From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
To: sashiko-reviews@lists.linux.dev
Cc: Jinmo Yang <jinmo44.yang@gmail.com>, linux-input@vger.kernel.org
Subject: Re: [PATCH v2] HID: wacom: fix slab-out-of-bounds write in wacom_wac_queue_insert
Date: Fri, 29 May 2026 14:33:36 -0700 [thread overview]
Message-ID: <ahoFk5Ox-TMtgKHM@google.com> (raw)
In-Reply-To: <20260528184231.1F0581F000E9@smtp.kernel.org>
On Thu, May 28, 2026 at 06:42:29PM +0000, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
>
> Pre-existing issues:
> - [High] wacom_wac_queue_flush() allocates memory with GFP_KERNEL while executing in an atomic context, leading to a 'scheduling while atomic' panic.
> --
>
> commit 70e9615b93de485ba1816f95e27e25b054df4b6a
> Author: Jinmo Yang <jinmo44.yang@gmail.com>
>
> HID: wacom: fix slab-out-of-bounds write in wacom_wac_queue_insert
>
> This commit fixes a slab-out-of-bounds write in wacom_wac_queue_insert().
> It prevents kfifo_skip() from operating on an empty fifo and validates
> the return value of kfifo_in().
>
> > diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
> > index a32320b351e3e..489ca68f1560f 100644
> > --- a/drivers/hid/wacom_sys.c
> > +++ b/drivers/hid/wacom_sys.c
>
> [ ... ]
>
> > @@ -62,7 +62,9 @@ static void wacom_wac_queue_insert(struct hid_device *hdev,
> > kfifo_skip(fifo);
> > }
> >
> > - kfifo_in(fifo, raw_data, size);
> > + if (!kfifo_in(fifo, raw_data, size))
> > + hid_warn_ratelimited(hdev, "%s: report is too large (%d)\n",
> > + __func__, size);
> > }
> >
> > static void wacom_wac_queue_flush(struct hid_device *hdev,
> > struct kfifo_rec_ptr_2 *fifo)
> > {
> > while (!kfifo_is_empty(fifo)) {
> > int size = kfifo_peek_len(fifo);
> > u8 *buf;
> > unsigned int count;
> > int err;
> >
> > buf = kzalloc(size, GFP_KERNEL);
>
> [Severity: High]
> This is a pre-existing issue, but is it safe to use GFP_KERNEL here?
>
> Looking at the call chain, wacom_wac_queue_flush() is invoked via
> wacom_wac_pen_serial_enforce() from the driver's .raw_event callback,
> wacom_raw_event().
>
> For USB HID devices, this callback is typically triggered by hid_irq_in(),
> which is an URB completion handler that runs in an atomic context.
>
> Since using GFP_KERNEL allows the allocator to sleep, could this lead to a
> scheduling while atomic panic? Would it be better to use GFP_ATOMIC instead?
>
This looks like valid analysis. Would you be willing to send a
[completely separate] patch?
Thanks.
--
Dmitry
next prev parent reply other threads:[~2026-05-29 21:33 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-24 13:52 [PATCH 0/1] HID: wacom: fix slab-out-of-bounds write in kfifo_copy_in Jinmo Yang
2026-05-24 13:52 ` [PATCH 1/1] HID: wacom: validate report size before kfifo insert Jinmo Yang
2026-05-24 14:31 ` sashiko-bot
2026-05-27 19:47 ` Dmitry Torokhov
2026-05-27 21:41 ` Dmitry Torokhov
2026-05-28 17:59 ` [PATCH v2] HID: wacom: fix slab-out-of-bounds write in wacom_wac_queue_insert Jinmo Yang
2026-05-28 18:42 ` sashiko-bot
2026-05-29 21:33 ` Dmitry Torokhov [this message]
2026-05-29 21:34 ` Dmitry Torokhov
2026-06-03 12:24 ` Jiri Kosina
2026-06-01 18:19 ` [PATCH 0/1] HID: wacom: fix slab-out-of-bounds write in kfifo_copy_in Benjamin Tissoires
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ahoFk5Ox-TMtgKHM@google.com \
--to=dmitry.torokhov@gmail.com \
--cc=jinmo44.yang@gmail.com \
--cc=linux-input@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.