[PATCH v2 1/2] HID: logitech-dj: Standardise hid_report_enum variable nomenclature

[PATCH v2 1/2] HID: logitech-dj: Standardise hid_report_enum variable nomenclature

[Lee Jones]

Since we will need to differentiate between the two report_enum types
soon, let's unify the naming conventions now to save confusion and/or
unnecessary/unrelated changes in upcoming commits.

{input,output}_report_enum is used in other places to let's conform.

Signed-off-by: Lee Jones <lee@kernel.org>
---
v1 => v2: New patch

 drivers/hid/hid-logitech-dj.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
index 44b716697510..32139b2561c0 100644
--- a/drivers/hid/hid-logitech-dj.c
+++ b/drivers/hid/hid-logitech-dj.c
@@ -1858,7 +1858,7 @@ static int logi_dj_raw_event(struct hid_device *hdev,
 static int logi_dj_probe(struct hid_device *hdev,
 			 const struct hid_device_id *id)
 {
-	struct hid_report_enum *rep_enum;
+	struct hid_report_enum *input_report_enum;
 	struct hid_report *rep;
 	struct dj_receiver_dev *djrcv_dev;
 	struct usb_interface *intf;
@@ -1903,10 +1903,10 @@ static int logi_dj_probe(struct hid_device *hdev,
 		}
 	}
 
-	rep_enum = &hdev->report_enum[HID_INPUT_REPORT];
+	input_report_enum = &hdev->report_enum[HID_INPUT_REPORT];
 
 	/* no input reports, bail out */
-	if (list_empty(&rep_enum->report_list))
+	if (list_empty(&input_report_enum->report_list))
 		return -ENODEV;
 
 	/*
@@ -1914,7 +1914,7 @@ static int logi_dj_probe(struct hid_device *hdev,
 	 * Note: we should theoretically check for HID++ and DJ
 	 * collections, but this will do.
 	 */
-	list_for_each_entry(rep, &rep_enum->report_list, list) {
+	list_for_each_entry(rep, &input_report_enum->report_list, list) {
 		if (rep->application == 0xff000001)
 			has_hidpp = true;
 	}
@@ -1927,7 +1927,7 @@ static int logi_dj_probe(struct hid_device *hdev,
 		return -ENODEV;
 
 	/* get the current application attached to the node */
-	rep = list_first_entry(&rep_enum->report_list, struct hid_report, list);
+	rep = list_first_entry(&input_report_enum->report_list, struct hid_report, list);
 	djrcv_dev = dj_get_receiver_dev(hdev, id->driver_data,
 					rep->application, has_hidpp);
 	if (!djrcv_dev) {
@@ -1935,7 +1935,7 @@ static int logi_dj_probe(struct hid_device *hdev,
 		return -ENOMEM;
 	}
 
-	if (!rep_enum->numbered)
+	if (!input_report_enum->numbered)
 		djrcv_dev->unnumbered_application = rep->application;
 
 	/* Starts the usb device and connects to upper interfaces hiddev and
-- 
2.53.0.983.g0bb29b3bc5-goog

[PATCH v2 2/2] HID: logitech-dj: Prevent REPORT_ID_DJ_SHORT related user initiated OOB write

[Lee Jones]

logi_dj_recv_send_report() assumes that all incoming REPORT_ID_DJ_SHORT
reports are 14 Bytes (DJREPORT_SHORT_LENGTH - 1) long.  It uses that
assumption to load the associated field's 'value' array with 14 Bytes of
data.  However, if a malicious user only sends say 1 Byte of data,
'report_count' will be 1 and only 1 Byte of memory will be allocated to
the 'value' Byte array.  When we come to populate 'value[1-13]' we will
experience an OOB write.

