<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/git/next/linux-next.git/drivers/hid, branch stable</title>
<subtitle>The linux-next integration testing tree</subtitle>
<id>https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/atom?h=stable</id>
<link rel='self' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/atom?h=stable'/>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/'/>
<updated>2026-07-08T15:43:44+00:00</updated>
<entry>
<title>Merge tag 'hid-for-linus-2026070801' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid</title>
<updated>2026-07-08T15:43:44+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-08T15:43:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=6bad2e38fe7f2da7dc982b2b80814e632832e568'/>
<id>urn:sha1:6bad2e38fe7f2da7dc982b2b80814e632832e568</id>
<content type='text'>
Pull HID fixes from Jiri Kosina:

 - OOB, UAF, NULL-deref fixes in core and picolcd, logitech, letsketch,
   appleir and multitouch drivers (Georgiy Osokin, HyeongJun An, Lee
   Jones, Manish Khadka, Maoyi Xie and Trung Nguyen)

 - fix for integer wraparound (and corresponding regression selftest) in
   hid-bpf (Yiyang Chen)

* tag 'hid-for-linus-2026070801' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
  selftests/hid: multitouch: test a large ContactCountMaximum
  HID: multitouch: fix out-of-bounds bit access on mt_io_flags
  selftests/hid: Cover hid_bpf_get_data() size overflow
  selftests/hid: Load only requested struct_ops maps
  HID: bpf: Fix hid_bpf_get_data() range check
  HID: lg-g15: cancel pending work on remove to fix a use-after-free
  HID: logitech-dj: Fix maxfield check in DJ short report validation
  HID: core: Fix OOB read in hid_get_report for numbered reports
  HID: picolcd: prevent NULL pointer dereference in picolcd_send_and_wait()
  HID: appleir: fix UAF on pending key_up_timer in remove()
  HID: letsketch: fix UAF on inrange_timer at driver unbind
</content>
</entry>
<entry>
<title>Replace &lt;linux/mod_devicetable.h&gt; by more specific &lt;linux/device-id/*.h&gt; (c files)</title>
<updated>2026-07-03T05:38:17+00:00</updated>
<author>
<name>Uwe Kleine-König (The Capable Hub)</name>
<email>u.kleine-koenig@baylibre.com</email>
</author>
<published>2026-06-30T09:24:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=995832b2cebe6969d1b42635db698803ee31294d'/>
<id>urn:sha1:995832b2cebe6969d1b42635db698803ee31294d</id>
<content type='text'>
Replace the #include of &lt;linux/mod_devicetable.h&gt; by the more specific
&lt;linux/device-id/*.h&gt; where applicable. For most cases the include
can be dropped completely, only a few drivers need one or two headers
added.

Acked-by: Danilo Krummrich &lt;dakr@kernel.org&gt;
Acked-by: Takashi Sakamoto &lt;o-takashi@sakamocchi.jp&gt;
Acked-by: Bjorn Helgaas &lt;bhelgaas@google.com&gt;
Link: https://patch.msgid.link/1a3f2007c5c5dcf555c09a4035ce3ae8ef1b6c49.1782808461.git.u.kleine-koenig@baylibre.com
Signed-off-by: Uwe Kleine-König (The Capable Hub) &lt;u.kleine-koenig@baylibre.com&gt;
</content>
</entry>
<entry>
<title>Replace &lt;linux/mod_devicetable.h&gt; by more specific &lt;linux/device-id/*.h&gt; (headers)</title>
<updated>2026-07-03T05:38:16+00:00</updated>
<author>
<name>Uwe Kleine-König (The Capable Hub)</name>
<email>u.kleine-koenig@baylibre.com</email>
</author>
<published>2026-06-30T09:24:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=ecca1d63c1eadbbb38ceab82de0f7adfbc2b465d'/>
<id>urn:sha1:ecca1d63c1eadbbb38ceab82de0f7adfbc2b465d</id>
<content type='text'>
&lt;linux/mod_devicetable.h&gt; is included in a many files:

	$ git grep '&lt;linux/mod_devicetable.h&gt;' ef0c9f75a195 | wc -l
	1598

; some of them are widely used headers. To stop mixing up different and
unrelated driver( type)s let the subsystem headers only use the subset
of the recently split &lt;linux/mod_devicetable.h&gt; that are relevant for
them.

The fallout (I hope) is addressed in the previous commits that handle
sources relying on e.g. &lt;linux/i2c.h&gt; pulling in the full legacy header
and thus providing pci_device_id.

