samsung_sm8750/android_kernel_samsung_sm8750
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

HID: core: do not bypass hid_hw_raw_request

Browse Source 
commit c2ca42f190b6714d6c481dfd3d9b62ea091c946b upstream.

hid_hw_raw_request() is actually useful to ensure the provided buffer
and length are valid. Directly calling in the low level transport driver
function bypassed those checks and allowed invalid paramto be used.

Reported-by: Alan Stern <stern@rowland.harvard.edu>
Closes: https://lore.kernel.org/linux-input/c75433e0-9b47-4072-bbe8-b1d14ea97b13@rowland.harvard.edu/
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250710-report-size-null-v2-3-ccf922b7c4e5@kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Benjamin Tissoires
2025-07-10 16:01:35 +02:00
committed by Greg Kroah-Hartman
parent a1c0b87b76
commit 0e5017d84d
1 changed files with 1 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
drivers/hid/hid-core.c
View File

@@ -1961,8 +1961,7 @@ int __hid_request(struct hid_device *hid, struct hid_report *report,
if (reqtype == HID_REQ_SET_REPORT) if (reqtype == HID_REQ_SET_REPORT)
hid_output_report(report, data_buf); hid_output_report(report, data_buf);
ret = hid->ll_driver->raw_request(hid, report->id, buf, len, ret = hid_hw_raw_request(hid, report->id, buf, len, report->type, reqtype);
report->type, reqtype);
if (ret < 0) { if (ret < 0) {
dbg_hid("unable to complete request: %d\n", ret); dbg_hid("unable to complete request: %d\n", ret);
goto out; goto out;