[PATCH] HID: core: downgrade short report warning to debug level

public inbox for linux-input@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] HID: core: downgrade short report warning to debug level
@ 2026-04-14 21:41 Anj Duvnjak
  2026-04-14 21:50 ` Oleksandr Natalenko
  0 siblings, 1 reply; 3+ messages in thread
From: Anj Duvnjak @ 2026-04-14 21:41 UTC (permalink / raw)
  To: linux-input
  Cc: benjamin.tissoires, lee, jikos, Anj Duvnjak, Oleksandr Natalenko

Commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus
memset()") replaced the silent memset() with hid_warn_ratelimited(), which
causes dmesg flooding on devices that legitimately send short reports,
such as the APC UPS (051D:0002).

Downgrade to dbg_hid() to restore the previous behaviour of only
reporting under HID_DEBUG, while preserving the security fix of
removing the bogus memset().

Reported-by: Anj Duvnjak <avian@extremenerds.net>
Closes: https://lore.kernel.org/linux-input/MW5PR84MB135613E7947113897DD9FDA4C7272@MW5PR84MB1356.NAMPRD84.PROD.OUTLOOK.COM/
Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
Closes: https://lore.kernel.org/linux-input/6256259.lOV4Wx5bFT@natalenko.name/
Signed-off-by: Anj Duvnjak <avian@extremenerds.net>
---
 drivers/hid/hid-core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 833df14ef68f..de8a179347ec 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2057,8 +2057,8 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
 		rsize = max_buffer_size;
 
 	if (csize < rsize) {
-		hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %d)\n",
-				     report->id, rsize, csize);
+		dbg_hid("Event data for report %d was too short (%d vs %d)\n",
+			report->id, rsize, csize);
 		ret = -EINVAL;
 		goto out;
 	}
-- 
2.46.4


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] HID: core: downgrade short report warning to debug level
  2026-04-14 21:41 [PATCH] HID: core: downgrade short report warning to debug level Anj Duvnjak
@ 2026-04-14 21:50 ` Oleksandr Natalenko
  2026-04-15  8:24   ` Benjamin Tissoires
  0 siblings, 1 reply; 3+ messages in thread
From: Oleksandr Natalenko @ 2026-04-14 21:50 UTC (permalink / raw)
  To: linux-input, Anj Duvnjak; +Cc: benjamin.tissoires, lee, jikos

[-- Attachment #1: Type: text/plain, Size: 2115 bytes --]

Hello.

Thank you for the submission. Please see comments inline.

On úterý 14. dubna 2026 23:41:43, středoevropský letní čas Anj Duvnjak wrote:
> Commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus
> memset()") replaced the silent memset() with hid_warn_ratelimited(), which
> causes dmesg flooding on devices that legitimately send short reports,
> such as the APC UPS (051D:0002).
> 
> Downgrade to dbg_hid() to restore the previous behaviour of only
> reporting under HID_DEBUG, while preserving the security fix of
> removing the bogus memset().
> 
> Reported-by: Anj Duvnjak <avian@extremenerds.net>
> Closes: https://lore.kernel.org/linux-input/MW5PR84MB135613E7947113897DD9FDA4C7272@MW5PR84MB1356.NAMPRD84.PROD.OUTLOOK.COM/
> Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
> Closes: https://lore.kernel.org/linux-input/6256259.lOV4Wx5bFT@natalenko.name/

I think these Closes: should be Link: instead. And probably Fixes: should be added as follows:

Fixes: 0a3fe972a7cb14 ("HID: core: Mitigate potential OOB by removing bogus memset()")

> Signed-off-by: Anj Duvnjak <avian@extremenerds.net>
> ---
>  drivers/hid/hid-core.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
> index 833df14ef68f..de8a179347ec 100644
> --- a/drivers/hid/hid-core.c
> +++ b/drivers/hid/hid-core.c
> @@ -2057,8 +2057,8 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
>  		rsize = max_buffer_size;
>  
>  	if (csize < rsize) {
> -		hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %d)\n",
> -				     report->id, rsize, csize);
> +		dbg_hid("Event data for report %d was too short (%d vs %d)\n",
> +			report->id, rsize, csize);

Ratelimiting is good to keep, IMO. There's a separate macro for that, hid_dbg_ratelimited(), which is surprisingly not used anywhere at the moment as far as I can grep, but it should do the job.

>  		ret = -EINVAL;
>  		goto out;
>  	}
> 


-- 
Oleksandr Natalenko, MSE

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] HID: core: downgrade short report warning to debug level
  2026-04-14 21:50 ` Oleksandr Natalenko
@ 2026-04-15  8:24   ` Benjamin Tissoires
  0 siblings, 0 replies; 3+ messages in thread
From: Benjamin Tissoires @ 2026-04-15  8:24 UTC (permalink / raw)
  To: Oleksandr Natalenko
  Cc: linux-input, Anj Duvnjak, benjamin.tissoires, lee, jikos

On Apr 14 2026, Oleksandr Natalenko wrote:
> Hello.
> 
> Thank you for the submission. Please see comments inline.
> 
> On úterý 14. dubna 2026 23:41:43, středoevropský letní čas Anj Duvnjak wrote:
> > Commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus
> > memset()") replaced the silent memset() with hid_warn_ratelimited(), which
> > causes dmesg flooding on devices that legitimately send short reports,
> > such as the APC UPS (051D:0002).
> > 
> > Downgrade to dbg_hid() to restore the previous behaviour of only
> > reporting under HID_DEBUG, while preserving the security fix of
> > removing the bogus memset().
> > 
> > Reported-by: Anj Duvnjak <avian@extremenerds.net>
> > Closes: https://lore.kernel.org/linux-input/MW5PR84MB135613E7947113897DD9FDA4C7272@MW5PR84MB1356.NAMPRD84.PROD.OUTLOOK.COM/
> > Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
> > Closes: https://lore.kernel.org/linux-input/6256259.lOV4Wx5bFT@natalenko.name/
> 
> I think these Closes: should be Link: instead. And probably Fixes: should be added as follows:
> 
> Fixes: 0a3fe972a7cb14 ("HID: core: Mitigate potential OOB by removing bogus memset()")
> 
> > Signed-off-by: Anj Duvnjak <avian@extremenerds.net>
> > ---
> >  drivers/hid/hid-core.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
> > index 833df14ef68f..de8a179347ec 100644
> > --- a/drivers/hid/hid-core.c
> > +++ b/drivers/hid/hid-core.c
> > @@ -2057,8 +2057,8 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
> >  		rsize = max_buffer_size;
> >  
> >  	if (csize < rsize) {
> > -		hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %d)\n",
> > -				     report->id, rsize, csize);
> > +		dbg_hid("Event data for report %d was too short (%d vs %d)\n",
> > +			report->id, rsize, csize);
> 
> Ratelimiting is good to keep, IMO. There's a separate macro for that, hid_dbg_ratelimited(), which is surprisingly not used anywhere at the moment as far as I can grep, but it should do the job.

Thanks for the bug and the review.

However, I've got a proper fix which restores the original behavior
while still preventing the OOWM write. It should be out today or
tomorrow.

Cheers,
Benjamin

> 
> >  		ret = -EINVAL;
> >  		goto out;
> >  	}
> > 
> 
> 
> -- 
> Oleksandr Natalenko, MSE



^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-04-15  8:24 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-14 21:41 [PATCH] HID: core: downgrade short report warning to debug level Anj Duvnjak
2026-04-14 21:50 ` Oleksandr Natalenko
2026-04-15  8:24   ` Benjamin Tissoires

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox