hid-pidff.c: null-pointer deref if optional HID reports are not present

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello,

(This is my first time reporting a Linux bug; please accept my apologies for any mistakes in the process.)

When initializing a HID PID device, hid-pidff.c checks for eight required HID reports and five optional reports. If the eight required reports are present, the hid_pidff_init() function then attempts to find the necessary fields in each required or optional report, using the pidff_find_fields() function. However, if any of the five optional reports is not present, pidff_find_fields() will trigger a null-pointer dereference.

I recently implemented the descriptors for a USB HID device with PID force-feedback capability. After implementing the required report descriptors but not the optional ones, I got an OOPS from the pidff_find_fields function. I saved the OOPS from my Ubuntu installation, and have attached it here. I later reproduced the issue on 6.11.6.

I was able to work around the issue by having my device present all of the optional report descriptors as well as all of the required ones.

Thank you,
Nolan Nicholson
[  382.674995] usb 1-2: new full-speed USB device number 5 using xhci_hcd
[  383.181913] usb 1-2: New USB device found, idVendor=cafe, idProduct=4004, bcdDevice= 1.00
[  383.181931] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  383.181938] usb 1-2: Product: Picowinder
[  383.181944] usb 1-2: Manufacturer: Nolbinsoft
[  383.181949] usb 1-2: SerialNumber: E6616408433B582B
[  383.260525] usbcore: registered new interface driver usbhid
[  383.260535] usbhid: USB HID core driver
[  383.280100] input: Nolbinsoft Picowinder as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:CAFE:4004.0001/input/input18
[  383.280496] BUG: kernel NULL pointer dereference, address: 0000000000000848
[  383.280509] #PF: supervisor read access in kernel mode
[  383.280516] #PF: error_code(0x0000) - not-present page
[  383.280524] PGD 0 P4D 0 
[  383.280537] Oops: 0000 [#1] PREEMPT SMP PTI
[  383.280547] CPU: 4 PID: 6827 Comm: (udev-worker) Not tainted 6.8.0-48-generic #48-Ubuntu
[  383.280558] Hardware name: LENOVO 20KG0022US/20KG0022US, BIOS N23ET71W (1.46 ) 02/20/2020
[  383.280566] RIP: 0010:pidff_find_fields+0x2c/0x320 [usbhid]
[  383.280595] Code: 44 00 00 55 48 63 c1 49 89 fa 48 89 e5 41 57 49 89 f7 41 56 41 55 49 89 d5 41 54 53 48 83 ec 30 44 89 45 b4 48 89 45 c8 31 c0 <41> 8b 95 48 08 00 00 89 45 d0 45 31 f6 48 89 c3 4d 89 d4 85 d2 75
[  383.280602] RSP: 0018:ffff9b2f008df708 EFLAGS: 00010246
[  383.280611] RAX: 0000000000000000 RBX: ffff8e31889f4800 RCX: 0000000000000005
[  383.280616] RDX: 0000000000000000 RSI: ffffffffc1d605a8 RDI: ffff8e31889f48e0
[  383.280621] RBP: ffff9b2f008df760 R08: 0000000000000001 R09: 0000000000000000
[  383.280626] R10: ffff8e31889f48e0 R11: 0000000000000000 R12: ffff8e3240e1a000
[  383.280631] R13: 0000000000000000 R14: ffff8e3240e1a000 R15: ffffffffc1d605a8
[  383.280636] FS:  00007fe07066d8c0(0000) GS:ffff8e3512600000(0000) knlGS:0000000000000000
[  383.280642] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  383.280648] CR2: 0000000000000848 CR3: 0000000273cda003 CR4: 00000000003706f0
[  383.280654] Call Trace:
