Patch "HID: core: Fix deadloop in hid_apply_multiplier." has been added to the 5.10-stable tree

This is a note to let you know that I've just added the patch titled

    HID: core: Fix deadloop in hid_apply_multiplier.

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     hid-core-fix-deadloop-in-hid_apply_multiplier.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 5a083de227679a8ab69234e09b888804e012d916
Author: Xin Zhao <xnzhao@xxxxxxxxxx>
Date:   Mon Jan 30 21:29:47 2023 +0000

    HID: core: Fix deadloop in hid_apply_multiplier.
    
    [ Upstream commit ea427a222d8bdf2bc1a8a6da3ebe247f7dced70c ]
    
    The initial value of hid->collection[].parent_idx is 0. When
    Report descriptor doesn't contain "HID Collection", the value
    remains as 0.
    
    In the meanwhile, when the Report descriptor fulfills
    all following conditions, it will trigger hid_apply_multiplier
    function call.
    1. Usage page is Generic Desktop Ctrls (0x01)
    2. Usage is RESOLUTION_MULTIPLIER (0x48)
    3. Contains any FEATURE items
    
    The while loop in hid_apply_multiplier will search the top-most
    collection by searching parent_idx == -1. Because all parent_idx
    are 0, the loop will run forever.
    
    There is a Report Descriptor triggering the deadloop:
    0x05, 0x01,        // Usage Page (Generic Desktop Ctrls)
    0x09, 0x48,        // Usage (0x48)
    0x95, 0x01,        // Report Count (1)
    0x75, 0x08,        // Report Size (8)
    0xB1, 0x01,        // Feature
    
    Signed-off-by: Xin Zhao <xnzhao@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20230130212947.1315941-1-xnzhao@xxxxxxxxxx
    Signed-off-by: Benjamin Tissoires <benjamin.tissoires@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index baadead947c8b..5f9ec1d1464a2 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1197,6 +1197,7 @@ int hid_open_report(struct hid_device *device)
 	__u8 *end;
 	__u8 *next;
 	int ret;
+	int i;
 	static int (*dispatch_type[])(struct hid_parser *parser,
 				      struct hid_item *item) = {
 		hid_parser_main,
@@ -1247,6 +1248,8 @@ int hid_open_report(struct hid_device *device)
 		goto err;
 	}
 	device->collection_size = HID_DEFAULT_NUM_COLLECTIONS;
+	for (i = 0; i < HID_DEFAULT_NUM_COLLECTIONS; i++)
+		device->collection[i].parent_idx = -1;
 
 	ret = -EINVAL;
 	while ((next = fetch_item(start, end, &item)) != NULL) {
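Review bot: The new loop `for (i = 0; i < HID_DEFAULT_NUM_COLLECTIONS; i++)` sets the -1 sentinel only for the default-sized array allocated just above, so any code path that later enlarges device->collection past collection_size needs to give its new entries the same value; that path is not part of this hunk and should be checked before relying on the invariant. A one-line comment above the loop stating that parent_idx == -1 means "no parent" and that hid_apply_multiplier depends on it would keep the initialisation from being dropped in a later cleanup. Since the descriptor comes from the device, it is also worth considering a bound on the parent walk in hid_apply_multiplier itself, so that termination does not rest on this initialisation alone.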


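The failure mode the commit message describes, as an added example that is not part of the original message or of the kernel source: a simplified user-space C model of the walk towards the top-most collection, run over a zero-filled array and over one initialised the way the patch does. The names `find_top`, `WALK_STUCK`, `NUM_COLLECTIONS` and the one-field `struct collection` are assumptions of this model, and the step limit exists only so the model can report the non-terminating case instead of hanging.

```c
#include <stdio.h>
#include <string.h>

#define NUM_COLLECTIONS 16   /* stand-in for HID_DEFAULT_NUM_COLLECTIONS */
#define WALK_STUCK (-2)      /* model-only result: the walk never reached a top */

struct collection { int parent_idx; };  /* only the field the commit discusses */

/* Follow parent_idx from 'start' until an entry with parent_idx == -1.
 * Returns that entry's index, or WALK_STUCK after 'limit' steps. */
int find_top(const struct collection *c, int start, int limit)
{
    int idx = start;
    for (int steps = 0; steps < limit; steps++) {
        if (c[idx].parent_idx == -1)
            return idx;
        idx = c[idx].parent_idx;
    }
    return WALK_STUCK;
}

/* Fill the array as before the patch (all 0) or as after it (all -1). */
static void init(struct collection *c, int patched)
{
    memset(c, 0, NUM_COLLECTIONS * sizeof(*c));
    for (int i = 0; patched && i < NUM_COLLECTIONS; i++)
        c[i].parent_idx = -1;
}

/* Descriptor without any collection: the usage refers to entry 0. */
int top_without_collection(int patched)
{
    struct collection c[NUM_COLLECTIONS];
    init(c, patched);
    return find_top(c, 0, 1000);
}

/* Constructed nested case: 2 is a child of 1, 1 is a child of 0. */
int top_nested(void)
{
    struct collection c[NUM_COLLECTIONS];
    init(c, 1);
    c[1].parent_idx = 0;
    c[2].parent_idx = 1;
    return find_top(c, 2, 1000);
}

int main(void)
{
    printf("unpatched: %d\n", top_without_collection(0));
    printf("patched:   %d\n", top_without_collection(1));
    printf("nested:    %d\n", top_nested());
    return 0;
}
```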
