+++ /dev/null
-From 2c85c61d1332e1e16f020d76951baf167dcb6f7a Mon Sep 17 00:00:00 2001
-From: Benjamin Tissoires <bentiss@kernel.org>
-Date: Mon, 4 May 2026 10:47:22 +0200
-Subject: HID: pass the buffer size to hid_report_raw_event
-
-From: Benjamin Tissoires <bentiss@kernel.org>
-
-commit 2c85c61d1332e1e16f020d76951baf167dcb6f7a upstream.
-
-commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing
-bogus memset()") enforced the provided data to be at least the size of
-the declared buffer in the report descriptor to prevent a buffer
-overflow. However, we can try to be smarter by providing both the buffer
-size and the data size, meaning that hid_report_raw_event() can make
-better decision whether we should plaining reject the buffer (buffer
-overflow attempt) or if we can safely memset it to 0 and pass it to the
-rest of the stack.
-
-Fixes: 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()")
-Cc: stable@vger.kernel.org
-Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
-Acked-by: Johan Hovold <johan@kernel.org>
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Jiri Kosina <jkosina@suse.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/hid/bpf/hid_bpf_dispatch.c | 6 +++--
- drivers/hid/hid-core.c | 42 ++++++++++++++++++++++++-------------
- drivers/hid/hid-gfrm.c | 4 +--
- drivers/hid/hid-logitech-hidpp.c | 2 -
- drivers/hid/hid-multitouch.c | 2 -
- drivers/hid/hid-primax.c | 2 -
- drivers/hid/hid-vivaldi-common.c | 2 -
- drivers/hid/wacom_sys.c | 6 ++---
- drivers/staging/greybus/hid.c | 2 -
- include/linux/hid.h | 4 +--
- include/linux/hid_bpf.h | 14 +++++++-----
- 11 files changed, 53 insertions(+), 33 deletions(-)
-
---- a/drivers/hid/bpf/hid_bpf_dispatch.c
-+++ b/drivers/hid/bpf/hid_bpf_dispatch.c
-@@ -24,7 +24,8 @@ EXPORT_SYMBOL(hid_ops);
-
- u8 *
- dispatch_hid_bpf_device_event(struct hid_device *hdev, enum hid_report_type type, u8 *data,
-- u32 *size, int interrupt, u64 source, bool from_bpf)
-+ size_t *buf_size, u32 *size, int interrupt, u64 source,
-+ bool from_bpf)
- {
- struct hid_bpf_ctx_kern ctx_kern = {
- .ctx = {
-@@ -74,6 +75,7 @@ dispatch_hid_bpf_device_event(struct hid
- *size = ret;
- }
-
-+ *buf_size = ctx_kern.ctx.allocated_size;
- return ctx_kern.data;
- }
- EXPORT_SYMBOL_GPL(dispatch_hid_bpf_device_event);
-@@ -508,7 +510,7 @@ __hid_bpf_input_report(struct hid_bpf_ct
- if (ret)
- return ret;
-
-- return hid_ops->hid_input_report(ctx->hid, type, buf, size, 0, (u64)(long)ctx, true,
-+ return hid_ops->hid_input_report(ctx->hid, type, buf, size, size, 0, (u64)(long)ctx, true,
- lock_already_taken);
- }
-
---- a/drivers/hid/hid-core.c
-+++ b/drivers/hid/hid-core.c
-@@ -2029,24 +2029,32 @@ out:
- }
- EXPORT_SYMBOL_GPL(__hid_request);
-
--int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size,
-- int interrupt)
-+int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data,
-+ size_t bufsize, u32 size, int interrupt)
- {
- struct hid_report_enum *report_enum = hid->report_enum + type;
- struct hid_report *report;
- struct hid_driver *hdrv;
- int max_buffer_size = HID_MAX_BUFFER_SIZE;
