From: Sasha Levin Date: Sat, 16 May 2026 11:17:12 +0000 (-0400) Subject: Drop hid-pass-the-buffer-size-to-hid_report_raw_event.patch X-Git-Tag: v6.6.140~1^2~2 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=3bb1066d4749a63c883cd6c8299281b3f0cebaee;p=thirdparty%2Fkernel%2Fstable-queue.git Drop hid-pass-the-buffer-size-to-hid_report_raw_event.patch Signed-off-by: Sasha Levin --- diff --git a/queue-6.18/hid-pass-the-buffer-size-to-hid_report_raw_event.patch b/queue-6.18/hid-pass-the-buffer-size-to-hid_report_raw_event.patch deleted file mode 100644 index eaffe66a29..0000000000 --- a/queue-6.18/hid-pass-the-buffer-size-to-hid_report_raw_event.patch +++ /dev/null @@ -1,337 +0,0 @@ -From 2c85c61d1332e1e16f020d76951baf167dcb6f7a Mon Sep 17 00:00:00 2001 -From: Benjamin Tissoires -Date: Mon, 4 May 2026 10:47:22 +0200 -Subject: HID: pass the buffer size to hid_report_raw_event - -From: Benjamin Tissoires - -commit 2c85c61d1332e1e16f020d76951baf167dcb6f7a upstream. - -commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing -bogus memset()") enforced the provided data to be at least the size of -the declared buffer in the report descriptor to prevent a buffer -overflow. However, we can try to be smarter by providing both the buffer -size and the data size, meaning that hid_report_raw_event() can make -better decision whether we should plaining reject the buffer (buffer -overflow attempt) or if we can safely memset it to 0 and pass it to the -rest of the stack. - -Fixes: 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()") -Cc: stable@vger.kernel.org -Signed-off-by: Benjamin Tissoires -Acked-by: Johan Hovold -Reviewed-by: Greg Kroah-Hartman -Signed-off-by: Jiri Kosina -Signed-off-by: Greg Kroah-Hartman ---- - drivers/hid/bpf/hid_bpf_dispatch.c | 6 +++-- - drivers/hid/hid-core.c | 42 ++++++++++++++++++++++++------------- - drivers/hid/hid-gfrm.c | 4 +-- - drivers/hid/hid-logitech-hidpp.c | 2 - - drivers/hid/hid-multitouch.c | 2 - - drivers/hid/hid-primax.c | 2 - - drivers/hid/hid-vivaldi-common.c | 2 - - drivers/hid/wacom_sys.c | 6 ++--- - drivers/staging/greybus/hid.c | 2 - - include/linux/hid.h | 4 +-- - include/linux/hid_bpf.h | 14 +++++++----- - 11 files changed, 53 insertions(+), 33 deletions(-) - ---- a/drivers/hid/bpf/hid_bpf_dispatch.c -+++ b/drivers/hid/bpf/hid_bpf_dispatch.c -@@ -24,7 +24,8 @@ EXPORT_SYMBOL(hid_ops); - - u8 * - dispatch_hid_bpf_device_event(struct hid_device *hdev, enum hid_report_type type, u8 *data, -- u32 *size, int interrupt, u64 source, bool from_bpf) -+ size_t *buf_size, u32 *size, int interrupt, u64 source, -+ bool from_bpf) - { - struct hid_bpf_ctx_kern ctx_kern = { - .ctx = { -@@ -74,6 +75,7 @@ dispatch_hid_bpf_device_event(struct hid - *size = ret; - } - -+ *buf_size = ctx_kern.ctx.allocated_size; - return ctx_kern.data; - } - EXPORT_SYMBOL_GPL(dispatch_hid_bpf_device_event); -@@ -508,7 +510,7 @@ __hid_bpf_input_report(struct hid_bpf_ct - if (ret) - return ret; - -- return hid_ops->hid_input_report(ctx->hid, type, buf, size, 0, (u64)(long)ctx, true, -+ return hid_ops->hid_input_report(ctx->hid, type, buf, size, size, 0, (u64)(long)ctx, true, - lock_already_taken); - } - ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -2029,24 +2029,32 @@ out: - } - EXPORT_SYMBOL_GPL(__hid_request); - --int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size, -- int interrupt) -+int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data, -+ size_t bufsize, u32 size, int interrupt) - { - struct hid_report_enum *report_enum = hid->report_enum + type; - struct hid_report *report; - struct hid_driver *hdrv; - int max_buffer_size = HID_MAX_BUFFER_SIZE; - u32 rsize, csize = size; -+ size_t bsize = bufsize; - u8 *cdata = data; - int ret = 0; - - report = hid_get_report(report_enum, data); - if (!report) -- goto out; -+ return 0; -+ -+ if (unlikely(bsize < csize)) { -+ hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n", -+ report->id, csize, bsize); -+ return -EINVAL; -+ } - - if (report_enum->numbered) { - cdata++; - csize--; -+ bsize--; - } - - rsize = hid_compute_report_size(report); -@@ -2059,11 +2067,16 @@ int hid_report_raw_event(struct hid_devi - else if (rsize > max_buffer_size) - rsize = max_buffer_size; - -+ if (bsize < rsize) { -+ hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n", -+ report->id, rsize, bsize); -+ return -EINVAL; -+ } -+ - if (csize < rsize) { -- hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %d)\n", -- report->id, rsize, csize); -- ret = -EINVAL; -- goto out; -+ dbg_hid("report %d is too short, (%d < %d)\n", report->id, -+ csize, rsize); -+ memset(cdata + csize, 0, rsize - csize); - } - - if ((hid->claimed & HID_CLAIMED_HIDDEV) && hid->hiddev_report_event) -@@ -2071,7 +2084,7 @@ int hid_report_raw_event(struct hid_devi - if (hid->claimed & HID_CLAIMED_HIDRAW) { - ret = hidraw_report_event(hid, data, size); - if (ret) -- goto out; -+ return ret; - } - - if (hid->claimed != HID_CLAIMED_HIDRAW && report->maxfield) { -@@ -2083,15 +2096,15 @@ int hid_report_raw_event(struct hid_devi - - if (hid->claimed & HID_CLAIMED_INPUT) - hidinput_report_event(hid, report); --out: -+ - return ret; - } - EXPORT_SYMBOL_GPL(hid_report_raw_event); - - - static int __hid_input_report(struct hid_device *hid, enum hid_report_type type, -- u8 *data, u32 size, int interrupt, u64 source, bool from_bpf, -- bool lock_already_taken) -+ u8 *data, size_t bufsize, u32 size, int interrupt, u64 source, -+ bool from_bpf, bool lock_already_taken) - { - struct hid_report_enum *report_enum; - struct hid_driver *hdrv; -@@ -2116,7 +2129,8 @@ static int __hid_input_report(struct hid - report_enum = hid->report_enum + type; - hdrv = hid->driver; - -- data = dispatch_hid_bpf_device_event(hid, type, data, &size, interrupt, source, from_bpf); -+ data = dispatch_hid_bpf_device_event(hid, type, data, &bufsize, &size, interrupt, -+ source, from_bpf); - if (IS_ERR(data)) { - ret = PTR_ERR(data); - goto unlock; -@@ -2145,7 +2159,7 @@ static int __hid_input_report(struct hid - goto unlock; - } - -- ret = hid_report_raw_event(hid, type, data, size, interrupt); -+ ret = hid_report_raw_event(hid, type, data, bufsize, size, interrupt); - - unlock: - if (!lock_already_taken) -@@ -2167,7 +2181,7 @@ unlock: - int hid_input_report(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size, - int interrupt) - { -- return __hid_input_report(hid, type, data, size, interrupt, 0, -+ return __hid_input_report(hid, type, data, size, size, interrupt, 0, - false, /* from_bpf */ - false /* lock_already_taken */); - } ---- a/drivers/hid/hid-gfrm.c -+++ b/drivers/hid/hid-gfrm.c -@@ -66,7 +66,7 @@ static int gfrm_raw_event(struct hid_dev - switch (data[1]) { - case GFRM100_SEARCH_KEY_DOWN: - ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_dn, -- sizeof(search_key_dn), 1); -+ sizeof(search_key_dn), sizeof(search_key_dn), 1); - break; - - case GFRM100_SEARCH_KEY_AUDIO_DATA: -@@ -74,7 +74,7 @@ static int gfrm_raw_event(struct hid_dev - - case GFRM100_SEARCH_KEY_UP: - ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_up, -- sizeof(search_key_up), 1); -+ sizeof(search_key_up), sizeof(search_key_up), 