Date: Fri, 3 Jul 2026 16:25:18 +0200
From: Günther Noack
To: "Derek J. Clark"
Cc: Jiri Kosina, Benjamin Tissoires, "Pierre-Loup A . Griffais", Lee Jones, Lambert Fan, Zhouwang Huang, linux-input@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v4 0/5] Add OneXPlayer Configuration HID Driver
In-Reply-To: <20260419042624.625746-1-derekjohn.clark@gmail.com>

Hello Derek!

On Sat, Apr 18, 2026 at 09:26:19PM -0700, Derek J. Clark wrote:
> Adds an HID driver for OneXPlayer HID configuration devices. There are
> currently 2 generations of OneXPlayer HID protocol. The first (OneXPlayer
> F1 series) only provides an RGB control interface over HID. The second
> (X1 mini series, G1 series, AOKZOE A1X) also includes a hardware level
> button mapping interface, vibration intensity settings, and the ability
> to switch output between xinput and a debug mode that can be used to debug
> the button mapping. Some devices (G1 Series, APEX) use a hybrid of Gen1
> RGB control and Gen 2 controller settings. To ensure there are no conflicts
> when the driver is loaded, we skip creating the RGB interface for Gen 2
> devices if there is a DMI match.
>
> I'll also add a note that Gen 1 devices also have an interface for
> setting the key map and debug mode, but that is done entirely over a
> serial TTY device so it is not able to be added to this driver. There
> are also some "Gen 0" devices (OneXPlayer 2 Series) that also use it, but
> the TTY interface also handles the RGB control so no support is
> provided by this driver for those interfaces.
>
> Signed-off-by: Derek J. Clark

Sorry I am late to this review, but here are two issues I discovered
when looking at the code:

(1) The functions oxp_hid_raw_event_gen_1() and
    oxp_hid_raw_event_gen_2() are both forgetting to do bounds checks
    against the "size" argument. For real devices, which send a real
    report descriptor, these buffers will be large enough, but a device
    that sends a faked report descriptor can provoke an
    out-of-bounds-read here by underspecifying the size for these
    reports.

(2) oxp_hid_probe() and other functions are populating drvdata, and
    drvdata is a static variable. If you plug in two of these devices
    at the same time, they will step on each other's toes, and this
    leads to all kinds of memory corruption problems when they do.

    I believe the right way to go about this is to allocate a separate
    piece of memory for each device that you are plugging in. Other
    device drivers do this using devm_kzalloc().

Disclaimer: I found these through code inspection and curiosity but
have not tried to reproduce the crashes. Per Linux's official threat
model[1], these are not considered security vulnerabilities. An
attacker who impersonates a USB device and gains illegitimate access to
the USB port might be able to provoke these bugs though, and I wouldn't
be surprised if (2) also just leads to system crashes when using two of
these devices at the same time.

—Günther

[1] https://docs.kernel.org/process/threat-model.html