);
>
> #endif /* _KERNEL */
>
> Index: dev/hid/hidmt.c
> ===================================================================
> RCS file: /cvs/src/sys/dev/hid/hidmt.c,v
> retrieving revision 1.13
> diff -u -p -r1.13 hidmt.c
> --- dev/hid/hidmt.c 16 Oct 2022 20:17:08 -0000 1.13
> +++ dev/hid/hidmt.c 1 Jul 2025 20:11:57 -0000
> @@ -42,6 +42,9 @@
> #define DPRINTF(x)
> #endif
>
> +#define IS_TOP_LEVEL_USAGE(u) ((((u) >> 16) & 0xffff) == HUP_BUTTON || \
> + (u) == HID_USAGE2(HUP_DIGITIZERS, HUD_CONTACTCOUNT))
> +
> #define HID_UNIT_CM 0x11
> #define HID_UNIT_INCH 0x13
>
> @@ -373,7 +376,7 @@ hidmt_input(struct hidmt *mt, uint8_t *d
>
> bzero(&hc, sizeof(struct hidmt_contact));
> }
> - else if (!firstu)
> + else if (!firstu && !IS_TOP_LEVEL_USAGE(hi->usage))
> firstu = hi->usage;
>
> switch (hi->usage) {
> @@ -530,4 +533,41 @@ void
> hidmt_disable(struct hidmt *mt)
> {
> mt->sc_enabled = 0;
> +}
> +
> +int
> +hidmt_find_winptp_reports(const void *desc, int len, int *input_rid,
> + int *config_rid, int *cap_rid)
> +{
> + static int32_t ptp_collections[] = {
> + HID_USAGE2(HUP_DIGITIZERS, HUD_FINGER), 0
> + };
> + static int32_t input_usages[] = {
> + /* top-level */
> + HID_USAGE2(HUP_DIGITIZERS, HUD_CONTACTCOUNT),
> + /* contact-level */
> + HID_USAGE2(HUP_GENERIC_DESKTOP, HUG_X),
> + HID_USAGE2(HUP_GENERIC_DESKTOP, HUG_Y),
> + HID_USAGE2(HUP_DIGITIZERS, HUD_CONFIDENCE),
> + HID_USAGE2(HUP_DIGITIZERS, HUD_TIP_SWITCH),
> + HID_USAGE2(HUP_DIGITIZERS, HUD_CONTACTID),
> + };
> + static int32_t cfg_usages[] = {
> + HID_USAGE2(HUP_DIGITIZERS, HUD_INPUT_MODE),
> + };
> + static int32_t cap_usages[] = {
> + HID_USAGE2(HUP_DIGITIZERS, HUD_CONTACT_MAX),
> + };
> +
> + *input_rid = hid_find_report(desc, len, hid_input,
> + HID_USAGE2(HUP_DIGITIZERS, HUD_TOUCHPAD),
> + nitems(input_usages), input_usages, ptp_collections);
> + *config_rid = hid_find_report(desc, len, hid_feature,
> + HID_USAGE2(HUP_DIGITIZERS, HUD_CONFIG),
> + nitems(cfg_usages), cfg_usages, ptp_collections);
> + *cap_rid = hid_find_report(desc, len, hid_feature,
> + HID_USAGE2(HUP_DIGITIZERS, HUD_TOUCHPAD),
> + nitems(cap_usages), cap_usages, ptp_collections);
> +
> + return (*input_rid > 0 && *config_rid > 0 && *cap_rid > 0);
> }
> Index: dev/hid/hidmtvar.h
> ===================================================================
> RCS file: /cvs/src/sys/dev/hid/hidmtvar.h,v
> retrieving revision 1.8
> diff -u -p -r1.8 hidmtvar.h
> --- dev/hid/hidmtvar.h 8 Nov 2019 01:20:22 -0000 1.8
> +++ dev/hid/hidmtvar.h 1 Jul 2025 20:11:57 -0000
> @@ -77,3 +77,4 @@ int hidmt_enable(struct hidmt *);
> void hidmt_input(struct hidmt *, uint8_t *, u_int);
> int hidmt_ioctl(struct hidmt *, u_long, caddr_t, int, struct proc *);
> int hidmt_setup(struct device *, struct hidmt *, void *, int);
> +int hidmt_find_winptp_reports(const void *, int, int *, int *, int *);
> Index: dev/i2c/imt.c
> ===================================================================
> RCS file: /cvs/src/sys/dev/i2c/imt.c,v
