From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Xin Zhao, Benjamin Tissoires, Sasha Levin, jikos@kernel.org, linux-input@vger.kernel.org
Subject: [PATCH AUTOSEL 6.1 19/24] HID: core: Fix deadloop in hid_apply_multiplier.
Date: Wed, 15 Feb 2023 15:45:42 -0500
Message-Id: <20230215204547.2760761-19-sashal@kernel.org>
X-Mailer: git-send-email 2.39.0
In-Reply-To: <20230215204547.2760761-1-sashal@kernel.org>
References: <20230215204547.2760761-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Xin Zhao

[ Upstream commit ea427a222d8bdf2bc1a8a6da3ebe247f7dced70c ]

The initial value of hid->collection[].parent_idx is 0. When Report
descriptor doesn't contain "HID Collection", the value remains as 0.

In the meanwhile, when the Report descriptor fulfills all following
conditions, it will trigger hid_apply_multiplier function call.
1. Usage page is Generic Desktop Ctrls (0x01)
2. Usage is RESOLUTION_MULTIPLIER (0x48)
3. Contains any FEATURE items

The while loop in hid_apply_multiplier will search the top-most collection by
searching parent_idx == -1. Because all parent_idx is 0, the loop will run
forever.

There is a Report Descriptor triggering the deadloop:
0x05, 0x01,        // Usage Page (Generic Desktop Ctrls)
0x09, 0x48,        // Usage (0x48)
0x95, 0x01,        // Report Count (1)
0x75, 0x08,        // Report Size (8)
0xB1, 0x01,        // Feature

Signed-off-by: Xin Zhao
Link: https://lore.kernel.org/r/20230130212947.1315941-1-xnzhao@google.com
Signed-off-by: Benjamin Tissoires
Signed-off-by: Sasha Levin
---
 drivers/hid/hid-core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index 3e1803592bd4a..5c72aef3d3dd5 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c 
@@ -1202,6 +1202,7 @@ int hid_open_report(struct hid_device *device) __u8 *end; __u8 *next; int ret; + int i; static int (*dispatch_type[])(struct hid_parser *parser, struct hid_item *item) = { hid_parser_main, @@ -1252,6 +1253,8 @@ int hid_open_report(struct hid_device *device) goto err; } device->collection_size = HID_DEFAULT_NUM_COLLECTIONS; + for (i = 0; i < HID_DEFAULT_NUM_COLLECTIONS; i++) + device->collection[i].parent_idx = -1; ret = -EINVAL; while ((next = fetch_item(start, end, &item)) != NULL) { -- 2.39.0
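
Review bot: In the second hunk (@@ -1252,6 +1253,8 @@) the new loop is bounded by the constant HID_DEFAULT_NUM_COLLECTIONS rather than by device->collection_size, which is assigned on the line just above it; writing the condition as i < device->collection_size would keep the initialisation tied to the recorded size if the two ever diverge. The loop also covers only the entries set up at this point, and the visible lines do not show whether entries added later, should collection_size grow during parsing, also get parent_idx = -1, so that path is worth confirming. Because the commit message says hid_apply_multiplier walks upward until parent_idx == -1, a one-line comment above the loop stating that -1 means "no parent" would document the invariant that walk depends on.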
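
The parent walk described in the commit message, modelled in user-space C as an added example (not kernel code and not part of the patch). struct collection, find_topmost, walk_zeroed, walk_initialised and NUM_COLLECTIONS are hypothetical stand-ins, and the step bound is an assumption of the model so that the zero-filled case returns instead of spinning.

```c
#include <stdio.h>
#include <string.h>

#define NUM_COLLECTIONS 16 /* constructed size for this model */

/* Hypothetical stand-in for one entry of hid->collection[]. */
struct collection {
    int parent_idx; /* -1 marks the top-most entry (no parent) */
};

/* Follow parent links from 'start' until parent_idx == -1.
 * Returns the top-most index, or -1 if no terminator is found within
 * n steps (bound added by this model so the demonstration returns). */
static int find_topmost(const struct collection *c, int n, int start)
{
    int idx = start;
    for (int steps = 0; steps < n; steps++) {
        if (idx < 0 || idx >= n)
            return -1;           /* link points outside the table */
        if (c[idx].parent_idx == -1)
            return idx;          /* reached the root */
        idx = c[idx].parent_idx; /* climb one level */
    }
    return -1;                   /* an unbounded walk would never exit */
}

/* Zero-filled table, as the commit message describes before the fix. */
static int walk_zeroed(void)
{
    struct collection c[NUM_COLLECTIONS];
    memset(c, 0, sizeof(c));     /* entry 0 becomes its own parent */
    return find_topmost(c, NUM_COLLECTIONS, 0);
}

/* Table with every parent_idx preset to -1, as the patch does. */
static int walk_initialised(void)
{
    struct collection c[NUM_COLLECTIONS];
    for (int i = 0; i < NUM_COLLECTIONS; i++)
        c[i].parent_idx = -1;
    return find_topmost(c, NUM_COLLECTIONS, 0);
}

int main(void)
{
    printf("zero-filled: %d, patched: %d\n", walk_zeroed(), walk_initialised());
    return 0;
}
```

In the zero-filled case entry 0 names itself as parent, so only the model's step bound ends the walk; with the -1 preset the first comparison already finds the root.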