New version (unchanged for patches 1-3), with a test added so we can detect this.
Followup of https://lore.kernel.org/linux-input/c75433e0-9b47-4072-bbe8-b1d14ea97b13@row...
This initial series attempt at fixing the various bugs discovered by Alan regarding __hid_request().
Syzbot managed to create a report descriptor which presents a feature request of size 0 (still trying to extract it) and this exposed the fact that __hid_request() was incorrectly handling the case when the report ID is not used.
Send a first batch of fixes now so we get the feedback from syzbot ASAP.
Note: in the series, I also mentioned that the report of size 0 should be stripped out of the HID device, but I'm not entirely sure this would be a good idea in the end.
Signed-off-by: Benjamin Tissoires bentiss@kernel.org --- Changes in v2: - added Tested-by from syzbot (https://lore.kernel.org/r/686e9113.050a0220.385921.0008.GAE@google.com) - added a python test for it - Link to v1: https://lore.kernel.org/r/20250709-report-size-null-v1-0-194912215cbc@kernel...
--- Benjamin Tissoires (4): HID: core: ensure the allocated report buffer can contain the reserved report ID HID: core: ensure __hid_request reserves the report ID as the first byte HID: core: do not bypass hid_hw_raw_request selftests/hid: add a test case for the recent syzbot underflow
drivers/hid/hid-core.c | 19 +++++-- tools/testing/selftests/hid/tests/test_mouse.py | 70 +++++++++++++++++++++++++ 2 files changed, 84 insertions(+), 5 deletions(-) --- base-commit: 1f988d0788f50d8464f957e793fab356e2937369 change-id: 20250709-report-size-null-37619ea20288
Best regards,