From: Benjamin Tissoires <bentiss@kernel.org> mainline inclusion from mainline-v6.16-rc7 commit c2ca42f190b6714d6c481dfd3d9b62ea091c946b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICPD1S CVE: CVE-2025-38494 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- hid_hw_raw_request() is actually useful to ensure the provided buffer and length are valid. Directly calling in the low level transport driver function bypassed those checks and allowed invalid paramto be used. Reported-by: Alan Stern <stern@rowland.harvard.edu> Closes: https://lore.kernel.org/linux-input/c75433e0-9b47-4072-bbe8-b1d14ea97b13@row... Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20250710-report-size-null-v2-3-ccf922b7c4e5@kernel.... Signed-off-by: Benjamin Tissoires <bentiss@kernel.org> Conflicts: drivers/hid/hid-core.c [The conflicts are contextual conflicts caused by the absence of the commit: 0d0777ccaa2d ("HID: core: ensure __hid_request reserves the report ID as the first byte").] Signed-off-by: Zhao Yipeng <zhaoyipeng5@huawei.com> --- drivers/hid/hid-core.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index 7dd30deceda4..c0446ee3d4a0 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1536,8 +1536,7 @@ void __hid_request(struct hid_device *hid, struct hid_report *report, if (reqtype == HID_REQ_SET_REPORT) hid_output_report(report, buf); - ret = hid->ll_driver->raw_request(hid, report->id, buf, len, - report->type, reqtype); + ret = hid_hw_raw_request(hid, report->id, buf, len, report->type, reqtype); if (ret < 0) { dbg_hid("unable to complete request: %d\n", ret); goto out; -- 2.34.1