Re: [PATCH v2] HID: ft260: validate report size and payload length in raw_event
From: Michael Zaidman
Date: Thu Apr 09 2026 - 15:18:01 EST
On Thu, Apr 9, 2026 at 9:29 PM Jiri Kosina <jikos@xxxxxxxxxx> wrote:
>
> On Thu, 9 Apr 2026, Michael Zaidman wrote:
>
> > The FT260 uses different report IDs (0xD0 through 0xDE) for different payload
> > lengths, with each report ID defining a different report size in the HID
> > descriptor. So yes, the device can legitimately send reports shorter than
> > FT260_REPORT_MAX_LENGTH, and a blanket size < 64 check would break valid
> > short transfers.
>
> Perfect, thanks a lot for the detailed writeup! I was rather suspicious
> about the bold statement in the changelog.
>
> Similarly to Sebastián's other fixes to various other drivers, this will
> need a more thorough check.
>
> Thanks,
>
> --
> Jiri Kosina
> SUSE Labs
>

Hi Jiri,

Indeed. The original patch would have been easily caught by testing on actual
FT260 hardware - short transfers using report IDs 0xD0 through 0xD3 carry well
under 64 bytes and are part of normal I2C operation. A blanket size < 64 check
would break them immediately.

I'll submit a proper fix with per-report-ID capacity validation based on the
HID descriptor.
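
The per-report-ID check discussed in this thread, sketched as an added example (not part of the message above, not the hid-ft260 driver's code, and not the announced fix). Assumptions: the report starts with an ID byte and a length byte, and each report ID from 0xD0 to 0xDE adds 4 bytes of payload capacity; the helper names and the two range macros are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Report ID range named in the thread (macro names are illustrative). */
#define FT260_I2C_REPORT_MIN    0xD0
#define FT260_I2C_REPORT_MAX    0xDE
#define FT260_REPORT_MAX_LENGTH 64

/* Assumed layout: [0] report ID, [1] payload length, [2..] payload. */
#define HDR_LEN 2

/* Assumption: each report ID step adds 4 bytes of payload capacity
 * (0xD0 -> 4 ... 0xDE -> 60). A real fix would take the capacity from
 * the HID descriptor. Returns 0 for IDs outside the I2C data range. */
static size_t ft260_report_capacity(uint8_t id)
{
    if (id < FT260_I2C_REPORT_MIN || id > FT260_I2C_REPORT_MAX)
        return 0;
    return (size_t)(id - FT260_I2C_REPORT_MIN + 1) * 4;
}

/* Returns the payload length if the report is consistent, -1 otherwise. */
static int ft260_check_i2c_report(const uint8_t *data, size_t size)
{
    size_t cap, len;

    if (!data || size < HDR_LEN || size > FT260_REPORT_MAX_LENGTH)
        return -1;
    cap = ft260_report_capacity(data[0]);
    if (cap == 0)
        return -1;
    len = data[1];
    /* Length must fit the ID's capacity and the bytes actually received. */
    if (len > cap || len > size - HDR_LEN)
        return -1;
    return (int)len;
}

int main(void)
{
    /* Constructed samples: short valid report, then an overlong length. */
    const uint8_t ok[]  = { 0xD0, 3, 0x11, 0x22, 0x33, 0x00 };
    const uint8_t bad[] = { 0xD0, 60, 0x11, 0x22, 0x33, 0x00 };

    printf("ok=%d bad=%d\n", ft260_check_i2c_report(ok, sizeof(ok)),
           ft260_check_i2c_report(bad, sizeof(bad)));
    return 0;
}
```

The 6-byte report with ID 0xD0 is accepted here, whereas a blanket size < 64 check would reject it.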