Re: [PATCH] HID: uhid: convert to hid_safe_input_report()
From: Jiri Kosina
Date: Wed Jun 10 2026 - 14:33:42 EST
On Sat, 6 Jun 2026, Carlos Llamas wrote:
> Commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing
> bogus memset()") added a check in hid_report_raw_event() to reject
> reports if the received data size is smaller than expected. This was
> intended to prevent OOB errors by no longer allowing zeroing-out of
> shorter reports due to the lack of buffer size information.
>
> However, this leads to regressions in hid_report_raw_event(), where
> shorter than expected reports are rejected, even though their buffers
> are sufficiently large to be zero-padded.
>
> To solve this issue, Benjamin introduced a safer alternative in commit
> 206342541fc8 ("HID: core: introduce hid_safe_input_report()"), which
> forwards the buffer size and allows hid_report_raw_event() to safely
> zero-pad the data.
>
> Convert uhid to use hid_safe_input_report() and pass UHID_DATA_MAX as
> the buffer size. This prevents the reported regressions [1], allowing
> hid core to zero-pad the shorter reports safely as expected.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()")
> Closes: https://lore.kernel.org/all/ahsh0UtTX6e0ZeHa@xxxxxxxxxx/ [1]
> Signed-off-by: Carlos Llamas <cmllamas@xxxxxxxxxx>
Applied, thanks.
--
Jiri Kosina
SUSE Labs
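
Added illustration, not part of the mail above or of the kernel patch: a userspace C model of the difference the commit message describes, between rejecting a short report when only its size is known and zero-padding it once the buffer size is forwarded. All function, enum and variable names are hypothetical, and the sample sizes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names: a userspace model, not the kernel's own functions. */
enum report_status { REPORT_REJECTED = -1, REPORT_OK = 0, REPORT_PADDED = 1 };

/*
 * Size-only path: the callee knows how many bytes are valid but not how
 * large the backing buffer is, so a short report cannot be padded safely
 * and has to be rejected.
 */
int report_check_size_only(size_t size, size_t expected)
{
    return size < expected ? REPORT_REJECTED : REPORT_OK;
}

/*
 * Size-plus-capacity path: the caller also forwards bufsize, so a short
 * report is zero-padded only when the buffer has room for the expected
 * length.
 */
int report_check_with_bufsize(uint8_t *buf, size_t bufsize,
                              size_t size, size_t expected)
{
    if (size > bufsize)
        return REPORT_REJECTED;   /* claimed data exceeds the buffer */
    if (size >= expected)
        return REPORT_OK;         /* nothing to pad */
    if (expected > bufsize)
        return REPORT_REJECTED;   /* padding would write out of bounds */
    memset(buf + size, 0, expected - size);
    return REPORT_PADDED;
}

/* Constructed demo: 8 bytes expected, 5 received, stale 0xAA in the tail. */
int demo_padded_tail_is_zero(void)
{
    uint8_t buf[16];

    memset(buf, 0xAA, sizeof(buf));
    if (report_check_with_bufsize(buf, sizeof(buf), 5, 8) != REPORT_PADDED)
        return 0;
    /* Received bytes untouched, padded bytes zeroed, rest of buffer untouched. */
    return buf[4] == 0xAA && buf[5] == 0 && buf[7] == 0 && buf[8] == 0xAA;
}

int main(void) { return demo_padded_tail_is_zero() ? 0 : 1; }
```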