Hello,
(This is my first time reporting a Linux bug; please accept my apologies for any mistakes in the process.)
When initializing a HID PID device, hid-pidff.c checks for eight required HID reports and five optional reports. If the eight required reports are present, the hid_pidff_init() function then attempts to find the necessary fields in each required or optional report, using the pidff_find_fields() function. However, if any of the five optional reports is not present, pidff_find_fields() will trigger a null-pointer dereference.
I recently implemented the descriptors for a USB HID device with PID force-feedback capability. After implementing the required report descriptors but not the optional ones, I got an OOPS from the pidff_find_fields function. I saved the OOPS from my Ubuntu installation, and have attached it here. I later reproduced the issue on 6.11.6.
I was able to work around the issue by having my device present all of the optional report descriptors as well as all of the required ones.
Thank you, Nolan Nicholson
Cc Anssi
On 05. 11. 24, 1:30, Nolan Nicholson wrote:
> Hello,
> (This is my first time reporting a Linux bug; please accept my apologies for any mistakes in the process.)
> When initializing a HID PID device, hid-pidff.c checks for eight required HID reports and five optional reports. If the eight required reports are present, the hid_pidff_init() function then attempts to find the necessary fields in each required or optional report, using the pidff_find_fields() function. However, if any of the five optional reports is not present, pidff_find_fields() will trigger a null-pointer dereference.
> I recently implemented the descriptors for a USB HID device with PID force-feedback capability. After implementing the required report descriptors but not the optional ones, I got an OOPS from the pidff_find_fields function. I saved the OOPS from my Ubuntu installation, and have attached it here. I later reproduced the issue on 6.11.6.
> I was able to work around the issue by having my device present all of the optional report descriptors as well as all of the required ones.
Indeed. The code checks the required ones in pidff_reports_ok(). But the optional ones are not checked at all and are directly accessed in both pidff_init_fields() and also likely pidff_find_special_fields().
thanks,
On Tue, 5 Nov 2024, Jiri Slaby wrote:
>> (This is my first time reporting a Linux bug; please accept my apologies for any mistakes in the process.)
>> When initializing a HID PID device, hid-pidff.c checks for eight required HID reports and five optional reports. If the eight required reports are present, the hid_pidff_init() function then attempts to find the necessary fields in each required or optional report, using the pidff_find_fields() function. However, if any of the five optional reports is not present, pidff_find_fields() will trigger a null-pointer dereference.
>> I recently implemented the descriptors for a USB HID device with PID force-feedback capability. After implementing the required report descriptors but not the optional ones, I got an OOPS from the pidff_find_fields function. I saved the OOPS from my Ubuntu installation, and have attached it here. I later reproduced the issue on 6.11.6.
>> I was able to work around the issue by having my device present all of the optional report descriptors as well as all of the required ones.
> Indeed. The code checks the required ones in pidff_reports_ok(). But the optional ones are not checked at all and are directly accessed in both pidff_init_fields() and also likely pidff_find_special_fields().
Thanks for the report.
Nolan, will you be willing to create a patch implementing proper checking, test it with your device that's triggering it, and submit it in order to be applied?
Thanks,
linux-stable-mirror@lists.linaro.org
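The missing check discussed in this thread, modelled in user space as an added example (not code from hid-pidff.c or from any participant): an absent optional report is skipped rather than dereferenced, while a missing required report still fails initialization. All type and function names and the usage values are hypothetical; only the counts of eight required and five optional reports come from the report above.

```c
#include <stdio.h>
/* User-space model; every name here is hypothetical, not the kernel's. */
#define N_REQUIRED 8   /* counts as stated in the report */
#define N_OPTIONAL 5
#define N_REPORTS  (N_REQUIRED + N_OPTIONAL)
struct model_report { int nfields; const int *usages; };

/* Return the field index carrying `usage`, or -1. An absent (NULL)
 * report counts as "not found" instead of being dereferenced. */
static int find_field(const struct model_report *r, int usage)
{
    if (r == NULL)
        return -1;
    for (int i = 0; i < r->nfields; i++)
        if (r->usages[i] == usage)
            return i;
    return -1;
}

/* Return -1 if a required report or field is missing, otherwise a
 * bitmask of the optional reports that are present and usable. */
static int model_init(const struct model_report *const *reports, int usage)
{
    int mask = 0;
    for (int i = 0; i < N_REPORTS; i++) {
        int idx = find_field(reports[i], usage);
        if (i < N_REQUIRED && idx < 0)
            return -1;
        if (i >= N_REQUIRED && idx >= 0)
            mask |= 1 << (i - N_REQUIRED);
    }
    return mask;
}

/* Constructed input: bit n of `optional` makes optional report n present;
 * `drop_required` removes one required slot (-1 keeps them all). */
static int demo(int optional, int drop_required)
{
    static const int usages[] = { 0x22, 0x50 };   /* constructed values */
    static const struct model_report rep = { 2, usages };
    const struct model_report *reports[N_REPORTS] = { NULL };
    for (int i = 0; i < N_REQUIRED; i++)
        reports[i] = (i == drop_required) ? NULL : &rep;
    for (int i = 0; i < N_OPTIONAL; i++)
        reports[N_REQUIRED + i] = ((optional >> i) & 1) ? &rep : NULL;
    return model_init(reports, 0x50);
}

int main(void) { return printf("%d %d %d\n", demo(0, -1), demo(0x05, -1), demo(0x1f, 3)) < 0; }
```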