Thread (2 messages) 2 messages, 2 authors, 2025-09-12

[PATCH] HID: pidff: Fix possible null pointer dereference

From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Date: 2025-08-23 19:45:25
Subsystem: hid core layer, the rest, usb hid pid drivers (usb wheelbases, joysticks, rudders, ...), usb hid/hidbp drivers (usb keyboards, mice, remote controls, ...) · Maintainers: Jiri Kosina, Benjamin Tissoires, Linus Torvalds, Tomasz Pakuła, Oleg Makarenko

As reported by Dan Carpenter, if the axes_enable field wasn't found,
trying to find the axes themselves will result in a null pointer
dereference. This could only occur with a broken PID descriptor, but
it's worth protecting from.

Exit early if the axes_enable wasn't found AND add a gate to the
pidff_find_special_keys to exit early if the passed HID field is null.
This will protect against null dereferencing in the future and properly
return 0 found special keys.

Fixes:
Commit 1d72e7bd340b ("HID: pidff: Add support for AXES_ENABLE field")
Made on top of for-6.18/pidff

Reported-by: Dan Carpenter <redacted>
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
---
 drivers/hid/usbhid/hid-pidff.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 0342c0a3f476..edd61ef50e16 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -1194,6 +1194,9 @@ static int pidff_find_special_keys(int *keys, struct hid_field *fld,
 {
 	int found = 0;
 
+	if (!fld)
+		return 0;
+
 	for (int i = 0; i < count; i++) {
 		keys[i] = pidff_find_usage(fld, usage_page | usagetable[i]) + 1;
 		if (keys[i])
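Review bot: The new early return in pidff_find_special_keys() leaves keys[] untouched, whereas the loop below it writes every keys[i] (0 when the usage is not found). A caller that passes a NULL fld now depends on keys[] having been zeroed beforehand, which is not visible from this hunk. Consider clearing keys[0..count-1] before "return 0;" or adding a comment stating that callers must provide zero-initialised storage, so the "0 found" result and the contents of keys[] always agree.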
@@ -1299,11 +1302,13 @@ static int pidff_find_special_fields(struct pidff_device *pidff)
 		return -1;
 	}
 
-	if (!pidff->axes_enable)
+	if (!pidff->axes_enable) {
 		hid_info(pidff->hid, "axes enable field not found!\n");
-	else
-		hid_dbg(pidff->hid, "axes enable report count: %u\n",
-			pidff->axes_enable->report_count);
+		return 0;
+	}
+
+	hid_dbg(pidff->hid, "axes enable report count: %u\n",
+		pidff->axes_enable->report_count);
 
 	uint found = PIDFF_FIND_GENERAL_DESKTOP(direction_axis_id, axes_enable,
 						direction_axis);
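Review bot: The added "return 0;" in the !pidff->axes_enable branch skips the rest of pidff_find_special_fields(), including the "pidff->axis_count = found;" assignment visible in the next hunk, so axis_count keeps whatever value it had before this call. If that is relied on to be 0, set it explicitly before returning or note the assumption in a comment. The branch also logs "not found!" at info level and then reports success, while the error path just above returns -1; a short comment saying that a missing axes_enable field is deliberately non-fatal would make the intent clear, since the changelog attributes this case to a broken PID descriptor.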
@@ -1311,7 +1316,7 @@ static int pidff_find_special_fields(struct pidff_device *pidff)
 	pidff->axis_count = found;
 	hid_dbg(pidff->hid, "found direction axes: %u", found);
 
-	for (int i = 0; i < sizeof(pidff_direction_axis); i++) {
+	for (int i = 0; i < ARRAY_SIZE(pidff_direction_axis); i++) {
 		if (!pidff->direction_axis_id[i])
 			continue;
 
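Review bot: The loop bound change from sizeof(pidff_direction_axis) to ARRAY_SIZE(pidff_direction_axis) is not mentioned in the commit message, which only describes the null pointer checks. If the array elements are wider than one byte, the old bound let i run past the end of direction_axis_id[], and that is a separate fix that deserves its own line in the changelog or its own patch; if the elements are one byte it is a cleanup and should be described as such. Either way, please state it in the description so the Fixes tag and the diff match.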
-- 
2.50.1