[PATCH v2 11/12] HID: hid-core: sanitize user input in 'new_id_store'

Next message: Vladimir Oltean: "[PATCH v5 phy-next 07/16] phy: lynx-28g: provide default lynx_lane_supports_mode() implementation"
Previous message: Nguyen Minh Tien: "[PATCH 1/2] dt-bindings: iio: adc: Add TI ADS1220"
In reply to: Pawel Zalewski (The Capable Hub): "[PATCH v2 01/12] HID: hid-input: use named initializer for 'hid_battery_quirks[]'"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pawel Zalewski (The Capable Hub)

Date: Wed Jun 10 2026 - 11:26:12 EST

Only accept 'driver_data' values that match an existing 'id_table'
entry within the driver. This makes the field mandatory if the
'id_table' is defined in the HID module and disallows overriding
pre-defined values within the driver module with arbitrary entries
from the command line.

Signed-off-by: Pawel Zalewski (The Capable Hub) <pzalewski@xxxxxxxxxxxxxxxxxxxx>
---
drivers/hid/hid-core.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 41a79e43c82b..e060e5ec4ea6 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2647,6 +2647,8 @@ static ssize_t new_id_store(struct device_driver *drv, const char *buf,
size_t count)
{
struct hid_driver *hdrv = to_hid_driver(drv);
+ const struct hid_device_id *ids = hdrv->id_table;
+
struct hid_dynid *dynid;
__u32 bus, vendor, product;
unsigned long driver_data = 0;
@@ -2657,6 +2659,22 @@ static ssize_t new_id_store(struct device_driver *drv, const char *buf,
if (ret < 3)
return -EINVAL;

+ /* Only accept driver_data values that match an
+ * existing id_table entry
+ */
+ if (ids) {
+ ret = -EINVAL;
+ while (ids->bus) {
+ if (driver_data == ids->driver_data) {
+ ret = 0;
+ break;
+ }
+ ids++;
+ }
+ if (ret) /* No match */
+ return ret;
+ }
+
dynid = kzalloc_obj(*dynid);
if (!dynid)
return -ENOMEM;

--
2.43.0