> retrieving revision 1.6
> diff -u -p -r1.6 imt.c
> --- dev/i2c/imt.c 13 May 2024 01:15:50 -0000 1.6
> +++ dev/i2c/imt.c 1 Jul 2025 20:11:57 -0000
> @@ -56,8 +56,6 @@ const struct wsmouse_accessops imt_acces
> };
>
> int imt_match(struct device *, void *, void *);
> -int imt_find_winptp_reports(struct ihidev_softc *, void *, int,
> - struct imt_softc *);
> void imt_attach(struct device *, struct device *, void *);
> int imt_hidev_get_report(struct device *, int, int, void *, int);
> int imt_hidev_set_report(struct device *, int, int, void *, int);
> @@ -78,16 +76,17 @@ int
> imt_match(struct device *parent, void *match, void *aux)
> {
> struct ihidev_attach_arg *iha = (struct ihidev_attach_arg *)aux;
> - struct imt_softc sc;
> + int input_rid, conf_rid, cap_rid;
> int size;
> void *desc;
>
> if (iha->reportid == IHIDEV_CLAIM_MULTIPLEID) {
> ihidev_get_report_desc(iha->parent, &desc, &size);
> - if (imt_find_winptp_reports(iha->parent, desc, size, &sc)) {
> - iha->claims[0] = sc.sc_rep_input;
> - iha->claims[1] = sc.sc_rep_config;
> - iha->claims[2] = sc.sc_rep_cap;
> + if (hidmt_find_winptp_reports(desc, size,
> + &input_rid, &conf_rid, &cap_rid)) {
> + iha->claims[0] = input_rid;
> + iha->claims[1] = conf_rid;
> + iha->claims[2] = cap_rid;
> iha->nclaims = 3;
> return (IMATCH_DEVCLASS_DEVSUBCLASS);
> }
> @@ -96,49 +95,6 @@ imt_match(struct device *parent, void *m
> return (IMATCH_NONE);
> }
>
> -int
> -imt_find_winptp_reports(struct ihidev_softc *parent, void *desc, int size,
> - struct imt_softc *sc)
> -{
> - int repid;
> - int input = 0, conf = 0, cap = 0;
> -
> - if (sc != NULL) {
> - sc->sc_rep_input = -1;
> - sc->sc_rep_config = -1;
> - sc->sc_rep_cap = -1;
> - }
> -
> - for (repid = 0; repid < parent->sc_nrepid; repid++) {
> - if (hid_report_size(desc, size, hid_input, repid) == 0 &&
> - hid_report_size(desc, size, hid_output, repid) == 0 &&
> - hid_report_size(desc, size, hid_feature, repid) == 0)
> - continue;
> -
> - if (hid_is_collection(desc, size, repid,
> - HID_USAGE2(HUP_DIGITIZERS, HUD_TOUCHPAD))) {
> - input = 1;
> - if (sc != NULL && sc->sc_rep_input == -1)
> - sc->sc_rep_input = repid;
> - } else if (hid_is_collection(desc, size, repid,
> - HID_USAGE2(HUP_DIGITIZERS, HUD_CONFIG))) {
> - conf = 1;
> - if (sc != NULL && sc->sc_rep_config == -1)
> - sc->sc_rep_config = repid;
> - }
> -
> - /* capabilities report could be anywhere */
> - if (hid_locate(desc, size, HID_USAGE2(HUP_DIGITIZERS,
> - HUD_CONTACT_MAX), repid, hid_feature, NULL, NULL)) {
> - cap = 1;
> - if (sc != NULL && sc->sc_rep_cap == -1)
> - sc->sc_rep_cap = repid;
> - }
> - }
> -
> - return (conf && input && cap);
> -}
> -
> void
> imt_attach(struct device *parent, struct device *self, void *aux)
> {
> @@ -152,7 +108,8 @@ imt_attach(struct device *parent, struct
> sc->sc_hdev.sc_parent = iha->parent;
>
> ihidev_get_report_desc(iha->parent, &desc, &size);
> - imt_find_winptp_reports(iha->parent, desc, size, sc);
