Re: [PATCH] HID: logitech-dj: Fix maxfield check in DJ short report validation

From: Jiri Kosina

Date: Mon Jun 29 2026 - 05:42:54 EST


On Thu, 18 Jun 2026, HyeongJun An wrote:

> Commit b6a57912854e ("HID: logitech-dj: Prevent REPORT_ID_DJ_SHORT
> related user initiated OOB write") added validation for the DJ short
> output report, but the error path dereferences rep->field[0] even when
> rep->maxfield is zero.
>
> Commit 8b9a097eb2fc ("HID: logitech-dj: fix wrong detection of bad
> DJ_SHORT output report") made the check conditional on rep being present,
> but a crafted descriptor can still create report ID 0x20 with only padding
> output items. hid-core registers the report, ignores the padding field,
> and leaves rep->maxfield as zero.
>
> In that case the validation enters the rep->maxfield < 1 branch and then
> dereferences rep->field[0]->report_count while printing the error message,
> causing a NULL pointer dereference during probe. This is reproducible with
> uhid by emulating a Logitech receiver with a padding-only DJ short output
> report:
>
> BUG: KASAN: null-ptr-deref in logi_dj_probe+0xb1/0x754 [hid_logitech_dj]
> Read of size 4 at addr 0000000000000028 by task kworker/4:1/129
> ...
> Call Trace:
> logi_dj_probe+0xb1/0x754 [hid_logitech_dj]
> hid_device_probe+0x329/0x3f0 [hid]
> really_probe+0x162/0x570
> __device_attach+0x137/0x2c0
> bus_probe_device+0x38/0xc0
> device_add+0xa56/0xce0
> hid_add_device+0x19c/0x280 [hid]
> uhid_device_add_worker+0x2c/0xb0 [uhid]
>
> Reject the zero-field report before printing the field report_count.
>
> Fixes: b6a57912854e ("HID: logitech-dj: Prevent REPORT_ID_DJ_SHORT related user initiated OOB write")
> Cc: stable@xxxxxxxxxxxxxxx
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: HyeongJun An <sammiee5311@xxxxxxxxx>

Applied, thanks.

--
Jiri Kosina
SUSE Labs
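
The check ordering described in the quoted commit message, as an added example that is not part of the original mail or the kernel patch: a userspace C model of the validation in which field[0] is read only after maxfield proves it exists. The struct names, model_* functions, error strings and the expected count of 14 are assumptions made for this model.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for the kernel's report/field structures; only the
 * members named in the commit message are modeled. */
struct model_field  { unsigned report_count; };
struct model_report { unsigned maxfield; struct model_field *field[1]; };

#define MODEL_EXPECTED_COUNT 14u        /* constructed value for this model */

static char model_msg[64];              /* last error text, empty when accepted */

/* Returns 0 if the report is acceptable, -1 if probe must reject it. */
int model_validate_short(const struct model_report *rep)
{
    model_msg[0] = '\0';
    if (!rep)                           /* report ID not declared: nothing to check */
        return 0;
    if (rep->maxfield < 1) {            /* padding-only report: field[0] is NULL */
        snprintf(model_msg, sizeof model_msg, "DJ short report has no fields");
        return -1;
    }
    /* field[0] is known to exist here, so printing its count is safe. */
    if (rep->field[0]->report_count != MODEL_EXPECTED_COUNT) {
        snprintf(model_msg, sizeof model_msg, "expected count %u, got %u",
                 MODEL_EXPECTED_COUNT, rep->field[0]->report_count);
        return -1;
    }
    return 0;
}

/* Builds a constructed report with 0 or 1 fields and validates it. */
int model_probe(unsigned maxfield, unsigned count)
{
    struct model_field f = { count };
    struct model_report rep = { maxfield, { maxfield ? &f : NULL } };
    return model_validate_short(&rep);
}

int main(void)
{
    printf("padding-only: %d (%s)\n", model_probe(0, 0), model_msg);
    printf("well-formed:  %d\n", model_probe(1, MODEL_EXPECTED_COUNT));
    printf("wrong count:  %d (%s)\n", model_probe(1, 3), model_msg);
    return 0;
}
```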