From: Benjamin Tissoires
Date: Wed, 09 Jul 2025 16:51:46 +0200
Subject: [PATCH 1/3] HID: core: ensure the allocated report buffer can contain the reserved report ID
Message-Id: <20250709-report-size-null-v1-1-194912215cbc@kernel.org>
In-Reply-To: <20250709-report-size-null-v1-0-194912215cbc@kernel.org>
To: Jiri Kosina, Alan Stern
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Benjamin Tissoires, stable@vger.kernel.org

When the report ID is not used, the low level transport drivers expect the first byte to be 0. However, currently the allocated buffer does not account for that extra byte, meaning that instead of having 8 guaranteed bytes for implement to be working, we only have 7.

Reported-by: Alan Stern
Closes: https://lore.kernel.org/linux-input/c75433e0-9b47-4072-bbe8-b1d14ea97b13@rowland.harvard.edu/
Cc: stable@vger.kernel.org
Suggested-by: Alan Stern
Signed-off-by: Benjamin Tissoires
---
 drivers/hid/hid-core.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index b348d0464314ca331da073128f0ec4e0a6a91ed1..1a231dd9e4bc83202f2cbcd8b3a= 21e8c82b9deec 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c 
@@ -1883,9 +1883,12 @@ u8 *hid_alloc_report_buf(struct hid_report *report, = gfp_t flags) /* * 7 extra bytes are necessary to achieve proper functionality * of implement() working on 8 byte chunks + * 1 extra byte for the report ID if it is null (not used) so + * we can reserve that extra byte in the first position of the buffer + * when sending it to .raw_request() */ =20 - u32 len =3D hid_report_len(report) + 7; + u32 len =3D hid_report_len(report) + 7 + (report->id =3D=3D 0); =20 return kzalloc(len, flags); } --=20 2.49.0
From: Benjamin Tissoires
Date: Wed, 09 Jul 2025 16:51:47 +0200
Subject: [PATCH 2/3] HID: core: ensure __hid_request reserves the report ID as the first byte
Message-Id: <20250709-report-size-null-v1-2-194912215cbc@kernel.org>
In-Reply-To: <20250709-report-size-null-v1-0-194912215cbc@kernel.org>
To: Jiri Kosina, Alan Stern
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Benjamin Tissoires, syzbot+8258d5439c49d4c35f43@syzkaller.appspotmail.com, stable@vger.kernel.org

The low level transport driver expects the first byte to be the report ID, even when the report ID is not used (in which case they just shift the buffer). However, __hid_request() was not offsetting the buffer it used by one in this case, meaning that the raw_request() callback emitted by the transport driver would be stripped of the first byte.

Reported-by: Alan Stern
Closes: https://lore.kernel.org/linux-input/c75433e0-9b47-4072-bbe8-b1d14ea97b13@rowland.harvard.edu/
Reported-by: syzbot+8258d5439c49d4c35f43@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8258d5439c49d4c35f43
Fixes: 4fa5a7f76cc7 ("HID: core: implement generic .request()")
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires --- drivers/hid/hid-core.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index 1a231dd9e4bc83202f2cbcd8b3a21e8c82b9deec..320887c365f7a36f7376556ffd1= 9f99e52b7d732 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1976,7 +1976,7 @@ static struct hid_report *hid_get_report(struct hid_r= eport_enum *report_enum, int __hid_request(struct hid_device *hid, struct hid_report *report, enum hid_class_request reqtype) { - char *buf; + char *buf, *data_buf; int ret; u32 len; =20 
@@ -1984,10 +1984,17 @@ int __hid_request(struct hid_device *hid, struct hi= d_report *report, if (!buf) return -ENOMEM; =20 + data_buf =3D buf; len =3D hid_report_len(report); =20 + if (report->id =3D=3D 0) { + /* reserve the first byte for the report ID */ + data_buf++; + len++; + } + if (reqtype =3D=3D HID_REQ_SET_REPORT) - hid_output_report(report, buf); + hid_output_report(report, data_buf); =20 ret =3D hid->ll_driver->raw_request(hid, report->id, buf, len, report->type, reqtype); --=20 2.49.0
From: Benjamin Tissoires
Date: Wed, 09 Jul 2025 16:51:48 +0200
Subject: [PATCH 3/3] HID: core: do not bypass hid_hw_raw_request
Message-Id: <20250709-report-size-null-v1-3-194912215cbc@kernel.org>
In-Reply-To: <20250709-report-size-null-v1-0-194912215cbc@kernel.org>
To: Jiri Kosina, Alan Stern
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Benjamin Tissoires, stable@vger.kernel.org

hid_hw_raw_request() is actually useful to ensure the provided buffer and length are valid. Directly calling in the low level transport driver function bypassed those checks and allowed invalid param to be used.

Reported-by: Alan Stern
Closes: https://lore.kernel.org/linux-input/c75433e0-9b47-4072-bbe8-b1d14ea97b13@rowland.harvard.edu/
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires
---
 drivers/hid/hid-core.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index 320887c365f7a36f7376556ffd19f99e52b7d732..b31b8a2fd540bd5ed6659902082= 4726e69d10d75 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c
@@ -1996,8 +1996,7 @@ int __hid_request(struct hid_device *hid, struct hid_= report *report, if (reqtype =3D=3D HID_REQ_SET_REPORT) hid_output_report(report, data_buf); =20 - ret =3D hid->ll_driver->raw_request(hid, report->id, buf, len, - report->type, reqtype); + ret =3D hid_hw_raw_request(hid, report->id, buf, len, report->type, reqty= pe); if (ret < 0) { dbg_hid("unable to complete request: %d\n", ret); goto out; --=20 2.49.0
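
Review bot: In [PATCH 1/3], hid_alloc_report_buf(), the allocated length now depends on report->id, but the function still returns only the pointer, so a caller cannot tell how many bytes it may use beyond hid_report_len(report). The comment should state that the extra byte exists for callers that place a zero report ID in front of the data before calling .raw_request(), and "if it is null" would read better as "if it is 0", since the code compares report->id against the integer 0.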
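
Review bot: In [PATCH 2/3], second hunk of __hid_request(), the len++ is only safe because hid_alloc_report_buf() reserves one more byte under the same report->id == 0 condition in [PATCH 1/3], and nothing in this function says so. A short comment next to len++ naming that dependency, or a shared helper for the condition, would keep the two sites from drifting apart. The visible lines move only the hid_output_report() destination to data_buf; the code after raw_request() that reads buf is not part of the hunk and should be checked for the same one-byte offset.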
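
Review bot: In [PATCH 3/3], __hid_request(), a request that hid_hw_raw_request() rejects now takes the existing ret < 0 branch, where the only trace is dbg_hid("unable to complete request: %d\n", ret). The commit message says the previous direct call let invalid parameters through, so some callers may start failing here after this change; consider reporting such rejections at a level visible without HID debugging, or state in the commit message which error values callers should now expect.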