> + hidmt_find_winptp_reports(desc, size, &sc->sc_rep_input,
> + &sc->sc_rep_config, &sc->sc_rep_cap);
>
> memset(mt, 0, sizeof(sc->sc_mt));
>
> Index: dev/usb/umt.c
> ===================================================================
> RCS file: /cvs/src/sys/dev/usb/umt.c,v
> retrieving revision 1.8
> diff -u -p -r1.8 umt.c
> --- dev/usb/umt.c 26 May 2024 20:06:27 -0000 1.8
> +++ dev/usb/umt.c 1 Jul 2025 20:11:57 -0000
> @@ -60,8 +60,6 @@ const struct wsmouse_accessops umt_acces
> };
>
> int umt_match(struct device *, void *, void *);
> -int umt_find_winptp_reports(struct uhidev_softc *, void *, int, int *,
> - int *, int *);
> void umt_attach(struct device *, struct device *, void *);
> int umt_hidev_get_report(struct device *, int, int, void *, int);
> int umt_hidev_set_report(struct device *, int, int, void *, int);
> @@ -88,7 +86,7 @@ umt_match(struct device *parent, void *m
>
> if (UHIDEV_CLAIM_MULTIPLE_REPORTID(uha)) {
> uhidev_get_report_desc(uha->parent, &desc, &size);
> - if (umt_find_winptp_reports(uha->parent, desc, size, &input,
> + if (hidmt_find_winptp_reports(desc, size, &input,
> &conf, &cap)) {
> uha->claimed[input] = 1;
> uha->claimed[conf] = 1;
> @@ -100,50 +98,6 @@ umt_match(struct device *parent, void *m
> return (UMATCH_NONE);
> }
>
> -int
> -umt_find_winptp_reports(struct uhidev_softc *parent, void *desc, int size,
> - int *input, int *config, int *cap)
> -{
> - int repid;
> - int finput = 0, fconf = 0, fcap = 0;
> -
> - if (input != NULL)
> - *input = -1;
> - if (config != NULL)
> - *config = -1;
> - if (cap != NULL)
> - *cap = -1;
> -
> - for (repid = 0; repid < parent->sc_nrepid; repid++) {
> - if (hid_report_size(desc, size, hid_input, repid) == 0 &&
> - hid_report_size(desc, size, hid_output, repid) == 0 &&
> - hid_report_size(desc, size, hid_feature, repid) == 0)
> - continue;
> -
> - if (hid_is_collection(desc, size, repid,
> - HID_USAGE2(HUP_DIGITIZERS, HUD_TOUCHPAD))) {
> - finput = 1;
> - if (input != NULL && *input == -1)
> - *input = repid;
> - } else if (hid_is_collection(desc, size, repid,
> - HID_USAGE2(HUP_DIGITIZERS, HUD_CONFIG))) {
> - fconf = 1;
> - if (config != NULL && *config == -1)
> - *config = repid;
> - }
> -
> - /* capabilities report could be anywhere */
> - if (hid_locate(desc, size, HID_USAGE2(HUP_DIGITIZERS,
> - HUD_CONTACT_MAX), repid, hid_feature, NULL, NULL)) {
> - fcap = 1;
> - if (cap != NULL && *cap == -1)
> - *cap = repid;
> - }
> - }
> -
> - return (fconf && finput && fcap);
> -}
> -
> void
> umt_attach(struct device *parent, struct device *self, void *aux)
> {
> @@ -163,7 +117,7 @@ umt_attach(struct device *parent, struct
> sc->sc_quirks = usbd_get_quirks(sc->sc_hdev.sc_udev)->uq_flags;
>
> uhidev_get_report_desc(uha->parent, &desc, &size);
> - umt_find_winptp_reports(uha->parent, desc, size, &sc->sc_rep_input,
> + hidmt_find_winptp_reports(desc, size, &sc->sc_rep_input,
> &sc->sc_rep_config, &sc->sc_rep_cap);
>
> memset(mt, 0, sizeof(sc->sc_mt));
>
imt(4)/umt(4): finding HID report IDs