- u32 rsize, csize = size;
-+ size_t bsize = bufsize;
- u8 *cdata = data;
- int ret = 0;
-
- report = hid_get_report(report_enum, data);
- if (!report)
-- goto out;
-+ return 0;
-+
-+ if (unlikely(bsize < csize)) {
-+ hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n",
-+ report->id, csize, bsize);
-+ return -EINVAL;
-+ }
-
- if (report_enum->numbered) {
- cdata++;
- csize--;
-+ bsize--;
- }
-
- rsize = hid_compute_report_size(report);
-@@ -2059,11 +2067,16 @@ int hid_report_raw_event(struct hid_devi
- else if (rsize > max_buffer_size)
- rsize = max_buffer_size;
-
-+ if (bsize < rsize) {
-+ hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n",
-+ report->id, rsize, bsize);
-+ return -EINVAL;
-+ }
-+
- if (csize < rsize) {
-- hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %d)\n",
-- report->id, rsize, csize);
-- ret = -EINVAL;
-- goto out;
-+ dbg_hid("report %d is too short, (%d < %d)\n", report->id,
-+ csize, rsize);
-+ memset(cdata + csize, 0, rsize - csize);
- }
-
- if ((hid->claimed & HID_CLAIMED_HIDDEV) && hid->hiddev_report_event)
-@@ -2071,7 +2084,7 @@ int hid_report_raw_event(struct hid_devi
- if (hid->claimed & HID_CLAIMED_HIDRAW) {
- ret = hidraw_report_event(hid, data, size);
- if (ret)
-- goto out;
-+ return ret;
- }
-
- if (hid->claimed != HID_CLAIMED_HIDRAW && report->maxfield) {
-@@ -2083,15 +2096,15 @@ int hid_report_raw_event(struct hid_devi
-
- if (hid->claimed & HID_CLAIMED_INPUT)
- hidinput_report_event(hid, report);
--out:
-+
- return ret;
- }
- EXPORT_SYMBOL_GPL(hid_report_raw_event);
-
-
- static int __hid_input_report(struct hid_device *hid, enum hid_report_type type,
-- u8 *data, u32 size, int interrupt, u64 source, bool from_bpf,
-- bool lock_already_taken)
-+ u8 *data, size_t bufsize, u32 size, int interrupt, u64 source,
-+ bool from_bpf, bool lock_already_taken)
- {
- struct hid_report_enum *report_enum;
- struct hid_driver *hdrv;
-@@ -2116,7 +2129,8 @@ static int __hid_input_report(struct hid
- report_enum = hid->report_enum + type;
- hdrv = hid->driver;
-
-- data = dispatch_hid_bpf_device_event(hid, type, data, &size, interrupt, source, from_bpf);
-+ data = dispatch_hid_bpf_device_event(hid, type, data, &bufsize, &size, interrupt,
-+ source, from_bpf);
- if (IS_ERR(data)) {
- ret = PTR_ERR(data);
- goto unlock;
-@@ -2145,7 +2159,7 @@ static int __hid_input_report(struct hid
- goto unlock;
- }
-
-- ret = hid_report_raw_event(hid, type, data, size, interrupt);
-+ ret = hid_report_raw_event(hid, type, data, bufsize, size, interrupt);
-
- unlock:
- if (!lock_already_taken)
-@@ -2167,7 +2181,7 @@ unlock:
- int hid_input_report(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size,
- int interrupt)
- {
-- return __hid_input_report(hid, type, data, size, interrupt, 0,
-+ return __hid_input_report(hid, type, data, size, size, interrupt, 0,
- false, /* from_bpf */
- false /* lock_already_taken */);
- }
---- a/drivers/hid/hid-gfrm.c
-+++ b/drivers/hid/hid-gfrm.c
-@@ -66,7 +66,7 @@ static int gfrm_raw_event(struct hid_dev
- switch (data[1]) {
- case GFRM100_SEARCH_KEY_DOWN:
- ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_dn,
-- sizeof(search_key_dn), 1);
-+ sizeof(search_key_dn), sizeof(search_key_dn), 1);
- break;
-
- case GFRM100_SEARCH_KEY_AUDIO_DATA:
-@@ -74,7 +74,7 @@ static int gfrm_raw_event(struct hid_dev
-
- case GFRM100_SEARCH_KEY_UP:
- ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_up,
-- sizeof(search_key_up), 1);
-+ sizeof(search_key_up), sizeof(search_key_up), 1);
- break;
-
- default:
---- a/drivers/hid/hid-logitech-hidpp.c
-+++ b/drivers/hid/hid-logitech-hidpp.c
-@@ -3664,7 +3664,7 @@ static int hidpp10_consumer_keys_raw_eve
- memcpy(&consumer_report[1], &data[3], 4);
- /* We are called from atomic context */
- hid_report_raw_event(hidpp->hid_dev, HID_INPUT_REPORT,
-- consumer_report, 5, 1);
-+ consumer_report, sizeof(consumer_report), 5, 1);
-
- return 1;
- }
---- a/drivers/hid/hid-multitouch.c
-+++ b/drivers/hid/hid-multitouch.c
-@@ -531,7 +531,7 @@ static void mt_get_feature(struct hid_de
- }
-
- ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, buf,
-- size, 0);
-+ size, size, 0);
- if (ret)
- dev_warn(&hdev->dev, "failed to report feature\n");
- }
---- a/drivers/hid/hid-primax.c
-+++ b/drivers/hid/hid-primax.c
-@@ -44,7 +44,7 @@ static int px_raw_event(struct hid_devic
- data[0] |= (1 << (data[idx] - 0xE0));
- data[idx] = 0;
- }
-- hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, 0);
-+ hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, size, 0);
- return 1;
-
- default: /* unknown report */
---- a/drivers/hid/hid-vivaldi-common.c
-+++ b/drivers/hid/hid-vivaldi-common.c
-@@ -85,7 +85,7 @@ void vivaldi_feature_mapping(struct hid_
- }
-
- ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, report_data,
-- report_len, 0);
-+ report_len, report_len, 0);
- if (ret) {
- dev_warn(&hdev->dev, "failed to report feature %d\n",
- field->report->id);
---- a/drivers/hid/wacom_sys.c
-+++ b/drivers/hid/wacom_sys.c
-@@ -90,7 +90,7 @@ static void wacom_wac_queue_flush(struct
- kfree(buf);
- continue;
- }
-- err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, false);
-+ err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, size, false);
- if (err) {
- hid_warn(hdev, "%s: unable to flush event due to error %d\n",
- __func__, err);
-@@ -334,7 +334,7 @@ static void wacom_feature_mapping(struct
- data, n, WAC_CMD_RETRIES);
- if (ret == n && features->type == HID_GENERIC) {
- ret = hid_report_raw_event(hdev,
-- HID_FEATURE_REPORT, data, n, 0);
-+ HID_FEATURE_REPORT, data, n, n, 0);
- } else if (ret == 2 && features->type != HID_GENERIC) {
- features->touch_max = data[1];
- } else {
-@@ -395,7 +395,7 @@ static void wacom_feature_mapping(struct
- data, n, WAC_CMD_RETRIES);
- if (ret == n) {
- ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT,
-- data, n, 0);
-+ data, n, n, 0);
- } else {
- hid_warn(hdev, "%s: could not retrieve sensor offsets\n",
- __func__);
---- a/drivers/staging/greybus/hid.c
-+++ b/drivers/staging/greybus/hid.c
-@@ -201,7 +201,7 @@ static void gb_hid_init_report(struct gb
- * we just need to setup the input fields, so using
- * hid_report_raw_event is safe.