[  383.280659]  <TASK>
[  383.280666]  ? show_regs+0x6d/0x80
[  383.280678]  ? __die+0x24/0x80
[  383.280686]  ? page_fault_oops+0x99/0x1b0
[  383.280698]  ? do_user_addr_fault+0x2e2/0x670
[  383.280708]  ? exc_page_fault+0x83/0x1b0
[  383.280720]  ? asm_exc_page_fault+0x27/0x30
[  383.280734]  ? pidff_find_fields+0x2c/0x320 [usbhid]
[  383.280753]  ? device_create+0x51/0x80
[  383.280765]  pidff_init_fields+0xe0/0x460 [usbhid]
[  383.280783]  hid_pidff_init+0x117/0x4d0 [usbhid]
[  383.280804]  hid_connect+0x181/0x440 [hid]
[  383.280850]  hid_hw_start+0x4c/0x70 [hid]
[  383.280886]  hid_generic_probe+0x2d/0x40 [hid_generic]
[  383.280905]  hid_device_probe+0x12d/0x1b0 [hid]
[  383.280935]  really_probe+0x1c4/0x410
[  383.280946]  __driver_probe_device+0x8c/0x180
[  383.280957]  driver_probe_device+0x24/0xd0
[  383.280968]  __driver_attach+0x10b/0x210
[  383.280977]  ? __pfx___driver_attach+0x10/0x10
[  383.280987]  bus_for_each_dev+0x8a/0xf0
[  383.281000]  driver_attach+0x1e/0x30
[  383.281012]  bus_add_driver+0x14e/0x290
[  383.281026]  driver_register+0x5e/0x130
[  383.281036]  ? __pfx_hid_generic_init+0x10/0x10 [hid_generic]
[  383.281054]  __hid_register_driver+0x4f/0xa0 [hid]
[  383.281088]  ? __pfx_hid_generic_init+0x10/0x10 [hid_generic]
[  383.281106]  hid_generic_init+0x23/0xff0 [hid_generic]
[  383.281123]  do_one_initcall+0x5b/0x340
[  383.281139]  do_init_module+0x97/0x290
[  383.281148]  load_module+0xba1/0xcf0
[  383.281162]  init_module_from_file+0x96/0x100
[  383.281169]  ? init_module_from_file+0x96/0x100
[  383.281182]  idempotent_init_module+0x11c/0x2b0
[  383.281194]  __x64_sys_finit_module+0x64/0xd0
[  383.281202]  x64_sys_call+0x1d6e/0x25c0
[  383.281209]  do_syscall_64+0x7f/0x180
[  383.281220]  ? syscall_exit_to_user_mode+0x86/0x260
[  383.281231]  ? do_syscall_64+0x8c/0x180
[  383.281240]  ? do_syscall_64+0x8c/0x180
[  383.281248]  ? __fput+0x15e/0x2e0
[  383.281257]  ? __seccomp_filter+0x368/0x570
[  383.281270]  ? ext4_llseek+0xc3/0x130
[  383.281279]  ? ksys_lseek+0x7d/0xd0
[  383.281290]  ? syscall_exit_to_user_mode+0x86/0x260
[  383.281300]  ? do_syscall_64+0x8c/0x180
[  383.281309]  ? irqentry_exit+0x43/0x50
[  383.281315]  ? exc_page_fault+0x94/0x1b0
[  383.281325]  entry_SYSCALL_64_after_hwframe+0x78/0x80
[  383.281332] RIP: 0033:0x7fe07052725d
[  383.281368] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8b bb 0d 00 f7 d8 64 89 01 48
[  383.281375] RSP: 002b:00007ffea80dc678 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[  383.281385] RAX: ffffffffffffffda RBX: 000056ae4d5823b0 RCX: 00007fe07052725d
[  383.281393] RDX: 0000000000000004 RSI: 00007fe07084a07d RDI: 0000000000000013
[  383.281401] RBP: 00007ffea80dc730 R08: 0000000000000040 R09: 00007ffea80dc6c0
[  383.281406] R10: 00007fe070603b20 R11: 0000000000000246 R12: 00007fe07084a07d
[  383.281411] R13: 0000000000020000 R14: 000056ae4d77ab00 R15: 000056ae4d6965e0
[  383.281422]  </TASK>
