Re: [PATCH 1/1] HID: wacom: validate report size before kfifo insert

From: Dmitry Torokhov

Date: Wed May 27 2026 - 17:41:41 EST


On Wed, May 27, 2026 at 12:47:03PM -0700, Dmitry Torokhov wrote:
> On Sun, May 24, 2026 at 10:52:03PM +0900, Jinmo Yang wrote:
> > wacom_wac_queue_insert() passes the report size directly to kfifo_in()
> > without checking whether the report fits in the kfifo buffer.
> >
> > Since commit 5e013ad20689 ("HID: wacom: Remove static WACOM_PKGLEN_MAX
> > limit"), the kfifo is sized dynamically as min(PAGE_SIZE, 10 * pktlen),
> > which can be as small as 256 bytes. However, reports received via
> > UHID_INPUT2 can be up to UHID_DATA_MAX (4096) bytes. When such an
> > oversized report reaches wacom_wac_queue_insert(), the existing
> > kfifo_avail() loop cannot make room for a record larger than the total
> > buffer, causing kfifo_copy_in() to memcpy up to 3840 bytes past the
> > slab allocation.
>
> Does it? Or maybe spins there indefinitely? Also, doesn't
> kfifo_copy_in() return 0 if a record is too big and not copy anything?

OK, so the root cause is that kfifo_skip() must not be called on an
empty fifo. I think you want the code to look something like this:

static void wacom_wac_queue_insert(struct hid_device *hdev,
				   struct kfifo_rec_ptr_2 *fifo,
				   u8 *raw_data, int size)
{
	bool warned = false;

	while (kfifo_avail(fifo) < size && !kfifo_is_empty(fifo)) {
		if (!warned)
			hid_warn(hdev, "%s: kfifo has filled, starting to drop events\n", __func__);
		warned = true;

		kfifo_skip(fifo);
	}

	if (!kfifo_in(fifo, raw_data, size))
		hid_warn_ratelimited(hdev, "%s: report is too large (%d)\n",
				     __func__, size);
}

Thanks.

--
Dmitry
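The following is an added userspace model, not code from the thread, the wacom driver or the kernel's kfifo, that reproduces the shape of the two guards in the suggested wacom_wac_queue_insert(): keep evicting the oldest record only while the queue is non-empty, and let the insert itself reject a record that cannot fit even into an empty buffer. The 256-byte capacity, the 2-byte length header, the 30-byte reports and the 4096-byte oversized report are constructed for the demonstration (the sizes mirror the numbers quoted in the bug report, but the queue layout is invented and is not kfifo's):

```c
/* Minimal record queue modelled on the guards in the suggested
 * wacom_wac_queue_insert(); this is a stand-alone example, not kfifo. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RECQ_CAP 256            /* assumed: the small end of min(PAGE_SIZE, 10 * pktlen) */

struct recq {
	uint8_t buf[RECQ_CAP];
	size_t head;            /* read position of the oldest record */
	size_t used;            /* bytes occupied: 2-byte header + payload per record */
	unsigned dropped;       /* records evicted to make room */
};

static size_t recq_avail(const struct recq *q) { return RECQ_CAP - q->used; }
static bool recq_is_empty(const struct recq *q) { return q->used == 0; }

static void recq_write(struct recq *q, const uint8_t *src, size_t n)
{
	size_t tail = (q->head + q->used) % RECQ_CAP;
	for (size_t i = 0; i < n; i++)
		q->buf[(tail + i) % RECQ_CAP] = src[i];
	q->used += n;
}

/* Drop the oldest record. Like kfifo_skip(), the caller must ensure the
 * queue is non-empty; on an empty queue the header bytes are garbage. */
static void recq_skip(struct recq *q)
{
	size_t len = q->buf[q->head] | (q->buf[(q->head + 1) % RECQ_CAP] << 8);
	q->head = (q->head + 2 + len) % RECQ_CAP;
	q->used -= 2 + len;
	q->dropped++;
}

/* Returns the payload bytes queued, or 0 when header + payload do not fit. */
static size_t recq_in(struct recq *q, const uint8_t *data, size_t len)
{
	if (len > UINT16_MAX || 2 + len > recq_avail(q))
		return 0;
	uint8_t hdr[2] = { len & 0xff, (len >> 8) & 0xff };
	recq_write(q, hdr, 2);
	recq_write(q, data, len);
	return len;
}

/* The insert routine with the two guards from the suggested code. */
static bool queue_insert(struct recq *q, const uint8_t *raw, size_t size)
{
	bool warned = false;

	/* Evict while the record does not fit, but never skip on an empty queue. */
	while (recq_avail(q) < 2 + size && !recq_is_empty(q)) {
		if (!warned)
			fprintf(stderr, "queue has filled, starting to drop records\n");
		warned = true;
		recq_skip(q);
	}

	/* A record larger than the whole buffer is refused here, not copied. */
	if (!recq_in(q, raw, size)) {
		fprintf(stderr, "report is too large (%zu)\n", size);
		return false;
	}
	return true;
}

struct scenario_result { unsigned accepted; unsigned dropped; bool big_ok; size_t used_after; };

/* Constructed scenario: 20 reports of 30 bytes into a 256-byte buffer
 * (8 fit, the rest each evict one), then one 4096-byte report. */
struct scenario_result run_scenario(void)
{
	struct recq q = { 0 };
	struct scenario_result r = { 0 };
	uint8_t report[30], big[4096];

	memset(report, 0xab, sizeof report);
	memset(big, 0xcd, sizeof big);

	for (int i = 0; i < 20; i++)
		if (queue_insert(&q, report, sizeof report))
			r.accepted++;
	r.big_ok = queue_insert(&q, big, sizeof big);
	r.dropped = q.dropped;
	r.used_after = q.used;
	return r;
}

int main(void)
{
	struct scenario_result r = run_scenario();
	printf("accepted=%u dropped=%u oversized_accepted=%d used_after=%zu\n",
	       r.accepted, r.dropped, r.big_ok, r.used_after);
	return 0;
}
```

Two things the model makes visible: without the `!recq_is_empty()` guard the eviction loop would call `recq_skip()` on an empty queue and read a bogus length (the spin or corruption Dmitry asks about), and with the guard an oversized report still drains every queued record before being refused, so a single 4096-byte report costs all pending events even though it is never copied.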