1); - break; - - default: ---- a/drivers/hid/hid-logitech-hidpp.c -+++ b/drivers/hid/hid-logitech-hidpp.c -@@ -3664,7 +3664,7 @@ static int hidpp10_consumer_keys_raw_eve - memcpy(&consumer_report[1], &data[3], 4); - /* We are called from atomic context */ - hid_report_raw_event(hidpp->hid_dev, HID_INPUT_REPORT, -- consumer_report, 5, 1); -+ consumer_report, sizeof(consumer_report), 5, 1); - - return 1; - } ---- a/drivers/hid/hid-multitouch.c -+++ b/drivers/hid/hid-multitouch.c -@@ -531,7 +531,7 @@ static void mt_get_feature(struct hid_de - } - - ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, buf, -- size, 0); -+ size, size, 0); - if (ret) - dev_warn(&hdev->dev, "failed to report feature\n"); - } ---- a/drivers/hid/hid-primax.c -+++ b/drivers/hid/hid-primax.c -@@ -44,7 +44,7 @@ static int px_raw_event(struct hid_devic - data[0] |= (1 << (data[idx] - 0xE0)); - data[idx] = 0; - } -- hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, 0); -+ hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, size, 0); - return 1; - - default: /* unknown report */ ---- a/drivers/hid/hid-vivaldi-common.c -+++ b/drivers/hid/hid-vivaldi-common.c -@@ -85,7 +85,7 @@ void vivaldi_feature_mapping(struct hid_ - } - - ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, report_data, -- report_len, 0); -+ report_len, report_len, 0); - if (ret) { - dev_warn(&hdev->dev, "failed to report feature %d\n", - field->report->id); ---- a/drivers/hid/wacom_sys.c -+++ b/drivers/hid/wacom_sys.c -@@ -90,7 +90,7 @@ static void wacom_wac_queue_flush(struct - kfree(buf); - continue; - } -- err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, false); -+ err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, size, false); - if (err) { - hid_warn(hdev, "%s: unable to flush event due to error %d\n", - __func__, err); -@@ -334,7 +334,7 @@ static void wacom_feature_mapping(struct - data, n, WAC_CMD_RETRIES); - if (ret == n && features->type == HID_GENERIC) { - ret = hid_report_raw_event(hdev, -- HID_FEATURE_REPORT, data, n, 0); -+ HID_FEATURE_REPORT, data, n, n, 0); - } else if (ret == 2 && features->type != HID_GENERIC) { - features->touch_max = data[1]; - } else { -@@ -395,7 +395,7 @@ static void wacom_feature_mapping(struct - data, n, WAC_CMD_RETRIES); - if (ret == n) { - ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, -- data, n, 0); -+ data, n, n, 0); - } else { - hid_warn(hdev, "%s: could not retrieve sensor offsets\n", - __func__); ---- a/drivers/staging/greybus/hid.c -+++ b/drivers/staging/greybus/hid.c -@@ -201,7 +201,7 @@ static void gb_hid_init_report(struct gb - * we just need to setup the input fields, so using - * hid_report_raw_event is safe. - */ -- hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, size, 1); -+ hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, ghid->bufsize, size, 1); - } - - static void gb_hid_init_reports(struct gb_hid *ghid) ---- a/include/linux/hid.h -+++ b/include/linux/hid.h -@@ -1258,8 +1258,8 @@ static inline u32 hid_report_len(struct - return DIV_ROUND_UP(report->size, 8) + (report->id > 0); - } - --int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size, -- int interrupt); -+int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data, -+ size_t bufsize, u32 size, int interrupt); - - /* HID quirks API */ - unsigned long hid_lookup_quirk(const struct hid_device *hdev); ---- a/include/linux/hid_bpf.h -+++ b/include/linux/hid_bpf.h -@@ -72,8 +72,8 @@ struct hid_ops { - int (*hid_hw_output_report)(struct hid_device *hdev, __u8 *buf, size_t len, - u64 