[  383.281426] Modules linked in: hid_generic(+) usbhid ccm rfcomm snd_seq_dummy snd_hrtimer snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device snd_hda_codec_hdmi qrtr cmac algif_hash algif_skcipher af_alg bnep snd_ctl_led snd_hda_codec_realtek rmi_smbus snd_hda_codec_generic rmi_core intel_uncore_frequency intel_uncore_frequency_common snd_sof_pci_intel_skl snd_sof_intel_hda_common soundwire_intel snd_sof_intel_hda_mlink intel_tcc_cooling soundwire_cadence snd_sof_intel_hda x86_pkg_temp_thermal intel_powerclamp snd_sof_pci coretemp binfmt_misc snd_sof_xtensa_dsp snd_sof snd_sof_utils kvm_intel soundwire_generic_allocation soundwire_bus snd_soc_avs snd_soc_hda_codec kvm nls_iso8859_1 snd_soc_skl snd_soc_hdac_hda snd_hda_ext_core snd_soc_sst_ipc irqbypass snd_soc_sst_dsp crct10dif_pclmul snd_soc_acpi_intel_match polyval_clmulni snd_soc_acpi polyval_generic ghash_clmulni_intel sha256_ssse3 snd_soc_core iwlmvm sha1_ssse3 snd_compress aesni_intel mei_hdcp intel_rapl_msr mei_pxp i915 ac97_bus crypto_simd
[  383.281575]  mac80211 snd_pcm_dmaengine cryptd uvcvideo btusb videobuf2_vmalloc rapl btrtl uvc btintel videobuf2_memops btbcm videobuf2_v4l2 processor_thermal_device_pci_legacy snd_hda_intel btmtk uas libarc4 intel_cstate processor_thermal_device videodev snd_intel_dspcfg bluetooth processor_thermal_wt_hint iwlwifi snd_intel_sdw_acpi processor_thermal_rfim videobuf2_common processor_thermal_rapl snd_hda_codec intel_rapl_common drm_buddy mc usb_storage processor_thermal_wt_req ttm snd_hda_core think_lmi ecdh_generic wmi_bmof intel_wmi_thunderbolt ecc firmware_attributes_class drm_display_helper snd_hwdep i2c_i801 processor_thermal_power_floor cfg80211 i2c_smbus cec snd_pcm processor_thermal_mbox mei_me rc_core intel_soc_dts_iosf i2c_algo_bit snd_timer intel_xhci_usb_role_switch mei intel_pch_thermal intel_pmc_core int3403_thermal thinkpad_acpi int340x_thermal_zone nvram intel_vsec int3400_thermal pmt_telemetry input_leds joydev acpi_pad pmt_class acpi_thermal_rel serio_raw mac_hid sch_fq_codel msr parport_pc ppdev lp
[  383.281738]  parport efi_pstore nfnetlink dmi_sysfs ip_tables x_tables autofs4 snd nvme soundcore ucsi_acpi crc32_pclmul nvme_core typec_ucsi video psmouse thunderbolt xhci_pci e1000e typec nvme_auth xhci_pci_renesas i2c_hid_acpi i2c_hid ledtrig_audio platform_profile hid wmi
[  383.281801] CR2: 0000000000000848
[  383.281807] ---[ end trace 0000000000000000 ]---
[  383.629385] RIP: 0010:pidff_find_fields+0x2c/0x320 [usbhid]
[  383.629420] Code: 44 00 00 55 48 63 c1 49 89 fa 48 89 e5 41 57 49 89 f7 41 56 41 55 49 89 d5 41 54 53 48 83 ec 30 44 89 45 b4 48 89 45 c8 31 c0 <41> 8b 95 48 08 00 00 89 45 d0 45 31 f6 48 89 c3 4d 89 d4 85 d2 75
[  383.629425] RSP: 0018:ffff9b2f008df708 EFLAGS: 00010246
[  383.629430] RAX: 0000000000000000 RBX: ffff8e31889f4800 RCX: 0000000000000005
[  383.629434] RDX: 0000000000000000 RSI: ffffffffc1d605a8 RDI: ffff8e31889f48e0
[  383.629437] RBP: ffff9b2f008df760 R08: 0000000000000001 R09: 0000000000000000
[  383.629440] R10: ffff8e31889f48e0 R11: 0000000000000000 R12: ffff8e3240e1a000
[  383.629443] R13: 0000000000000000 R14: ffff8e3240e1a000 R15: ffffffffc1d605a8
[  383.629446] FS:  00007fe07066d8c0(0000) GS:ffff8e3512600000(0000) knlGS:0000000000000000
[  383.629450] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  383.629453] CR2: 0000000000000848 CR3: 0000000273cda003 CR4: 00000000003706f0
[  383.629457] note: (udev-worker)[6827] exited with irqs disabled
[  407.615177] usb 1-2: USB disconnect, device number 5
[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux