[PATCH] HID: pidff: Fix possible null pointer dereference

[PATCH] HID: pidff: Fix possible null pointer dereference

[Tomasz Pakuła]

As reported by Dan Carpenter, if the axes_enable field wasn't found,
trying to find the axes themselves will result in a null pointer
dereference. This could only occur with a broken PID descriptor, but
it's worth protecting from.

Exit early if the axes_enable wasn't found AND add a gate to the
pidff_find_special_keys to exit early if the passed HID field is null.
This will protect again null dereferencing in the future and properly
return 0 found special keys.

Fixes:
Commit 1d72e7bd340b ("HID: pidff: Add support for AXES_ENABLE field")
Made on top of for-6.18/pidff

Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
---
 drivers/hid/usbhid/hid-pidff.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 0342c0a3f476..edd61ef50e16 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -1194,6 +1194,9 @@ static int pidff_find_special_keys(int *keys, struct hid_field *fld,
 {
 	int found = 0;
 
+	if (!fld)
+		return 0;
+
 	for (int i = 0; i < count; i++) {
 		keys[i] = pidff_find_usage(fld, usage_page | usagetable[i]) + 1;
 		if (keys[i])
@@ -1299,11 +1302,13 @@ static int pidff_find_special_fields(struct pidff_device *pidff)
 		return -1;
 	}
 
-	if (!pidff->axes_enable)
+	if (!pidff->axes_enable) {
 		hid_info(pidff->hid, "axes enable field not found!\n");
-	else
-		hid_dbg(pidff->hid, "axes enable report count: %u\n",
-			pidff->axes_enable->report_count);
+		return 0;
+	}
+
+	hid_dbg(pidff->hid, "axes enable report count: %u\n",
+		pidff->axes_enable->report_count);
 
 	uint found = PIDFF_FIND_GENERAL_DESKTOP(direction_axis_id, axes_enable,
 						direction_axis);
@@ -1311,7 +1316,7 @@ static int pidff_find_special_fields(struct pidff_device *pidff)
 	pidff->axis_count = found;
 	hid_dbg(pidff->hid, "found direction axes: %u", found);
 
-	for (int i = 0; i < sizeof(pidff_direction_axis); i++) {
+	for (int i = 0; i < ARRAY_SIZE(pidff_direction_axis); i++) {
 		if (!pidff->direction_axis_id[i])
 			continue;
 
-- 
2.50.1

Re: [PATCH] HID: pidff: Fix possible null pointer dereference

[Jiri Kosina]

On Sat, 23 Aug 2025, Tomasz Pakuła wrote:

> As reported by Dan Carpenter, if the axes_enable field wasn't found,
> trying to find the axes themselves will result in a null pointer
> dereference. This could only occur with a broken PID descriptor, but
> it's worth protecting from.
> 
> Exit early if the axes_enable wasn't found AND add a gate to the
> pidff_find_special_keys to exit early if the passed HID field is null.
> This will protect again null dereferencing in the future and properly
> return 0 found special keys.
> 
> Fixes:
> Commit 1d72e7bd340b ("HID: pidff: Add support for AXES_ENABLE field")
> Made on top of for-6.18/pidff
> 
> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>

Applied to hid.git#for-6.18/pidff, thanks.

-- 
Jiri Kosina
SUSE Labs