Acked-by: Danilo Krummrich &lt;dakr@kernel.org&gt;
Acked-by: Takashi Sakamoto &lt;o-takashi@sakamocchi.jp&gt;
Link: https://patch.msgid.link/199fe46b624ba07fb9bd3e0cd6ff13757932cb5f.1782808461.git.u.kleine-koenig@baylibre.com
Signed-off-by: Uwe Kleine-König (The Capable Hub) &lt;u.kleine-koenig@baylibre.com&gt;
</content>
</entry>
<entry>
<title>HID: multitouch: fix out-of-bounds bit access on mt_io_flags</title>
<updated>2026-07-01T18:36:12+00:00</updated>
<author>
<name>Trung Nguyen</name>
<email>trungnh@cystack.net</email>
</author>
<published>2026-07-01T17:13:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=8813b0612275cc61fe9e6603d0ee019247ade6be'/>
<id>urn:sha1:8813b0612275cc61fe9e6603d0ee019247ade6be</id>
<content type='text'>
mt_io_flags is a single unsigned long, but mt_process_slot(),
mt_release_pending_palms() and mt_release_contacts() use it as a
per-slot bitmap indexed by the slot number. That slot number is only
bounded by td-&gt;maxcontacts, which is taken from the device's
ContactCountMaximum feature report and can be up to 255, not by
BITS_PER_LONG.

As a result, a multitouch device that advertises a large contact count
makes set_bit()/clear_bit() operate past the mt_io_flags word and
corrupt the adjacent members of struct mt_device. The sticky-fingers
release timer is the easiest way to reach this. mt_release_contacts()
runs

	for (i = 0; i &lt; mt-&gt;num_slots; i++)
		clear_bit(i, &amp;td-&gt;mt_io_flags);

with num_slots == maxcontacts. For maxcontacts around 250 the loop
clears the bits that overlap td-&gt;applications.next, zeroing that list
head, and the list_for_each_entry() that immediately follows then
dereferences NULL. The kernel panics from timer (softirq) context. On a
KASAN build this shows up as a general protection fault in
mt_release_contacts() with a null-ptr-deref at offset 0x58, which is
offsetof(struct mt_application, num_received).

The state is reachable from an untrusted USB or Bluetooth HID
multitouch device; no local privileges are required.

Store the per-slot active state in a separately allocated bitmap sized
for maxcontacts, the same pattern already used for pending_palm_slots,
and keep only MT_IO_FLAGS_RUNNING in mt_io_flags. The two
"mt_io_flags &amp; MT_IO_SLOTS_MASK" arming checks become
bitmap_empty(td-&gt;active_slots, td-&gt;maxcontacts).

Move MT_IO_FLAGS_RUNNING back to bit 0. It was bumped to bit 32 by the
same commit to leave the low byte for the slot bits; with the slot bits
gone it fits in bit 0 again, which also keeps it within the unsigned
long on 32-bit.

Fixes: 46f781e0d151 ("HID: multitouch: fix sticky fingers")
Cc: stable@vger.kernel.org
Signed-off-by: Trung Nguyen &lt;trungnh@cystack.net&gt;
Signed-off-by: Benjamin Tissoires &lt;bentiss@kernel.org&gt;
</content>
</entry>
<entry>
<title>HID: bpf: Fix hid_bpf_get_data() range check</title>
<updated>2026-07-01T07:55:35+00:00</updated>
<author>
<name>Yiyang Chen</name>
<email>chenyy23@mails.tsinghua.edu.cn</email>
</author>
<published>2026-06-23T06:23:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=2d044049421dd48212b28646a850749d4a2d57fa'/>
<id>urn:sha1:2d044049421dd48212b28646a850749d4a2d57fa</id>
<content type='text'>
hid_bpf_get_data() returns a pointer into the HID-BPF context data when
the caller-provided offset and size fit inside ctx-&gt;allocated_size.

The current check adds rdwr_buf_size and offset before comparing the
result against ctx-&gt;allocated_size. Since both values are unsigned, a
very large size can wrap the sum below ctx-&gt;allocated_size and make the
helper return a pointer even though the requested range is not contained
in the backing buffer.

Use check_add_overflow() to reject wrapped range ends before comparing
the requested range end against ctx-&gt;allocated_size.

