From: Benjamin Tissoires Date: Thu, 10 Jul 2025 14:01:35 +0000 (+0200) Subject: HID: core: do not bypass hid_hw_raw_request X-Git-Tag: v5.10.241~513 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=40e25aa7e4e0f2440c73a683ee448e41c7c344ed;p=thirdparty%2Fkernel%2Fstable.git HID: core: do not bypass hid_hw_raw_request commit c2ca42f190b6714d6c481dfd3d9b62ea091c946b upstream. hid_hw_raw_request() is actually useful to ensure the provided buffer and length are valid. Directly calling in the low level transport driver function bypassed those checks and allowed invalid paramto be used. Reported-by: Alan Stern Closes: https://lore.kernel.org/linux-input/c75433e0-9b47-4072-bbe8-b1d14ea97b13@rowland.harvard.edu/ Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20250710-report-size-null-v2-3-ccf922b7c4e5@kernel.org Signed-off-by: Benjamin Tissoires Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index 54ae12d4e80a5..89aa7a0e51dee 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1750,8 +1750,7 @@ int __hid_request(struct hid_device *hid, struct hid_report *report, if (reqtype == HID_REQ_SET_REPORT) hid_output_report(report, data_buf); - ret = hid->ll_driver->raw_request(hid, report->id, buf, len, - report->type, reqtype); + ret = hid_hw_raw_request(hid, report->id, buf, len, report->type, reqtype); if (ret < 0) { dbg_hid("unable to complete request: %d\n", ret); goto out;