Web lists-archives.com

HID:panic in hid-betopff.c




Hi,

There is a possible panic in function hid_betopff_play():

static int hid_betopff_play(struct input_dev *dev, void *data,
                         struct ff_effect *effect)
{
        struct hid_device *hid = input_get_drvdata(dev);
        struct betopff_device *betopff = data;
        __u16 left, right;

        left = effect->u.rumble.strong_magnitude;
        right = effect->u.rumble.weak_magnitude;

        betopff->report->field[2]->value[0] = left / 256;  /// betopff->report->field[2] could be NULL
        betopff->report->field[3]->value[0] = right / 256; /// so as betopff->report->field[3]

        hid_hw_request(hid, betopff->report, HID_REQ_SET_REPORT);

        return 0;
}

In function betopff_init(), calculation of "field_count" seems wrong:

static int betopff_init(struct hid_device *hid)
{
        struct betopff_device *betopff;
        struct hid_report *report;
        struct hid_input *hidinput =
                        list_first_entry(&hid->inputs, struct hid_input, list);
        struct list_head *report_list =
                        &hid->report_enum[HID_OUTPUT_REPORT].report_list;
        struct input_dev *dev = hidinput->input;
        int field_count = 0;
        int error;
        int i, j;

        if (list_empty(report_list)) {
                hid_err(hid, "no output reports found\n");
                return -ENODEV;
        }

        report = list_first_entry(report_list, struct hid_report, list);
        /*
         * Actually there are 4 fields for 4 Bytes as below:
         * -----------------------------------------
         * Byte0  Byte1  Byte2    Byte3
         * 0x00   0x00   left_motor right_motor
         * -----------------------------------------
         * Do init them with default value.
         */
        for (i = 0; i < report->maxfield; i++) {
                for (j = 0; j < report->field[i]->report_count; j++) {
                        report->field[i]->value[j] = 0x00;
                        field_count++;                      /// this line should out of this loop
                }
        }

        if (field_count < 4) {
                hid_err(hid, "not enough fields in the report: %d\n",
                                field_count);
                return -ENODEV;
        }

Do I misunderstand the code here?

Thanks and Regards
Yu Chen