Commit e716edafedad for kernel

commit e716edafedad4952fe3a4a273d2e039a84e8681a
Author: Lee Jones <lee@kernel.org>
Date:   Fri Feb 27 16:30:25 2026 +0000

    HID: multitouch: Check to ensure report responses match the request

    It is possible for a malicious (or clumsy) device to respond to a
    specific report's feature request using a completely different report
    ID.  This can cause confusion in the HID core resulting in nasty
    side-effects such as OOB writes.

    Add a check to ensure that the report ID in the response matches the
    one that was requested.  If it doesn't, omit reporting the raw event and
    return early.

    Signed-off-by: Lee Jones <lee@kernel.org>
    Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>

diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
index b8a748bbf0fd..e82a3c4e5b44 100644
--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -526,12 +526,19 @@ static void mt_get_feature(struct hid_device *hdev, struct hid_report *report)
 		dev_warn(&hdev->dev, "failed to fetch feature %d\n",
 			 report->id);
 	} else {
+		/* The report ID in the request and the response should match */
+		if (report->id != buf[0]) {
+			hid_err(hdev, "Returned feature report did not match the request\n");
+			goto free;
+		}
+
 		ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, buf,
 					   size, 0);
 		if (ret)
 			dev_warn(&hdev->dev, "failed to report feature\n");
 	}

+free:
 	kfree(buf);
 }
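Review bot: The new hid_err() in the mismatch branch does not say which IDs were involved, whereas the dev_warn() just above it prints report->id. Logging both the requested ID and buf[0], for example "Returned feature report %d did not match the request %d\n", would let a misbehaving device be identified from the log alone. The compare `report->id != buf[0]` also sits in the else branch, and nothing in the visible lines shows that a fetch which did not fail returned at least one byte. It is worth confirming that the condition above excludes a zero-length response, or checking the returned length before reading buf[0]. Minor style point: the surrounding messages in this function use dev_warn(&hdev->dev, ...) while the new one uses hid_err(hdev, ...), so picking one helper for the function would keep the log prefixes uniform.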