Fixes: 658ee5a64fcf ("HID: bpf: allocate data memory for device_event BPF programs")
Signed-off-by: Yiyang Chen &lt;chenyy23@mails.tsinghua.edu.cn&gt;
Signed-off-by: Benjamin Tissoires &lt;bentiss@kernel.org&gt;
</content>
</entry>
<entry>
<title>HID: lg-g15: cancel pending work on remove to fix a use-after-free</title>
<updated>2026-06-29T09:18:44+00:00</updated>
<author>
<name>Maoyi Xie</name>
<email>maoyixie.tju@gmail.com</email>
</author>
<published>2026-06-18T07:06:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=7705b4140d188ce22656f6e541ae7ef834c7e11a'/>
<id>urn:sha1:7705b4140d188ce22656f6e541ae7ef834c7e11a</id>
<content type='text'>
lg_g15_data is allocated with devm and holds a work item. The report
handlers schedule that work straight from device input.
lg_g15_event() and lg_g15_v2_event() do it on the backlight cycle key,
and lg_g510_leds_event() does it too. The worker dereferences the
lg_g15_data back through container_of.

The driver had no remove callback and never cancelled the work. So if a
report scheduled the work and the keyboard was then unplugged, devres
freed lg_g15_data while the work was still pending or running, and the
worker touched freed memory. This is a use-after-free. It is reachable
as a race on device unplug.

Add a remove callback that cancels the work before devres frees the
state. g15-&gt;work is only initialized for the models that schedule it
(G15, G15 v2, G510). The G13 and Z-10 leave it zeroed, so guard the
cancel on g15-&gt;work.func to avoid cancelling a work that was never set
up. The g15 NULL test mirrors the one already in lg_g15_raw_event().

Fixes: 97b741aba918 ("HID: lg-g15: Add keyboard and LCD backlight control")
Cc: stable@vger.kernel.org
Suggested-by: Hans de Goede &lt;hansg@kernel.org&gt;
Signed-off-by: Maoyi Xie &lt;maoyixie.tju@gmail.com&gt;
Reviewed-by: Hans de Goede &lt;johannes.goede@oss.qualcomm.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.com&gt;
</content>
</entry>
<entry>
<title>HID: logitech-dj: Fix maxfield check in DJ short report validation</title>
<updated>2026-06-29T09:18:07+00:00</updated>
<author>
<name>HyeongJun An</name>
<email>sammiee5311@gmail.com</email>
</author>
<published>2026-06-18T06:37:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=590cc4d782487632a52f37c2171bee1eeea29627'/>
<id>urn:sha1:590cc4d782487632a52f37c2171bee1eeea29627</id>
<content type='text'>
Commit b6a57912854e ("HID: logitech-dj: Prevent REPORT_ID_DJ_SHORT
related user initiated OOB write") added validation for the DJ short
output report, but the error path dereferences rep-&gt;field[0] even when
rep-&gt;maxfield is zero.

Commit 8b9a097eb2fc ("HID: logitech-dj: fix wrong detection of bad
DJ_SHORT output report") made the check conditional on rep being present,
but a crafted descriptor can still create report ID 0x20 with only padding
output items. hid-core registers the report, ignores the padding field,
and leaves rep-&gt;maxfield as zero.

In that case the validation enters the rep-&gt;maxfield &lt; 1 branch and then
dereferences rep-&gt;field[0]-&gt;report_count while printing the error message,
causing a NULL pointer dereference during probe. This is reproducible with
uhid by emulating a Logitech receiver with a padding-only DJ short output
report:

  BUG: KASAN: null-ptr-deref in logi_dj_probe+0xb1/0x754 [hid_logitech_dj]
  Read of size 4 at addr 0000000000000028 by task kworker/4:1/129
  ...
  Call Trace:
   logi_dj_probe+0xb1/0x754 [hid_logitech_dj]
   hid_device_probe+0x329/0x3f0 [hid]
   really_probe+0x162/0x570
   __device_attach+0x137/0x2c0
   bus_probe_device+0x38/0xc0
   device_add+0xa56/0xce0
   hid_add_device+0x19c/0x280 [hid]
   uhid_device_add_worker+0x2c/0xb0 [uhid]

Reject the zero-field report before printing the field report_count.

Fixes: b6a57912854e ("HID: logitech-dj: Prevent REPORT_ID_DJ_SHORT related user initiated OOB write")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: HyeongJun An &lt;sammiee5311@gmail.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.com&gt;
</content>
</entry>
<entry>
<title>HID: core: Fix OOB read in hid_get_report for numbered reports</title>
<updated>2026-06-29T09:10:23+00:00</updated>
<author>
<name>Lee Jones</name>
<email>lee@kernel.org</email>
</author>
<published>2026-06-16T11:26:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=af1a9b65ebe8a948eda805c14b78d4d0767cb1b5'/>
<id>urn:sha1:af1a9b65ebe8a948eda805c14b78d4d0767cb1b5</id>
<content type='text'>
When a caller passes a size of 0 to hid_report_raw_event() for a
numbered report, the function originally called hid_get_report() before
performing any size validation.

