HIDïpanic in hid-betopff.c
From: Chen Yu
Date: Mon Nov 13 2017 - 05:08:42 EST
Hiï
There is a possible panic in function hid_betopff_play():
static int hid_betopff_play(struct input_dev *dev, void *data,
struct ff_effect *effect)
{
struct hid_device *hid = input_get_drvdata(dev);
struct betopff_device *betopff = data;
__u16 left, right;
left = effect->u.rumble.strong_magnitude;
right = effect->u.rumble.weak_magnitude;
betopff->report->field[2]->value[0] = left / 256; /// betopff->report->field[2] could be NULL
betopff->report->field[3]->value[0] = right / 256; /// so as betopff->report->field[3]
hid_hw_request(hid, betopff->report, HID_REQ_SET_REPORT);
return 0;
}
In function betopff_init(), calculation of "field_count" seems wrong:
static int betopff_init(struct hid_device *hid)
{
struct betopff_device *betopff;
struct hid_report *report;
struct hid_input *hidinput =
list_first_entry(&hid->inputs, struct hid_input, list);
struct list_head *report_list =
&hid->report_enum[HID_OUTPUT_REPORT].report_list;
struct input_dev *dev = hidinput->input;
int field_count = 0;
int error;
int i, j;
if (list_empty(report_list)) {
hid_err(hid, "no output reports found\n");
return -ENODEV;
}
report = list_first_entry(report_list, struct hid_report, list);
/*
* Actually there are 4 fields for 4 Bytes as below:
* -----------------------------------------
* Byte0 Byte1 Byte2 Byte3
* 0x00 0x00 left_motor right_motor
* -----------------------------------------
* Do init them with default value.
*/
for (i = 0; i < report->maxfield; i++) {
for (j = 0; j < report->field[i]->report_count; j++) {
report->field[i]->value[j] = 0x00;
field_count++; /// this line should out of this loop
}
}
if (field_count < 4) {
hid_err(hid, "not enough fields in the report: %d\n",
field_count);
return -ENODEV;
}
Do I misunderstand the code here?
Thanks and Regards
Yu Chen