Signed-off-by: Lee Jones <lee@kernel.org>
---
v1 => v2: Move handling to .probe()

 drivers/hid/hid-logitech-dj.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
index 32139b2561c0..a8082199d13d 100644
--- a/drivers/hid/hid-logitech-dj.c
+++ b/drivers/hid/hid-logitech-dj.c
@@ -1859,6 +1859,7 @@ static int logi_dj_probe(struct hid_device *hdev,
 			 const struct hid_device_id *id)
 {
 	struct hid_report_enum *input_report_enum;
+	struct hid_report_enum *output_report_enum;
 	struct hid_report *rep;
 	struct dj_receiver_dev *djrcv_dev;
 	struct usb_interface *intf;
@@ -1903,6 +1904,15 @@ static int logi_dj_probe(struct hid_device *hdev,
 		}
 	}
 
+	output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT];
+	rep = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT];
+
+	if (rep->maxfield < 1 || rep->field[0]->report_count != DJREPORT_SHORT_LENGTH - 1) {
+		hid_err(hdev, "Expected size of DJ short report is %d, but got %d",
+			DJREPORT_SHORT_LENGTH - 1, rep->field[0]->report_count);
+		return -EINVAL;
+	}
+
 	input_report_enum = &hdev->report_enum[HID_INPUT_REPORT];
 
 	/* no input reports, bail out */
-- 
2.53.0.983.g0bb29b3bc5-goog

Re: [PATCH v2 1/2] HID: logitech-dj: Standardise hid_report_enum variable nomenclature

[Lee Jones]

On Tue, 24 Mar 2026, Lee Jones wrote:

> Since we will need to differentiate between the two report_enum types
> soon, let's unify the naming conventions now to save confusion and/or
> unnecessary/unrelated changes in upcoming commits.
> 
> {input,output}_report_enum is used in other places to let's conform.
> 
> Signed-off-by: Lee Jones <lee@kernel.org>
> ---
> v1 => v2: New patch
> 
>  drivers/hid/hid-logitech-dj.c | 12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)

During a previous submission you indicated that you preferred pings over
[RESEND]s - so this is it.

This submission was posted 2 weeks ago.  Could someone take a look please?

> diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
> index 44b716697510..32139b2561c0 100644
> --- a/drivers/hid/hid-logitech-dj.c
> +++ b/drivers/hid/hid-logitech-dj.c
> @@ -1858,7 +1858,7 @@ static int logi_dj_raw_event(struct hid_device *hdev,
>  static int logi_dj_probe(struct hid_device *hdev,
>  			 const struct hid_device_id *id)
>  {
> -	struct hid_report_enum *rep_enum;
> +	struct hid_report_enum *input_report_enum;
>  	struct hid_report *rep;
>  	struct dj_receiver_dev *djrcv_dev;
>  	struct usb_interface *intf;
> @@ -1903,10 +1903,10 @@ static int logi_dj_probe(struct hid_device *hdev,
>  		}
>  	}
>  
> -	rep_enum = &hdev->report_enum[HID_INPUT_REPORT];
> +	input_report_enum = &hdev->report_enum[HID_INPUT_REPORT];
>  
>  	/* no input reports, bail out */
> -	if (list_empty(&rep_enum->report_list))
> +	if (list_empty(&input_report_enum->report_list))
>  		return -ENODEV;
>  
>  	/*
> @@ -1914,7 +1914,7 @@ static int logi_dj_probe(struct hid_device *hdev,
>  	 * Note: we should theoretically check for HID++ and DJ
>  	 * collections, but this will do.
>  	 */
> -	list_for_each_entry(rep, &rep_enum->report_list, list) {
> +	list_for_each_entry(rep, &input_report_enum->report_list, list) {
>  		if (rep->application == 0xff000001)
>  			has_hidpp = true;
>  	}
> @@ -1927,7 +1927,7 @@ static int logi_dj_probe(struct hid_device *hdev,
>  		return -ENODEV;
>  
>  	/* get the current application attached to the node */
> -	rep = list_first_entry(&rep_enum->report_list, struct hid_report, list);
> +	rep = list_first_entry(&input_report_enum->report_list, struct hid_report, list);
>  	djrcv_dev = dj_get_receiver_dev(hdev, id->driver_data,
>  					rep->application, has_hidpp);
>  	if (!djrcv_dev) {
> @@ -1935,7 +1935,7 @@ static int logi_dj_probe(struct hid_device *hdev,
>  		return -ENOMEM;
>  	}
>  
> -	if (!rep_enum->numbered)
> +	if (!input_report_enum->numbered)
>  		djrcv_dev->unnumbered_application = rep->application;
>  
>  	/* Starts the usb device and connects to upper interfaces hiddev and
> -- 
> 2.53.0.983.g0bb29b3bc5-goog
> 

-- 
Lee Jones [李琼斯]