Inside hid_get_report(), if the report is numbered (report_enum-&gt;numbered
is true), it unconditionally dereferences data[0] to extract the report ID.
With a size of 0, this results in an out-of-bounds read or kernel panic.

Fix this by moving the numbered report size validation check before the
call to hid_get_report(), ensuring that size is at least 1 before
dereferencing the data pointer.

Fixes: 2c85c61d1332 ("HID: pass the buffer size to hid_report_raw_event")
Signed-off-by: Lee Jones &lt;lee@kernel.org&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.com&gt;
</content>
</entry>
<entry>
<title>HID: picolcd: prevent NULL pointer dereference in picolcd_send_and_wait()</title>
<updated>2026-06-29T08:46:13+00:00</updated>
<author>
<name>Georgiy Osokin</name>
<email>g.osokin@auroraos.dev</email>
</author>
<published>2026-05-17T12:06:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=0021eb09041f021c079be1022934a280f7f176c0'/>
<id>urn:sha1:0021eb09041f021c079be1022934a280f7f176c0</id>
<content type='text'>
In picolcd_send_and_wait(), an integer overflow of the signed loop counter
'k' can theoretically lead to a NULL pointer dereference of 'raw_data'.
If the loop executes more than INT_MAX times, 'k' becomes negative,
making the condition 'k &lt; size' true even when 'size' is 0.

Change the type of 'k' to 'unsigned int' to prevent the overflow and
eliminate the out-of-bounds access.

Found by Linux Verification Center (linuxtesting.org) with the Svace static
analysis tool.

[jkosina@suse.com: extended hash length]
Fixes: fabdbf2fd22fa17 ("HID: picoLCD: split driver code")
Signed-off-by: Georgiy Osokin &lt;g.osokin@auroraos.dev&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.com&gt;
</content>
</entry>
<entry>
<title>HID: appleir: fix UAF on pending key_up_timer in remove()</title>
<updated>2026-06-29T08:44:12+00:00</updated>
<author>
<name>Manish Khadka</name>
<email>maskmemanish@gmail.com</email>
</author>
<published>2026-05-15T17:32:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=75fe87e19d8aff81eb2c64d15d244ab8da4de945'/>
<id>urn:sha1:75fe87e19d8aff81eb2c64d15d244ab8da4de945</id>
<content type='text'>
appleir_remove() runs hid_hw_stop() before timer_delete_sync().
hid_hw_stop() synchronously unregisters the HID input device via
hid_disconnect() -&gt; hidinput_disconnect() -&gt; input_unregister_device(),
which drops the last reference and frees the underlying input_dev when
no userspace handle holds it open.

key_up_tick() reads appleir-&gt;input_dev and calls input_report_key() /
input_sync() on it.  The timer is armed from appleir_raw_event() with
a HZ/8 (~125 ms) timeout on every keydown and key-repeat report.  If a
key was pressed shortly before the device is disconnected, the timer
can fire after hid_hw_stop() has freed input_dev but before the
teardown drains it.

A simple reorder is not sufficient.  Putting the timer drain first
still leaves a window where a USB URB completion (raw_event) running
during hid_hw_stop() can call mod_timer() and re-arm the timer, which
then fires after hidinput_disconnect() has freed input_dev.  The same
URB-completion window also lets raw_event() reach key_up(), key_down()
and battery_flat() directly, all of which dereference
appleir-&gt;input_dev.

Introduce a 'removing' flag on struct appleir, gated by the existing
spinlock.  appleir_remove() sets the flag under the lock and then
shuts down the timer with timer_shutdown_sync(), which both drains any
in-flight callback and permanently disables further mod_timer() calls.
appleir_raw_event() and key_up_tick() bail out early if the flag is
set, so no path can arm or run the timer, or dereference
appleir-&gt;input_dev, after remove() has started tearing down.

The keyrepeat and flatbattery branches of appleir_raw_event()
previously called into the input layer without holding the spinlock;
take it now so the flag check is well-defined.  This incidentally
closes a pre-existing read-side race on appleir-&gt;current_key in the
keyrepeat branch.

This bug is structurally a sibling of commit 4db2af929279 ("HID:
appletb-kbd: fix UAF in inactivity-timer cleanup path") and has been
present since the driver was introduced.

Fixes: 9a4a5574ce42 ("HID: appleir: add support for Apple ir devices")
Cc: stable@vger.kernel.org
Signed-off-by: Manish Khadka &lt;maskmemanish@gmail.com&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.com&gt;
</content>
</entry>
</feed>
