This is a note to let you know that I've just added the patch titled HID: betop: fix slab-out-of-bounds Write in betop_probe to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: hid-betop-fix-slab-out-of-bounds-write-in-betop_probe.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 1e4ce418b1cb1a810256b5fb3fd33d22d1325993 Mon Sep 17 00:00:00 2001 From: "F.A.Sulaiman" <asha.16@xxxxxxxxxxxxxxx> Date: Tue, 24 Aug 2021 20:37:30 +0530 Subject: HID: betop: fix slab-out-of-bounds Write in betop_probe From: F.A.Sulaiman <asha.16@xxxxxxxxxxxxxxx> commit 1e4ce418b1cb1a810256b5fb3fd33d22d1325993 upstream. Syzbot reported slab-out-of-bounds Write bug in hid-betopff driver. The problem is the driver assumes the device must have an input report but some malicious devices violate this assumption. So this patch checks hid_device's input is non empty before it's been used. Reported-by: syzbot+07efed3bc5a1407bd742@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: F.A. SULAIMAN <asha.16@xxxxxxxxxxxxxxx> Reviewed-by: Pavel Skripkin <paskripkin@xxxxxxxxx> Signed-off-by: Jiri Kosina <jkosina@xxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/hid/hid-betopff.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) --- a/drivers/hid/hid-betopff.c +++ b/drivers/hid/hid-betopff.c @@ -59,15 +59,22 @@ static int betopff_init(struct hid_devic { struct betopff_device *betopff; struct hid_report *report; - struct hid_input *hidinput = - list_first_entry(&hid->inputs, struct hid_input, list); + struct hid_input *hidinput; struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; + struct input_dev *dev; int field_count = 0; int error; int i, j; + if (list_empty(&hid->inputs)) { + hid_err(hid, "no inputs found\n"); + return -ENODEV; + } + + hidinput = list_first_entry(&hid->inputs, struct hid_input, list); + dev = hidinput->input; + if (list_empty(report_list)) { hid_err(hid, "no output reports found\n"); return -ENODEV; Patches currently in stable-queue which might be from asha.16@xxxxxxxxxxxxxxx are queue-4.4/hid-betop-fix-slab-out-of-bounds-write-in-betop_probe.patch