From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8E11D2D4B68; Wed, 4 Feb 2026 15:05:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770217509; cv=none; b=L7eDZXGtN43z8EmYzbaksmtsxtE+vmsg8gwsJD64EVbq+lN+SUmbSk/jlGgyKkCIBXP+ypNjHX/5GDTf8Oci4oLnwgNctX4sVILHowTa1gks0GmJMr2st4J9GAS9i2Pn6ab37N2RL5soO52ZkOsiYYRoQgCqYma2vxEzzMBXKwE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770217509; c=relaxed/simple; bh=M4dCb/kzILVuuuLjZPiDzdYQq+86eVYpulxUvudIuLA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ePwee7dMBXL/Kw3AYy7p45d5E9DIGYC+/ETyUCVariP53zxD2IxAe0ful77WVbClaNsCAkLjv9G/3u840xNjXxectH22LndeC7qdhQBcnFrwz9QlpNm3VCmsUHgmKaPYKkIb7Rsh4iIBazSdvBBlYVMmKTPK2Wuj6rZ11FtOAaM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=EagK698F; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="EagK698F" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1C5ACC4CEF7; Wed, 4 Feb 2026 15:05:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1770217509; bh=M4dCb/kzILVuuuLjZPiDzdYQq+86eVYpulxUvudIuLA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=EagK698FPGzGHy0tu58bZMlb87SdQ969Pfxlysmo4bWOGSNmhyMqFyU1+vU3ODLjm 4sFvd/nrAcCnLNIhxbUH0wYer4XEdPz64Lg2yr9lJtl2Jr75KJsFIQkB20TDQU8ITz N4vZexWSWO79jtR10EWoMPqHoAXIhR7l5q3Spd10= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Benjamin Tissoires , Salvatore Bonaccorso Subject: [PATCH 6.1 036/280] HID: usbhid: paper over wrong bNumDescriptor field Date: Wed, 4 Feb 2026 15:36:50 +0100 Message-ID: <20260204143910.936899859@linuxfoundation.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260204143909.614719725@linuxfoundation.org> References: <20260204143909.614719725@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.1-stable review patch. If anyone has any objections, please let me know. ------------------ From: Benjamin Tissoires commit f28beb69c51517aec7067dfb2074e7c751542384 upstream. Some faulty devices (ZWO EFWmini) have a wrong optional HID class descriptor count compared to the provided length. Given that we plainly ignore those optional descriptor, we can attempt to fix the provided number so we do not lock out those devices. Signed-off-by: Benjamin Tissoires Cc: Salvatore Bonaccorso Signed-off-by: Greg Kroah-Hartman --- drivers/hid/usbhid/hid-core.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) --- a/drivers/hid/usbhid/hid-core.c +++ b/drivers/hid/usbhid/hid-core.c @@ -983,6 +983,7 @@ static int usbhid_parse(struct hid_devic struct usb_device *dev = interface_to_usbdev (intf); struct hid_descriptor *hdesc; struct hid_class_descriptor *hcdesc; + __u8 fixed_opt_descriptors_size; u32 quirks = 0; unsigned int rsize = 0; char *rdesc; @@ -1013,7 +1014,21 @@ static int usbhid_parse(struct hid_devic (hdesc->bNumDescriptors - 1) * sizeof(*hcdesc)) { dbg_hid("hid descriptor invalid, bLen=%hhu bNum=%hhu\n", hdesc->bLength, hdesc->bNumDescriptors); - return -EINVAL; + + /* + * Some devices may expose a wrong number of descriptors compared + * to the provided length. + * However, we ignore the optional hid class descriptors entirely + * so we can safely recompute the proper field. + */ + if (hdesc->bLength >= sizeof(*hdesc)) { + fixed_opt_descriptors_size = hdesc->bLength - sizeof(*hdesc); + + hid_warn(intf, "fixing wrong optional hid class descriptors count\n"); + hdesc->bNumDescriptors = fixed_opt_descriptors_size / sizeof(*hcdesc) + 1; + } else { + return -EINVAL; + } } hid->version = le16_to_cpu(hdesc->bcdHID);