- */
-- hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, size, 1);
-+ hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, ghid->bufsize, size, 1);
- }
-
- static void gb_hid_init_reports(struct gb_hid *ghid)
---- a/include/linux/hid.h
-+++ b/include/linux/hid.h
-@@ -1258,8 +1258,8 @@ static inline u32 hid_report_len(struct
- return DIV_ROUND_UP(report->size, 8) + (report->id > 0);
- }
-
--int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size,
-- int interrupt);
-+int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data,
-+ size_t bufsize, u32 size, int interrupt);
-
- /* HID quirks API */
- unsigned long hid_lookup_quirk(const struct hid_device *hdev);
---- a/include/linux/hid_bpf.h
-+++ b/include/linux/hid_bpf.h
-@@ -72,8 +72,8 @@ struct hid_ops {
- int (*hid_hw_output_report)(struct hid_device *hdev, __u8 *buf, size_t len,
- u64 source, bool from_bpf);
- int (*hid_input_report)(struct hid_device *hid, enum hid_report_type type,
-- u8 *data, u32 size, int interrupt, u64 source, bool from_bpf,
-- bool lock_already_taken);
-+ u8 *data, size_t bufsize, u32 size, int interrupt, u64 source,
-+ bool from_bpf, bool lock_already_taken);
- struct module *owner;
- const struct bus_type *bus_type;
- };
-@@ -200,7 +200,8 @@ struct hid_bpf {
-
- #ifdef CONFIG_HID_BPF
- u8 *dispatch_hid_bpf_device_event(struct hid_device *hid, enum hid_report_type type, u8 *data,
-- u32 *size, int interrupt, u64 source, bool from_bpf);
-+ size_t *buf_size, u32 *size, int interrupt, u64 source,
-+ bool from_bpf);
- int dispatch_hid_bpf_raw_requests(struct hid_device *hdev,
- unsigned char reportnum, __u8 *buf,
- u32 size, enum hid_report_type rtype,
-@@ -215,8 +216,11 @@ int hid_bpf_device_init(struct hid_devic
- const u8 *call_hid_bpf_rdesc_fixup(struct hid_device *hdev, const u8 *rdesc, unsigned int *size);
- #else /* CONFIG_HID_BPF */
- static inline u8 *dispatch_hid_bpf_device_event(struct hid_device *hid, enum hid_report_type type,
-- u8 *data, u32 *size, int interrupt,
-- u64 source, bool from_bpf) { return data; }
-+ u8 *data, size_t *buf_size, u32 *size,
-+ int interrupt, u64 source, bool from_bpf)
-+{
-+ return data;
-+}
- static inline int dispatch_hid_bpf_raw_requests(struct hid_device *hdev,
- unsigned char reportnum, u8 *buf,
- u32 size, enum hid_report_type rtype,
hid-playstation-clamp-num_touch_reports.patch
hid-appletb-kbd-fix-uaf-in-inactivity-timer-cleanup-path.patch
hid-appletb-kbd-run-inactivity-autodim-from-workqueues.patch
-hid-pass-the-buffer-size-to-hid_report_raw_event.patch
hid-core-introduce-hid_safe_input_report.patch
hid-pidff-fix-integer-overflow-in-pidff_rescale.patch
media-uvcvideo-enable-vb2_dmabuf-for-metadata-stream.patch
+++ /dev/null
-From 2c85c61d1332e1e16f020d76951baf167dcb6f7a Mon Sep 17 00:00:00 2001
-From: Benjamin Tissoires <bentiss@kernel.org>
-Date: Mon, 4 May 2026 10:47:22 +0200
-Subject: HID: pass the buffer size to hid_report_raw_event
-
-From: Benjamin Tissoires <bentiss@kernel.org>
-
-commit 2c85c61d1332e1e16f020d76951baf167dcb6f7a upstream.
-
-commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing
-bogus memset()") enforced the provided data to be at least the size of
-the declared buffer in the report descriptor to prevent a buffer
-overflow. However, we can try to be smarter by providing both the buffer
-size and the data size, meaning that hid_report_raw_event() can make
-better decision whether we should plaining reject the buffer (buffer
-overflow attempt) or if we can safely memset it to 0 and pass it to the
-rest of the stack.