source, bool from_bpf); - int (*hid_input_report)(struct hid_device *hid, enum hid_report_type type, -- u8 *data, u32 size, int interrupt, u64 source, bool from_bpf, -- bool lock_already_taken); -+ u8 *data, size_t bufsize, u32 size, int interrupt, u64 source, -+ bool from_bpf, bool lock_already_taken); - struct module *owner; - const struct bus_type *bus_type; - }; -@@ -200,7 +200,8 @@ struct hid_bpf { - - #ifdef CONFIG_HID_BPF - u8 *dispatch_hid_bpf_device_event(struct hid_device *hid, enum hid_report_type type, u8 *data, -- u32 *size, int interrupt, u64 source, bool from_bpf); -+ size_t *buf_size, u32 *size, int interrupt, u64 source, -+ bool from_bpf); - int dispatch_hid_bpf_raw_requests(struct hid_device *hdev, - unsigned char reportnum, __u8 *buf, - u32 size, enum hid_report_type rtype, -@@ -215,8 +216,11 @@ int hid_bpf_device_init(struct hid_devic - const u8 *call_hid_bpf_rdesc_fixup(struct hid_device *hdev, const u8 *rdesc, unsigned int *size); - #else /* CONFIG_HID_BPF */ - static inline u8 *dispatch_hid_bpf_device_event(struct hid_device *hid, enum hid_report_type type, -- u8 *data, u32 *size, int interrupt, -- u64 source, bool from_bpf) { return data; } -+ u8 *data, size_t *buf_size, u32 *size, -+ int interrupt, u64 source, bool from_bpf) -+{ -+ return data; -+} - static inline int dispatch_hid_bpf_raw_requests(struct hid_device *hdev, - unsigned char reportnum, u8 *buf, - u32 size, enum hid_report_type rtype, diff --git a/queue-6.18/series b/queue-6.18/series index 2a9c42435f..0174eef60a 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -1,7 +1,6 @@ hid-playstation-clamp-num_touch_reports.patch hid-appletb-kbd-fix-uaf-in-inactivity-timer-cleanup-path.patch hid-appletb-kbd-run-inactivity-autodim-from-workqueues.patch -hid-pass-the-buffer-size-to-hid_report_raw_event.patch hid-core-introduce-hid_safe_input_report.patch hid-pidff-fix-integer-overflow-in-pidff_rescale.patch media-uvcvideo-enable-vb2_dmabuf-for-metadata-stream.patch diff --git a/queue-7.0/hid-pass-the-buffer-size-to-hid_report_raw_event.patch b/queue-7.0/hid-pass-the-buffer-size-to-hid_report_raw_event.patch deleted file mode 100644 index 53a61b37bc..0000000000 --- a/queue-7.0/hid-pass-the-buffer-size-to-hid_report_raw_event.patch +++ /dev/null @@ -1,337 +0,0 @@ -From 2c85c61d1332e1e16f020d76951baf167dcb6f7a Mon Sep 17 00:00:00 2001 -From: Benjamin Tissoires -Date: Mon, 4 May 2026 10:47:22 +0200 -Subject: HID: pass the buffer size to hid_report_raw_event - -From: Benjamin Tissoires - -commit 2c85c61d1332e1e16f020d76951baf167dcb6f7a upstream. - -commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing -bogus memset()") enforced the provided data to be at least the size of -the declared buffer in the report descriptor to prevent a buffer -overflow. However, we can try to be smarter by providing both the buffer -size and the data size, meaning that hid_report_raw_event() can make -better decision whether we should plaining reject the buffer (buffer -overflow attempt) or if we can safely memset it to 0 and pass it to the -rest of the stack. - -Fixes: 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()") -Cc: stable@vger.kernel.org -Signed-off-by: Benjamin Tissoires -Acked-by: Johan Hovold -Reviewed-by: Greg Kroah-Hartman -Signed-off-by: Jiri Kosina -Signed-off-by: Greg Kroah-Hartman ---- - drivers/hid/bpf/hid_bpf_dispatch.c | 6 +++-- - drivers/hid/hid-core.c | 42 ++++++++++++++++++++++++------------- - drivers/hid/hid-gfrm.c | 4 +-- - drivers/hid/hid-logitech-hidpp.c | 2 - - drivers/hid/hid-multitouch.c | 2 - - drivers/hid/hid-primax.c | 2 - - drivers/hid/hid-vivaldi-common.c | 2 - - drivers/hid/wacom_sys.c | 6 ++--- - drivers/staging/greybus/hid.c | 2 - - include/linux/hid.h | 4 +-- - include/linux/hid_bpf.h | 14 +++++++----- - 11 files changed, 53 insertions(+), 33 deletions(-) - ---- a/drivers/hid/bpf/hid_bpf_dispatch.c -+++ b/drivers/hid/bpf/hid_bpf_dispatch.c -@@ -24,7 +24,8 @@ EXPORT_SYMBOL(hid_ops); - - u8 * - dispatch_hid_bpf_device_event(struct hid_device *hdev, enum hid_report_type type, u8 *data, -- u32 *size, int interrupt, u64 source, bool from_bpf) -+ size_t *buf_size, u32 *size, int interrupt, u64 source, -+ bool from_bpf) - { - struct hid_bpf_ctx_kern ctx_kern = { - .ctx = { -@@ -74,6 +75,7 @@ dispatch_hid_bpf_device_event(struct hid - *size = ret; - } - -+ *buf_size = ctx_kern.ctx.allocated_size; - return ctx_kern.data; - } - EXPORT_SYMBOL_GPL(dispatch_hid_bpf_device_event); -@@ -505,7 +507,7 @@ __hid_bpf_input_report(struct hid_bpf_ct - if (ret) - return ret; - -- return hid_ops->hid_input_report(ctx->hid, type, buf, size, 0, (u64)(long)ctx, true, -+ return hid_ops->hid_input_report(ctx->hid, type, buf, size, size, 0, (u64)(long)ctx, true, - lock_already_taken); - } - ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -2029,24 +2029,32 @@ out: - } - EXPORT_SYMBOL_GPL(__hid_request); - --int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size, -- int interrupt) -+int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data, -+ size_t bufsize, u32 size, int interrupt) - { - struct hid_report_enum *report_enum = hid->report_enum + type; - struct hid_report *report; - struct hid_driver *hdrv; - int max_buffer_size = HID_MAX_BUFFER_SIZE; - u32 rsize, csize = size; -+ size_t bsize = bufsize; - u8 *cdata = data; - int ret = 0; - - report = hid_get_report(report_enum, data); - if (!report) -- goto out; -+ return 0; -+ -+ if (unlikely(bsize < csize)) { -+ hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n", -+ report->id, csize, bsize); -+ return -EINVAL; -+ } - - if (report_enum->numbered) { - cdata++; - csize--; -+ bsize--; - } - - rsize = hid_compute_report_size(report); -@@ -2059,11 +2067,16 @@ int hid_report_raw_event(struct hid_devi - else if (rsize > max_buffer_size) - rsize = max_buffer_size; - -+ if (bsize < rsize) { -+ hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n", -+ report->id, rsize, bsize); -+ return -EINVAL; -+ } -+ - if (csize < rsize) { -- hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %d)\n", -- report->id, rsize, csize); -- ret = -EINVAL; -- goto out; -+ dbg_hid("report %d is too short, (%d < %d)\n", report->id, -+ csize, rsize); -+ memset(cdata + csize, 0, rsize - csize); - } - - if ((hid->claimed & HID_CLAIMED_HIDDEV) && hid->hiddev_report_event) -@@ -2071,7 +2084,7 @@ int hid_report_raw_event(struct hid_devi - if (hid->claimed & HID_CLAIMED_HIDRAW) { - ret = hidraw_report_event(hid, data, size); - if (ret) -- goto out; -+ return ret; - } - - if (hid->claimed != HID_CLAIMED_HIDRAW && report->maxfield) { -@@ -2083,15 +2096,15 @@ int hid_report_raw_event(struct hid_devi - - if (hid->claimed & HID_CLAIMED_INPUT) - hidinput_report_event(hid, report); --out: -+ - return ret; - } - EXPORT_SYMBOL_GPL(hid_report_raw_event); - - - static int __hid_input_report(struct hid_device *hid, enum hid_report_type type, -- u8 *data, u32 size, int interrupt, u64 source, bool from_bpf, -- bool lock_already_taken) -+ u8 *data, size_t bufsize, u32 size, int interrupt, u64 source, -+ bool from_bpf, bool lock_already_taken) - { - struct hid_report_enum *report_enum; - struct