From: kernel test robot <lkp@intel.com>
To: pip-izony <eeodqql09@gmail.com>,
Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: oe-kbuild-all@lists.linux.dev, Seungjin Bae <eeodqql09@gmail.com>,
Kyungtae Kim <Kyungtae.Kim@dartmouth.edu>,
linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH] Input: pegasus-notetaker - fix out-of-bounds access vulnerability in pegasus_parse_packet() function of the pegasus driver
Date: Sat, 11 Oct 2025 03:43:31 +0800 [thread overview]
Message-ID: <202510110303.ibbCe4PD-lkp@intel.com> (raw)
In-Reply-To: <20251007214131.3737115-2-eeodqql09@gmail.com>
Hi pip-izony,
kernel test robot noticed the following build warnings:
[auto build test WARNING on dtor-input/next]
[also build test WARNING on dtor-input/for-linus linus/master v6.17 next-20251010]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/pip-izony/Input-pegasus-notetaker-fix-out-of-bounds-access-vulnerability-in-pegasus_parse_packet-function-of-the-pegasus-driver/20251009-180618
base: https://git.kernel.org/pub/scm/linux/kernel/git/dtor/input.git next
patch link: https://lore.kernel.org/r/20251007214131.3737115-2-eeodqql09%40gmail.com
patch subject: [PATCH] Input: pegasus-notetaker - fix out-of-bounds access vulnerability in pegasus_parse_packet() function of the pegasus driver
config: powerpc64-randconfig-r073-20251010 (https://download.01.org/0day-ci/archive/20251011/202510110303.ibbCe4PD-lkp@intel.com/config)
compiler: powerpc64-linux-gcc (GCC) 8.5.0
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202510110303.ibbCe4PD-lkp@intel.com/
smatch warnings:
drivers/input/tablet/pegasus_notetaker.c:314 pegasus_probe() warn: inconsistent indenting
vim +314 drivers/input/tablet/pegasus_notetaker.c
270
271 static int pegasus_probe(struct usb_interface *intf,
272 const struct usb_device_id *id)
273 {
274 struct usb_device *dev = interface_to_usbdev(intf);
275 struct usb_endpoint_descriptor *endpoint;
276 struct pegasus *pegasus;
277 struct input_dev *input_dev;
278 int error;
279 int pipe;
280
281 /* We control interface 0 */
282 if (intf->cur_altsetting->desc.bInterfaceNumber >= 1)
283 return -ENODEV;
284
285 /* Sanity check that the device has an endpoint */
286 if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
287 dev_err(&intf->dev, "Invalid number of endpoints\n");
288 return -EINVAL;
289 }
290
291 endpoint = &intf->cur_altsetting->endpoint[0].desc;
292
293 pegasus = kzalloc(sizeof(*pegasus), GFP_KERNEL);
294 input_dev = input_allocate_device();
295 if (!pegasus || !input_dev) {
296 error = -ENOMEM;
297 goto err_free_mem;
298 }
299
300 mutex_init(&pegasus->pm_mutex);
301
302 pegasus->usbdev = dev;
303 pegasus->dev = input_dev;
304 pegasus->intf = intf;
305
306 pipe = usb_rcvintpipe(dev, endpoint->bEndpointAddress);
307 /* Sanity check that pipe's type matches endpoint's type */
308 if (usb_pipe_type_check(dev, pipe)) {
309 error = -EINVAL;
310 goto err_free_mem;
311 }
312
313 pegasus->data_len = usb_maxpacket(dev, pipe);
> 314 if (pegasus->data_len < 5) {
315 dev_err(&intf->dev, "Invalid number of wMaxPacketSize\n");
316 error = -EINVAL;
317 goto err_free_mem;
318 }
319
320 pegasus->data = usb_alloc_coherent(dev, pegasus->data_len, GFP_KERNEL,
321 &pegasus->data_dma);