-
-Fixes: 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()")
-Cc: stable@vger.kernel.org
-Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
-Acked-by: Johan Hovold <johan@kernel.org>
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Jiri Kosina <jkosina@suse.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/hid/bpf/hid_bpf_dispatch.c | 6 +++--
- drivers/hid/hid-core.c | 42 ++++++++++++++++++++++++-------------
- drivers/hid/hid-gfrm.c | 4 +--
- drivers/hid/hid-logitech-hidpp.c | 2 -
- drivers/hid/hid-multitouch.c | 2 -
- drivers/hid/hid-primax.c | 2 -
- drivers/hid/hid-vivaldi-common.c | 2 -
- drivers/hid/wacom_sys.c | 6 ++---
- drivers/staging/greybus/hid.c | 2 -
- include/linux/hid.h | 4 +--
- include/linux/hid_bpf.h | 14 +++++++-----
- 11 files changed, 53 insertions(+), 33 deletions(-)
-
---- a/drivers/hid/bpf/hid_bpf_dispatch.c
-+++ b/drivers/hid/bpf/hid_bpf_dispatch.c
-@@ -24,7 +24,8 @@ EXPORT_SYMBOL(hid_ops);
-
- u8 *
- dispatch_hid_bpf_device_event(struct hid_device *hdev, enum hid_report_type type, u8 *data,
-- u32 *size, int interrupt, u64 source, bool from_bpf)
-+ size_t *buf_size, u32 *size, int interrupt, u64 source,
-+ bool from_bpf)
- {
- struct hid_bpf_ctx_kern ctx_kern = {
- .ctx = {
-@@ -74,6 +75,7 @@ dispatch_hid_bpf_device_event(struct hid
- *size = ret;
- }
-
-+ *buf_size = ctx_kern.ctx.allocated_size;
- return ctx_kern.data;
- }
- EXPORT_SYMBOL_GPL(dispatch_hid_bpf_device_event);
-@@ -505,7 +507,7 @@ __hid_bpf_input_report(struct hid_bpf_ct
- if (ret)
- return ret;
-
-- return hid_ops->hid_input_report(ctx->hid, type, buf, size, 0, (u64)(long)ctx, true,
-+ return hid_ops->hid_input_report(ctx->hid, type, buf, size, size, 0, (u64)(long)ctx, true,
- lock_already_taken);
- }
-
---- a/drivers/hid/hid-core.c
-+++ b/drivers/hid/hid-core.c
-@@ -2029,24 +2029,32 @@ out:
- }
- EXPORT_SYMBOL_GPL(__hid_request);
-
--int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size,
-- int interrupt)
-+int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data,
-+ size_t bufsize, u32 size, int interrupt)
- {
- struct hid_report_enum *report_enum = hid->report_enum + type;
- struct hid_report *report;
- struct hid_driver *hdrv;
- int max_buffer_size = HID_MAX_BUFFER_SIZE;
- u32 rsize, csize = size;
-+ size_t bsize = bufsize;
- u8 *cdata = data;
- int ret = 0;
-
- report = hid_get_report(report_enum, data);
- if (!report)
-- goto out;
-+ return 0;
-+
-+ if (unlikely(bsize < csize)) {
-+ hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n",
-+ report->id, csize, bsize);
-+ return -EINVAL;
-+ }
-
- if (report_enum->numbered) {
- cdata++;
- csize--;
-+ bsize--;
- }
-
- rsize = hid_compute_report_size(report);
-@@ -2059,11 +2067,16 @@ int hid_report_raw_event(struct hid_devi
- else if (rsize > max_buffer_size)
- rsize = max_buffer_size;
-
-+ if (bsize < rsize) {
-+ hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n",
-+ report->id, rsize, bsize);
-+ return -EINVAL;
-+ }
-+
- if (csize < rsize) {
-- hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %d)\n",
-- report->id, rsize, csize);
-- ret = -EINVAL;
-- goto out;
-+ dbg_hid("report %d is too short, (%d < %d)\n", report->id,
-+ csize, rsize);
-+ memset(cdata + csize, 0, rsize - csize);
- }
-
- if ((hid->claimed & HID_CLAIMED_HIDDEV) && hid->hiddev_report_event)
-@@ -2071,7 +2084,7 @@ int hid_report_raw_event(struct hid_devi
- if (hid->claimed & HID_CLAIMED_HIDRAW) {
- ret = hidraw_report_event(hid, data, size);
- if (ret)
-- goto out;
-+ return ret;
- }
-
- if (hid->claimed != HID_CLAIMED_HIDRAW && report->maxfield) {
-@@ -2083,15 +2096,15 @@ int hid_report_raw_event(struct hid_devi
-
- if (hid->claimed & HID_CLAIMED_INPUT)
- hidinput_report_event(hid, report);
--out:
-+
- return ret;
- }
- EXPORT_SYMBOL_GPL(hid_report_raw_event);
-
-
- static int __hid_input_report(struct hid_device *hid, enum hid_report_type type,
-- u8 *data, u32 size, int interrupt, u64 source, bool from_bpf,
-- bool lock_already_taken)
-+ u8 *data, size_t bufsize, u32 size, int interrupt, u64 source,
-+ bool from_bpf, bool lock_already_taken)
- {
- struct hid_report_enum *report_enum;
- struct hid_driver *hdrv;
-@@ -2116,7 +2129,8 @@ static int __hid_input_report(struct hid
- report_enum = hid->report_enum + type;
- hdrv = hid->driver;
-
-- data = dispatch_hid_bpf_device_event(hid, type, data, &size, interrupt, source, from_bpf);
-+ data = dispatch_hid_bpf_device_event(hid, type, data, &bufsize, &size, interrupt,
-+ source, from_bpf);
- if (IS_ERR(data)) {
- ret = PTR_ERR(data);
- goto unlock;
-@@ -2145,7 +2159,7 @@ static int __hid_input_report(struct hid
- goto unlock;
- }
-
-- ret = hid_report_raw_event(hid, type, data, size, interrupt);
-+ ret = hid_report_raw_event(hid, type, data, bufsize, size, interrupt);
-
- unlock:
- if (!lock_already_taken)
-@@ -2167,7 +2181,7 @@ unlock:
- int hid_input_report(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size,
- int interrupt)
- {
-- return __hid_input_report(hid, type, data, size, interrupt, 0,
-+ return __hid_input_report(hid, type, data, size, size, interrupt, 0,
- false, /* from_bpf */
- false /* lock_already_taken */);
- }
---- a/drivers/hid/hid-gfrm.c
-+++ b/drivers/hid/hid-gfrm.c
-@@ -66,7 +66,7 @@ static int gfrm_raw_event(struct hid_dev
- switch (data[1]) {
- case GFRM100_SEARCH_KEY_DOWN:
- ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_dn,
-- sizeof(search_key_dn), 1);
-+ sizeof(search_key_dn), sizeof(search_key_dn), 1);
- break;
-
- case GFRM100_SEARCH_KEY_AUDIO_DATA:
-@@ -74,7 +74,7 @@ static int gfrm_raw_event(struct hid_dev
-
- case GFRM100_SEARCH_KEY_UP:
- ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_up,
-- sizeof(search_key_up), 1);
-+ sizeof(search_key_up), sizeof(search_key_up), 1);
- break;
-
- default:
---- a/drivers/hid/hid-logitech-hidpp.c
-+++ b/drivers/hid/hid-logitech-hidpp.c
-@@ -3665,7 +3665,7 @@ static int hidpp10_consumer_keys_raw_eve
- memcpy(&consumer_report[1], &data[3], 4);
- /* We are called from atomic context */
- hid_report_raw_event(hidpp->hid_dev, HID_INPUT_REPORT,
-- consumer_report, 5, 1);
-+ consumer_report, sizeof(consumer_report), 5, 1);
-
- return 1;
- }
---- a/drivers/hid/hid-multitouch.c
-+++ b/drivers/hid/hid-multitouch.c
-@@ -533,7 +533,7 @@ static void mt_get_feature(struct hid_de
- }
-
- ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, buf,
-- size, 0);
-+ size, size, 0);
- if (ret)
- dev_warn(&hdev->dev, "failed to report feature\n");
- }
---- a/drivers/hid/hid-primax.c
-+++ b/drivers/hid/hid-primax.c
-@@ -44,7 +44,7 @@ static int px_raw_event(struct hid_devic
- data[0] |= (1 << (data[idx] - 0xE0));
- data[idx] = 0;
- }
-- hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, 0);
-+ hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, size, 0);
- return 1;
-
- default: /* unknown report */
---- a/drivers/hid/hid-vivaldi-common.c
-+++ b/drivers/hid/hid-vivaldi-common.c
-@@ -85,7 +85,7 @@ void vivaldi_feature_mapping(struct hid_
- }
-
- ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, report_data,
-- report_len, 0);
-+ report_len, report_len, 0);
- if (ret) {
- dev_warn(&hdev->dev, "failed to report feature %d\n",
- field->report->id);
---- a/drivers/hid/wacom_sys.c
-+++ b/drivers/hid/wacom_sys.c
-@@ -90,7 +90,7 @@ static void wacom_wac_queue_flush(struct
- kfree(buf);
- continue;
- }
-- err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, false);
-+ err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, size, false);
- if (err) {
- hid_warn(hdev, "%s: unable to flush event due to error %d\n",
- __func__, err);
-@@ -334,7 +334,7 @@ static void wacom_feature_mapping(struct
- data, n, WAC_CMD_RETRIES);
- if (ret == n && features->type == HID_GENERIC) {
- ret = hid_report_raw_event(hdev,
-- HID_FEATURE_REPORT, data, n, 0);
-+ HID_FEATURE_REPORT, data, n, n, 0);
- } else if (ret == 2 && features->type != HID_GENERIC) {
- features->touch_max = data[1];
- } else {
-@@ -395,7 +395,7 @@ static void wacom_feature_mapping(struct
- data, n, WAC_CMD_RETRIES);
- if (ret == n) {
- ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT,
-- data, n, 0);
-+ data, n, n, 0);
- } else {
- hid_warn(hdev, "%s: could not retrieve sensor offsets\n",
- __func__);
---- a/drivers/staging/greybus/hid.c
-+++ b/drivers/staging/greybus/hid.c
-@@ -201,7 +201,7 @@ static void gb_hid_init_report(struct gb
- * we just need to setup the input fields, so using
- * hid_report_raw_event is safe.
- */
-- hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, size, 1);
-+ hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, ghid->bufsize, size, 1);
- }
-
- static void gb_hid_init_reports(struct gb_hid *ghid)
---- a/include/linux/hid.h
-+++ b/include/linux/hid.h
-@@ -1266,8 +1266,8 @@ static inline u32 hid_report_len(struct
- return DIV_ROUND_UP(report->size, 8) + (report->id > 0);
- }
-
--int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size,
-- int interrupt);
-+int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data,
-+ size_t bufsize, u32 size, int interrupt);
-
- /* HID quirks API */
- unsigned long hid_lookup_quirk(const struct hid_device *hdev);
---- a/include/linux/hid_bpf.h
-+++ b/include/linux/hid_bpf.h
-@@ -72,8 +72,8 @@ struct hid_ops {
- int (*hid_hw_output_report)(struct hid_device *hdev, __u8 *buf, size_t len,
- u64 source, bool from_bpf);
- int (*hid_input_report)(struct hid_device *hid, enum hid_report_type type,
-- u8 *data, u32 size, int interrupt, u64 source, bool from_bpf,
-- bool lock_already_taken);
-+ u8 *data, size_t bufsize, u32 size, int interrupt, u64 source,
-+ bool from_bpf, bool lock_already_taken);
- struct module *owner;
- const struct bus_type *bus_type;
- };
-@@ -200,7 +200,8 @@ struct hid_bpf {
-
- #ifdef CONFIG_HID_BPF
- u8 *dispatch_hid_bpf_device_event(struct hid_device *hid, enum hid_report_type type, u8 *data,
-- u32 *size, int interrupt, u64 source, bool from_bpf);
-+ size_t *buf_size, u32 *size, int interrupt, u64 source,
-+ bool from_bpf);
- int dispatch_hid_bpf_raw_requests(struct hid_device *hdev,
- unsigned char reportnum, __u8 *buf,
- u32 size, enum hid_report_type rtype,
-@@ -215,8 +216,11 @@ int hid_bpf_device_init(struct hid_devic
- const u8 *call_hid_bpf_rdesc_fixup(struct hid_device *hdev, const u8 *rdesc, unsigned int *size);
- #else /* CONFIG_HID_BPF */
- static inline u8 *dispatch_hid_bpf_device_event(struct hid_device *hid, enum hid_report_type type,
-- u8 *data, u32 *size, int interrupt,
-- u64 source, bool from_bpf) { return data; }
-+ u8 *data, size_t *buf_size, u32 *size,
-+ int interrupt, u64 source, bool from_bpf)
-+{
-+ return data;
-+}
- static inline int dispatch_hid_bpf_raw_requests(struct hid_device *hdev,
- unsigned char reportnum, u8 *buf,
- u32 size, enum hid_report_type rtype,
hid-playstation-clamp-num_touch_reports.patch
hid-appletb-kbd-fix-uaf-in-inactivity-timer-cleanup-path.patch
hid-appletb-kbd-run-inactivity-autodim-from-workqueues.patch
-hid-pass-the-buffer-size-to-hid_report_raw_event.patch
hid-core-introduce-hid_safe_input_report.patch
hid-pidff-fix-integer-overflow-in-pidff_rescale.patch
media-uvcvideo-enable-vb2_dmabuf-for-metadata-stream.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
