From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Xin Zhao, Benjamin Tissoires, Sasha Levin, jikos@kernel.org, linux-input@vger.kernel.org
Subject: [PATCH AUTOSEL 5.10 8/8] HID: core: Fix deadloop in hid_apply_multiplier.
Date: Wed, 15 Feb 2023 15:46:49 -0500
Message-Id: <20230215204649.2761225-8-sashal@kernel.org>
X-Mailer: git-send-email 2.39.0
In-Reply-To: <20230215204649.2761225-1-sashal@kernel.org>
References: <20230215204649.2761225-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Precedence: bulk
X-Mailing-List: linux-input@vger.kernel.org

From: Xin Zhao

[ Upstream commit ea427a222d8bdf2bc1a8a6da3ebe247f7dced70c ]

The initial value of hid->collection[].parent_idx is 0. When Report
descriptor doesn't contain "HID Collection", the value remains as 0.

In the meanwhile, when the Report descriptor fulfills all following
conditions, it will trigger hid_apply_multiplier function call.
1. Usage page is Generic Desktop Ctrls (0x01)
2. Usage is RESOLUTION_MULTIPLIER (0x48)
3. Contain any FEATURE items

The while loop in hid_apply_multiplier will search the top-most
collection by searching parent_idx == -1. Because all parent_idx is 0.
The loop will run forever.

There is a Report Descriptor triggering the deadloop
0x05, 0x01,        // Usage Page (Generic Desktop Ctrls)
0x09, 0x48,        // Usage (0x48)
0x95, 0x01,        // Report Count (1)
0x75, 0x08,        // Report Size (8)
0xB1, 0x01,        // Feature

Signed-off-by: Xin Zhao
Link: https://lore.kernel.org/r/20230130212947.1315941-1-xnzhao@google.com
Signed-off-by: Benjamin Tissoires
Signed-off-by: Sasha Levin
---
 drivers/hid/hid-core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index baadead947c8b..5f9ec1d1464a2 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c 
@@ -1197,6 +1197,7 @@ int hid_open_report(struct hid_device *device) __u8 *end; __u8 *next; int ret; + int i; static int (*dispatch_type[])(struct hid_parser *parser, struct hid_item *item) = { hid_parser_main, @@ -1247,6 +1248,8 @@ int hid_open_report(struct hid_device *device) goto err; } device->collection_size = HID_DEFAULT_NUM_COLLECTIONS; + for (i = 0; i < HID_DEFAULT_NUM_COLLECTIONS; i++) + device->collection[i].parent_idx = -1; ret = -EINVAL; while ((next = fetch_item(start, end, &item)) != NULL) { -- 2.39.0
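
Review bot: In the second hunk of hid_open_report, the new loop is bounded by HID_DEFAULT_NUM_COLLECTIONS rather than by device->collection_size, which is assigned on the context line just above it; writing the bound as i < device->collection_size would keep the initialisation tied to the size actually recorded for the array. The loop also covers only the entries set up at this point, so any path that later enlarges device->collection (none is visible in this patch) should be checked to make sure new entries get parent_idx = -1 as well. A one-line comment stating that -1 is the "no parent" value hid_apply_multiplier searches for would make the intent clear to the next reader.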
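
The commit message's reasoning, as an added user-space model (not code from the kernel or from this patch): a walk that follows parent_idx until it sees -1 never ends on a zeroed array and ends immediately once every slot starts at -1. The names NUM_COLLECTIONS, MAX_STEPS, init_zeroed, init_sentinel and find_topmost are assumptions made for this illustration, and the step budget exists only so the model can report the cycle instead of hanging.

```c
#include <stdio.h>
#include <string.h>

#define NUM_COLLECTIONS 16   /* assumed stand-in for HID_DEFAULT_NUM_COLLECTIONS */
#define MAX_STEPS 64         /* walk budget so the model can report a cycle */

struct collection { int parent_idx; };   /* only the field the walk reads */

/* State before the fix: a zeroed array, so every parent_idx is 0. */
void init_zeroed(struct collection *c)
{
    memset(c, 0, NUM_COLLECTIONS * sizeof(*c));
}

/* State after the fix: every slot starts with the "no parent" sentinel. */
void init_sentinel(struct collection *c)
{
    for (int i = 0; i < NUM_COLLECTIONS; i++)
        c[i].parent_idx = -1;
}

/*
 * Follow parent_idx from `start` until the -1 sentinel is found.
 * Returns the index of the top-most collection, or -1 when the budget is
 * exhausted, which for an unbounded loop means it would never return.
 */
int find_topmost(const struct collection *c, int start)
{
    int idx = start;
    for (int steps = 0; steps < MAX_STEPS; steps++) {
        if (c[idx].parent_idx == -1)
            return idx;
        if (c[idx].parent_idx < 0 || c[idx].parent_idx >= NUM_COLLECTIONS)
            return -1;  /* defensive: never index outside the array */
        idx = c[idx].parent_idx;
    }
    return -1;
}

int main(void)
{
    struct collection c[NUM_COLLECTIONS];

    init_zeroed(c);     /* no collection in the descriptor: 0 -> 0 -> 0 ... */
    printf("zeroed:   %d\n", find_topmost(c, 0));
    init_sentinel(c);
    printf("sentinel: %d\n", find_topmost(c, 0));
    return 0;
}
```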