322 if (!pegasus->data) {
323 error = -ENOMEM;
324 goto err_free_mem;
325 }
326
327 pegasus->irq = usb_alloc_urb(0, GFP_KERNEL);
328 if (!pegasus->irq) {
329 error = -ENOMEM;
330 goto err_free_dma;
331 }
332
333 usb_fill_int_urb(pegasus->irq, dev, pipe,
334 pegasus->data, pegasus->data_len,
335 pegasus_irq, pegasus, endpoint->bInterval);
336
337 pegasus->irq->transfer_dma = pegasus->data_dma;
338 pegasus->irq->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
339
340 if (dev->manufacturer)
341 strscpy(pegasus->name, dev->manufacturer,
342 sizeof(pegasus->name));
343
344 if (dev->product) {
345 if (dev->manufacturer)
346 strlcat(pegasus->name, " ", sizeof(pegasus->name));
347 strlcat(pegasus->name, dev->product, sizeof(pegasus->name));
348 }
349
350 if (!strlen(pegasus->name))
351 snprintf(pegasus->name, sizeof(pegasus->name),
352 "USB Pegasus Device %04x:%04x",
353 le16_to_cpu(dev->descriptor.idVendor),
354 le16_to_cpu(dev->descriptor.idProduct));
355
356 usb_make_path(dev, pegasus->phys, sizeof(pegasus->phys));
357 strlcat(pegasus->phys, "/input0", sizeof(pegasus->phys));
358
359 INIT_WORK(&pegasus->init, pegasus_init);
360
361 usb_set_intfdata(intf, pegasus);
362
363 input_dev->name = pegasus->name;
364 input_dev->phys = pegasus->phys;
365 usb_to_input_id(dev, &input_dev->id);
366 input_dev->dev.parent = &intf->dev;
367
368 input_set_drvdata(input_dev, pegasus);
369
370 input_dev->open = pegasus_open;
371 input_dev->close = pegasus_close;
372
373 __set_bit(EV_ABS, input_dev->evbit);
374 __set_bit(EV_KEY, input_dev->evbit);
375
376 __set_bit(ABS_X, input_dev->absbit);
377 __set_bit(ABS_Y, input_dev->absbit);
378
379 __set_bit(BTN_TOUCH, input_dev->keybit);
380 __set_bit(BTN_RIGHT, input_dev->keybit);
381 __set_bit(BTN_TOOL_PEN, input_dev->keybit);
382
383 __set_bit(INPUT_PROP_DIRECT, input_dev->propbit);
384 __set_bit(INPUT_PROP_POINTER, input_dev->propbit);
385
386 input_set_abs_params(input_dev, ABS_X, -1500, 1500, 8, 0);
387 input_set_abs_params(input_dev, ABS_Y, 1600, 3000, 8, 0);
388
389 error = input_register_device(pegasus->dev);
390 if (error)
391 goto err_free_urb;
392
393 return 0;
394
395 err_free_urb:
396 usb_free_urb(pegasus->irq);
397 err_free_dma:
398 usb_free_coherent(dev, pegasus->data_len,
399 pegasus->data, pegasus->data_dma);
400 err_free_mem:
401 input_free_device(input_dev);
402 kfree(pegasus);
403 usb_set_intfdata(intf, NULL);
404
405 return error;
406 }
407
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
next prev parent reply other threads:[~2025-10-10 19:44 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-07 21:41 [PATCH] Input: pegasus-notetaker - fix out-of-bounds access vulnerability in pegasus_parse_packet() function of the pegasus driver pip-izony
2025-10-08 4:58 ` Greg KH
2025-10-09 8:41 ` kernel test robot
2025-10-10 19:43 ` kernel test robot [this message]
2025-10-18 1:08 ` Dmitry Torokhov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202510110303.ibbCe4PD-lkp@intel.com \
--to=lkp@intel.com \
--cc=Kyungtae.Kim@dartmouth.edu \
--cc=dmitry.torokhov@gmail.com \
--cc=eeodqql09@gmail.com \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=oe-kbuild-all@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox