From d927909d4d7a57fc27684e0761fa7ca1991ba115 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tomasz=20Paku=C5=82a?=
Date: Sat, 23 Aug 2025 21:45:16 +0200
Subject: [PATCH] HID: pidff: Fix possible null pointer dereference
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
As reported by Dan Carpenter, if the axes_enable field wasn't found, trying to find the axes themselves will result in a null pointer dereference. This could only occur with a broken PID descriptor, but it's worth protecting from. Exit early if the axes_enable wasn't found AND add a gate to the pidff_find_special_keys to exit early if the passed HID field is null. This will protect again null dereferencing in the future and properly return 0 found special keys.
Fixes: 1d72e7bd340b ("HID: pidff: Add support for AXES_ENABLE field")
Reported-by: Dan Carpenter
Signed-off-by: Tomasz Pakuła
Signed-off-by: Jiri Kosina
---
 drivers/hid/usbhid/hid-pidff.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 0342c0a3f476..edd61ef50e16 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -1194,6 +1194,9 @@ static int pidff_find_special_keys(int *keys, struct hid_field *fld,
 {
 int found = 0;
+ if (!fld)
+ return 0;
+
 for (int i = 0; i < count; i++) {
 keys[i] = pidff_find_usage(fld, usage_page | usagetable[i]) + 1;
 if (keys[i])
@@ -1299,11 +1302,13 @@ static int pidff_find_special_fields(struct pidff_device *pidff)
 return -1;
 }
- if (!pidff->axes_enable)
+ if (!pidff->axes_enable) {
 hid_info(pidff->hid, "axes enable field not found!\n");
- else
- hid_dbg(pidff->hid, "axes enable report count: %u\n",
- pidff->axes_enable->report_count);
+ return 0;
+ }
+
+ hid_dbg(pidff->hid, "axes enable report count: %u\n",
+ pidff->axes_enable->report_count);
 uint found = PIDFF_FIND_GENERAL_DESKTOP(direction_axis_id, axes_enable, direction_axis);
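Review bot: The new `if (!fld) return 0;` gate in pidff_find_special_keys leaves `keys[]` unwritten, whereas the loop below it assigns every `keys[i]`, so a caller that reads `keys[]` after a zero return sees whatever was stored there before. Unless the arrays are guaranteed to be zeroed at allocation (not visible in this hunk), clear them on the early path with `memset(keys, 0, count * sizeof(*keys));` before the `return 0;`, or record the precondition in a comment such as `/* fld may be NULL when the descriptor lacks the field; keys[] is left untouched */`. The field pointer is derived from a device-supplied report descriptor, so the NULL path should be treated as reachable from any attached device rather than only from faulty hardware. The function's signature and tail lie outside the hunk.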
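Review bot: The early `return 0;` in pidff_find_special_fields reports success while `pidff->axes_enable` stays NULL and `pidff->axis_count` is never assigned, so every later user of that pointer now depends on its own guard; this hunk protects only the lookup that follows it. Other dereferences of `pidff->axes_enable` elsewhere in the driver are not visible here and should be confirmed to test the pointer or to key off `pidff->axis_count`. A short comment above the return would record the contract, for example `/* optional field: axes_enable stays NULL and axis_count is left unset */`. The function begins and ends outside the hunk.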
@@ -1311,7 +1316,7 @@ static int pidff_find_special_fields(struct pidff_device *pidff)
 pidff->axis_count = found;
 hid_dbg(pidff->hid, "found direction axes: %u", found);
- for (int i = 0; i < sizeof(pidff_direction_axis); i++) {
+ for (int i = 0; i < ARRAY_SIZE(pidff_direction_axis); i++) {
 if (!pidff->direction_axis_id[i])
 continue;
--
2.47.3
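Review bot: `pidff->direction_axis_id[i]` is indexed with a bound taken from a different array, `ARRAY_SIZE(pidff_direction_axis)`, and nothing in the hunk ties the two sizes together. Both declarations are outside the hunk, so if they are not already derived from one constant, a compile-time check next to the loop would keep them from drifting apart: `BUILD_BUG_ON(ARRAY_SIZE(pidff->direction_axis_id) < ARRAY_SIZE(pidff_direction_axis));`. The loop-bound change is also not mentioned in the commit message, and the `hid_dbg` format string `"found direction axes: %u"` just above it lacks the trailing `\n` that the other messages in this function carry.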