hid_driver *hdrv; -@@ -2116,7 +2129,8 @@ static int __hid_input_report(struct hid - report_enum = hid->report_enum + type; - hdrv = hid->driver; - -- data = dispatch_hid_bpf_device_event(hid, type, data, &size, interrupt, source, from_bpf); -+ data = dispatch_hid_bpf_device_event(hid, type, data, &bufsize, &size, interrupt, -+ source, from_bpf); - if (IS_ERR(data)) { - ret = PTR_ERR(data); - goto unlock; -@@ -2145,7 +2159,7 @@ static int __hid_input_report(struct hid - goto unlock; - } - -- ret = hid_report_raw_event(hid, type, data, size, interrupt); -+ ret = hid_report_raw_event(hid, type, data, bufsize, size, interrupt); - - unlock: - if (!lock_already_taken) -@@ -2167,7 +2181,7 @@ unlock: - int hid_input_report(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size, - int interrupt) - { -- return __hid_input_report(hid, type, data, size, interrupt, 0, -+ return __hid_input_report(hid, type, data, size, size, interrupt, 0, - false, /* from_bpf */ - false /* lock_already_taken */); - } ---- a/drivers/hid/hid-gfrm.c -+++ b/drivers/hid/hid-gfrm.c -@@ -66,7 +66,7 @@ static int gfrm_raw_event(struct hid_dev - switch (data[1]) { - case GFRM100_SEARCH_KEY_DOWN: - ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_dn, -- sizeof(search_key_dn), 1); -+ sizeof(search_key_dn), sizeof(search_key_dn), 1); - break; - - case GFRM100_SEARCH_KEY_AUDIO_DATA: -@@ -74,7 +74,7 @@ static int gfrm_raw_event(struct hid_dev - - case GFRM100_SEARCH_KEY_UP: - ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_up, -- sizeof(search_key_up), 1); -+ sizeof(search_key_up), sizeof(search_key_up), 1); - break; - - default: ---- a/drivers/hid/hid-logitech-hidpp.c -+++ b/drivers/hid/hid-logitech-hidpp.c -@@ -3665,7 +3665,7 @@ static int hidpp10_consumer_keys_raw_eve - memcpy(&consumer_report[1], &data[3], 4); - /* We are called from atomic context */ - hid_report_raw_event(hidpp->hid_dev, HID_INPUT_REPORT, -- consumer_report, 5, 1); -+ consumer_report, sizeof(consumer_report), 5, 1); - - return 1; - } ---- a/drivers/hid/hid-multitouch.c -+++ b/drivers/hid/hid-multitouch.c -@@ -533,7 +533,7 @@ static void mt_get_feature(struct hid_de - } - - ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, buf, -- size, 0); -+ size, size, 0); - if (ret) - dev_warn(&hdev->dev, "failed to report feature\n"); - } ---- a/drivers/hid/hid-primax.c -+++ b/drivers/hid/hid-primax.c -@@ -44,7 +44,7 @@ static int px_raw_event(struct hid_devic - data[0] |= (1 << (data[idx] - 0xE0)); - data[idx] = 0; - } -- hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, 0); -+ hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, size, 0); - return 1; - - default: /* unknown report */ ---- a/drivers/hid/hid-vivaldi-common.c -+++ b/drivers/hid/hid-vivaldi-common.c -@@ -85,7 +85,7 @@ void vivaldi_feature_mapping(struct hid_ - } - - ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, report_data, -- report_len, 0); -+ report_len, report_len, 0); - if (ret) { - dev_warn(&hdev->dev, "failed to report feature %d\n", - field->report->id); ---- a/drivers/hid/wacom_sys.c -+++ b/drivers/hid/wacom_sys.c -@@ -90,7 +90,7 @@ static void wacom_wac_queue_flush(struct - kfree(buf); - continue; - } -- err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, false); -+ err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, size, false); - if (err) { - hid_warn(hdev, "%s: unable to flush event due to error %d\n", - __func__, err); -@@ -334,7 +334,7 @@ static void wacom_feature_mapping(struct - data, n, WAC_CMD_RETRIES); - if (ret == n && features->type == HID_GENERIC) { - ret = hid_report_raw_event(hdev, -- HID_FEATURE_REPORT, data, n, 0); -+ HID_FEATURE_REPORT, data, n, n, 0); - } else if (ret == 2 && features->type != HID_GENERIC) { - features->touch_max = data[1]; - } else { -@@ -395,7 +395,7 @@ static void wacom_feature_mapping(struct - data, n, WAC_CMD_RETRIES); - if (ret == n) { - ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, -- data, n, 0); -+ data, n, n, 0); - } else { - hid_warn(hdev, "%s: could not retrieve sensor offsets\n", - __func__); ---- a/drivers/staging/greybus/hid.c -+++ b/drivers/staging/greybus/hid.c -@@ -201,7 +201,7 @@ static void gb_hid_init_report(struct gb - * we just need to setup the input fields, so using - * hid_report_raw_event is safe. - */ -- hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, size, 1); -+ hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, ghid->bufsize, size, 1); - } - - static void gb_hid_init_reports(struct gb_hid *ghid) ---- a/include/linux/hid.h -+++ b/include/linux/hid.h -@@ -1266,8 +1266,8 @@ static inline u32 hid_report_len(struct - return DIV_ROUND_UP(report->size, 8) + (report->id > 0); - } - --int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size, -- int interrupt); -+int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data, -+ size_t bufsize, u32 size, int interrupt); - - /* HID quirks API */ - unsigned long hid_lookup_quirk(const struct hid_device *hdev); ---- a/include/linux/hid_bpf.h -+++ b/include/linux/hid_bpf.h -@@ -72,8 +72,8 @@ struct hid_ops { - int (*hid_hw_output_report)(struct hid_device *hdev, __u8 *buf, size_t len, - u64 source, bool from_bpf); - int (*hid_input_report)(struct hid_device *hid, enum hid_report_type type, -- u8 *data, u32 size, int interrupt, u64 source, bool from_bpf, -- bool lock_already_taken); -+ u8 *data, size_t bufsize, u32 size, int interrupt, u64 source, -+ bool from_bpf, bool lock_already_taken); - struct module *owner; - const struct bus_type *bus_type; - }; -@@ -200,7 +200,8 @@ struct hid_bpf { - - #ifdef CONFIG_HID_BPF - u8 *dispatch_hid_bpf_device_event(struct hid_device *hid, enum hid_report_type type, u8 *data, -- u32 *size, int interrupt, u64 source, bool from_bpf); -+ size_t *buf_size, u32 *size, int interrupt, u64 source, -+ bool from_bpf); - int dispatch_hid_bpf_raw_requests(struct hid_device *hdev, - unsigned char reportnum, __u8 *buf, - u32 size, enum hid_report_type rtype, -@@ -215,8 +216,11 @@ int hid_bpf_device_init(struct hid_devic - const u8 *call_hid_bpf_rdesc_fixup(struct hid_device *hdev, const u8 *rdesc, unsigned int *size); - #else /* CONFIG_HID_BPF */ - static inline u8 *dispatch_hid_bpf_device_event(struct hid_device *hid, enum hid_report_type type, -- u8 *data, u32 *size, int interrupt, -- u64 source, bool from_bpf) { return data; } -+ u8 *data, size_t *buf_size, u32 *size, -+ int interrupt, u64 source, bool from_bpf) -+{ -+ return data; -+} - static inline int dispatch_hid_bpf_raw_requests(struct hid_device *hdev, - unsigned char reportnum, u8 *buf, - u32 size, enum hid_report_type rtype, diff --git a/queue-7.0/series b/queue-7.0/series index 2201ce3c96..e3d29b18d5 100644 --- a/queue-7.0/series +++ b/queue-7.0/series @@ -1,7 +1,6 @@ hid-playstation-clamp-num_touch_reports.patch hid-appletb-kbd-fix-uaf-in-inactivity-timer-cleanup-path.patch hid-appletb-kbd-run-inactivity-autodim-from-workqueues.patch -hid-pass-the-buffer-size-to-hid_report_raw_event.patch hid-core-introduce-hid_safe_input_report.patch hid-pidff-fix-integer-overflow-in-pidff_rescale.patch media-uvcvideo-enable-vb2_dmabuf-for-metadata-stream.patch