Linux Input/HID development
* [PATCH v2] HID: core: demote warning to debug level
@ 2026-05-23 10:55 Matteo Croce
  2026-05-23 11:04 ` sashiko-bot
  0 siblings, 1 reply; 3+ messages in thread
From: Matteo Croce @ 2026-05-23 10:55 UTC (permalink / raw)
  To: Jiri Kosina, Benjamin Tissoires, Lee Jones
  Cc: linux-input, linux-kernel, Matteo Croce

From: Matteo Croce <teknoraver@meta.com>

The log level for short messages was changed from debug to warning,
flooding syslog on systems with devices that regularly send
short reports, in my case a UPS:

    $ dmesg |grep -c 'Event data for report .* was too short'
    35

Demote it back to debug level.

Fixes: 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()")
Signed-off-by: Matteo Croce <teknoraver@meta.com>
---
 drivers/hid/hid-core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 41a79e43c82b..503b9bfa5d37 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2072,8 +2072,8 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
 		rsize = max_buffer_size;
 
 	if (bsize < rsize) {
-		hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %zu)\n",
-				     report->id, rsize, bsize);
+		hid_dbg_ratelimited(hid, "Event data for report %d was too short (%d vs %zu)\n",
+				    report->id, rsize, bsize);
 		return -EINVAL;
 	}
 
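Review bot: In the `if (bsize < rsize)` branch the `return -EINVAL;` stays as it is, so after this change short reports are still rejected but nothing is logged at the default level, and a device that stops delivering events because of it gives the user no hint. Consider keeping one visible message per device (a once-only warning) and using the debug call for the repeats, or state in the commit message that the drop itself is intentional and unchanged. The commit message would also be easier to weigh if it said over what period the 35 lines accumulated.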
-- 
2.50.1



* Re: [PATCH v2] HID: core: demote warning to debug level
  2026-05-23 10:55 [PATCH v2] HID: core: demote warning to debug level Matteo Croce
@ 2026-05-23 11:04 ` sashiko-bot
  2026-05-23 12:11   ` Matteo Croce
  0 siblings, 1 reply; 3+ messages in thread
From: sashiko-bot @ 2026-05-23 11:04 UTC (permalink / raw)
  To: Matteo Croce; +Cc: linux-input, dmitry.torokhov

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Demoting the `bsize < rsize` warning to debug level masks legacy API misuse and silently drops valid short reports.
--

commit c89b6cb8fc074729ec292f2ffe95d958722d1447
Author: Matteo Croce <teknoraver@meta.com>

HID: core: demote warning to debug level

This commit demotes the "Event data for report was too short" message from
a warning to a debug log to prevent syslog flooding from devices that
regularly send short reports.

> diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
> index 41a79e43c82b3..503b9bfa5d379 100644
> --- a/drivers/hid/hid-core.c
> +++ b/drivers/hid/hid-core.c
> @@ -2072,8 +2072,8 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
>  		rsize = max_buffer_size;
>  
>  	if (bsize < rsize) {
> -		hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %zu)\n",
> -				     report->id, rsize, bsize);
> +		hid_dbg_ratelimited(hid, "Event data for report %d was too short (%d vs %zu)\n",
> +				    report->id, rsize, bsize);
>  		return -EINVAL;
>  	}
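Review bot: The format string on the `+` line keeps "(%d vs %zu)" without saying which number is which, while the arguments are passed as `rsize, bsize` in that order. Once the message is only seen by someone who has turned debugging on, labelling the two values in the text (report size and buffer size) would save that reader a trip to the source.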

[Severity: High]
Does demoting this warning to debug level mask legacy API misuse and silently
drop valid short reports?

The bsize < rsize check correctly returns -EINVAL to reject events where the
allocated buffer is too small, preventing out-of-bounds memory accesses.

If the UPS device triggers this warning because a core API or legacy driver
incorrectly uses the old hid_input_report() function, the legacy API
implicitly sets the allocated buffer size (bsize) equal to the received
payload size (csize). When the device sends a valid short report
(csize < rsize), bsize also becomes less than rsize, causing the HID core
to incorrectly conclude the buffer is too small, drop the report, and print
the warning.

Silencing this warning fails to fix the root cause. The valid short reports
are still incorrectly dropped, but now they are dropped silently, potentially
leaving the device broken. Furthermore, demoting this warning hides genuine
buffer under-allocation vulnerabilities in other HID drivers.

Should the caller be updated to use hid_safe_input_report() with the actual
allocated buffer length, so the short reports can be successfully processed
via zero-padding instead of returning -EINVAL?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260523105545.68079-1-technoboy85@gmail.com?part=1
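
The three sizes discussed in the review above, as an added user-space model (not kernel code and not part of the thread). All function names are hypothetical, and the zero-padding step follows the review's description rather than a reading of hid-core.c.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* User-space model, hypothetical names. rsize: declared report size,
 * csize: bytes the device sent, bsize: bytes allocated behind buf. */
static int model_raw_event(unsigned char *buf, size_t bsize, size_t csize,
                           size_t rsize)
{
    if (csize > bsize)      /* payload cannot exceed its own buffer */
        return -EINVAL;
    if (bsize < rsize)      /* the test shown in the hunk */
        return -EINVAL;
    if (csize < rsize)      /* short report: zero the tail (per the review) */
        memset(buf + csize, 0, rsize - csize);
    return 0;
}

/* Legacy-style entry: one length only, so bsize is taken to equal csize. */
static int model_legacy_input(unsigned char *buf, size_t csize, size_t rsize)
{
    return model_raw_event(buf, csize, csize, rsize);
}

/* Safe-style entry: the allocation size is passed separately. */
static int model_safe_input(unsigned char *buf, size_t bsize, size_t csize,
                            size_t rsize)
{
    return model_raw_event(buf, bsize, csize, rsize);
}

/* Constructed case: 8-byte report, 5 bytes received, alloc <= 8 claimed. */
static int demo(int use_safe, size_t alloc, unsigned char *tail_out)
{
    unsigned char buf[8];
    int ret;
    memset(buf, 0xAA, sizeof(buf));     /* stale bytes from an earlier transfer */
    ret = use_safe ? model_safe_input(buf, alloc, 5, 8)
                   : model_legacy_input(buf, 5, 8);
    *tail_out = buf[7];                 /* last byte of the declared report */
    return ret;
}

int main(void)
{
    unsigned char t;
    printf("legacy=%d safe=%d\n", demo(0, 8, &t), demo(1, 8, &t));
    return 0;
}
```

In this model the legacy-style call rejects the 5-byte report even though 8 bytes are allocated, while a buffer that really is smaller than the report is rejected on both paths.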


* Re: [PATCH v2] HID: core: demote warning to debug level
  2026-05-23 11:04 ` sashiko-bot
@ 2026-05-23 12:11   ` Matteo Croce
  0 siblings, 0 replies; 3+ messages in thread
From: Matteo Croce @ 2026-05-23 12:11 UTC (permalink / raw)
  To: sashiko-reviews; +Cc: linux-input, dmitry.torokhov

On Sat, 23 May 2026 at 13:04, <sashiko-bot@kernel.org> wrote:
>
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> - [High] Demoting the `bsize < rsize` warning to debug level masks legacy API misuse and silently drops valid short reports.
> --
>
> commit c89b6cb8fc074729ec292f2ffe95d958722d1447
> Author: Matteo Croce <teknoraver@meta.com>
>
> HID: core: demote warning to debug level
>
> This commit demotes the "Event data for report was too short" message from
> a warning to a debug log to prevent syslog flooding from devices that
> regularly send short reports.
>
> > diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
> > index 41a79e43c82b3..503b9bfa5d379 100644
> > --- a/drivers/hid/hid-core.c
> > +++ b/drivers/hid/hid-core.c
> > @@ -2072,8 +2072,8 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
> >               rsize = max_buffer_size;
> >
> >       if (bsize < rsize) {
> > -             hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %zu)\n",
> > -                                  report->id, rsize, bsize);
> > +             hid_dbg_ratelimited(hid, "Event data for report %d was too short (%d vs %zu)\n",
> > +                                 report->id, rsize, bsize);
> >               return -EINVAL;
> >       }
>
> [Severity: High]
> Does demoting this warning to debug level mask legacy API misuse and silently
> drop valid short reports?
>
> The bsize < rsize check correctly returns -EINVAL to reject events where the
> allocated buffer is too small, preventing out-of-bounds memory accesses.
>
> If the UPS device triggers this warning because a core API or legacy driver
> incorrectly uses the old hid_input_report() function, the legacy API
> implicitly sets the allocated buffer size (bsize) equal to the received
> payload size (csize). When the device sends a valid short report
> (csize < rsize), bsize also becomes less than rsize, causing the HID core
> to incorrectly conclude the buffer is too small, drop the report, and print
> the warning.
>
> Silencing this warning fails to fix the root cause. The valid short reports
> are still incorrectly dropped, but now they are dropped silently, potentially
> leaving the device broken. Furthermore, demoting this warning hides genuine
> buffer under-allocation vulnerabilities in other HID drivers.
>
> Should the caller be updated to use hid_safe_input_report() with the actual
> allocated buffer length, so the short reports can be successfully processed
> via zero-padding instead of returning -EINVAL?
>
> --
> Sashiko AI review · https://sashiko.dev/#/patchset/20260523105545.68079-1-technoboy85@gmail.com?part=1

Commit 0a3fe972a7cb changed the level from debug to warning.
This is too noisy, I'm just reverting to the original behaviour.

-- 
Matteo Croce

perl -e 'for($t=0;;$t++){print chr($t*($t>>8|$t>>13)&255)}' |aplay

