5.15-stable patches

added patches:
	hid-core-fix-assumption-that-resolution-multipliers-must-be-in-logical-collections.patch

diff --git a/queue-5.15/hid-core-fix-assumption-that-resolution-multipliers-must-be-in-logical-collections.patch b/queue-5.15/hid-core-fix-assumption-that-resolution-multipliers-must-be-in-logical-collections.patch
new file mode 100644 (file)
index 0000000..299f176
--- /dev/null
+++ b/queue-5.15/hid-core-fix-assumption-that-resolution-multipliers-must-be-in-logical-collections.patch
@@ -0,0 +1,60 @@
+From 64f2657b579343cf923aa933f08074e6258eb07b Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 31 Dec 2024 14:23:12 -0500
+Subject: HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 64f2657b579343cf923aa933f08074e6258eb07b upstream.
+
+A report in 2019 by the syzbot fuzzer was found to be connected to two
+errors in the HID core associated with Resolution Multipliers.  One of
+the errors was fixed by commit ea427a222d8b ("HID: core: Fix deadloop
+in hid_apply_multiplier."), but the other has not been fixed.
+
+This error arises because hid_apply_multipler() assumes that every
+Resolution Multiplier control is contained in a Logical Collection,
+i.e., there's no way the routine can ever set multiplier_collection to
+NULL.  This is in spite of the fact that the function starts with a
+big comment saying:
+
+        * "The Resolution Multiplier control must be contained in the same
+        * Logical Collection as the control(s) to which it is to be applied.
+          ...
+        *  If no Logical Collection is
+        * defined, the Resolution Multiplier is associated with all
+        * controls in the report."
+        * HID Usage Table, v1.12, Section 4.3.1, p30
+        *
+        * Thus, search from the current collection upwards until we find a
+        * logical collection...
+
+The comment and the code overlook the possibility that none of the
+collections found may be a Logical Collection.
+
+The fix is to set the multiplier_collection pointer to NULL if the
+collection found isn't a Logical Collection.
+
+Reported-by: syzbot+ec5f884c4a135aa0dbb9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/000000000000109c040597dc5843@google.com/
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Cc: Peter Hutterer <peter.hutterer@who-t.net>
+Fixes: 5a4abb36f312 ("HID: core: process the Resolution Multiplier")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-core.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1124,6 +1124,8 @@ static void hid_apply_multiplier(struct
+       while (multiplier_collection->parent_idx != -1 &&
+              multiplier_collection->type != HID_COLLECTION_LOGICAL)
+               multiplier_collection = &hid->collection[multiplier_collection->parent_idx];
++      if (multiplier_collection->type != HID_COLLECTION_LOGICAL)
++              multiplier_collection = NULL;
+ 
+       effective_multiplier = hid_calculate_multiplier(hid, multiplier);
+