Re: [PATCH 0/1] HID: wacom: fix slab-out-of-bounds write in kfifo_copy_in
From: Benjamin Tissoires
Date: Mon Jun 01 2026 - 14:30:29 EST

On Sun, 24 May 2026 22:52:02 +0900, Jinmo Yang wrote:
> I found the following slab-out-of-bounds write in the wacom HID driver
> while fuzzing with syzkaller on v7.1.0-rc4-next-20260522:
>
> BUG: KASAN: slab-out-of-bounds in kfifo_copy_in+0xf3/0x130 lib/kfifo.c:106
> Write of size 3842 at addr ffff888009179000 by task syz.3.9362/61135
>
> CPU: 1 UID: 0 PID: 61135 Comm: syz.3.9362 Not tainted 7.1.0-rc4-next-20260522-dirty #3 PREEMPT(lazy)
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:94 [inline]
> dump_stack_lvl+0x97/0xe0 lib/dump_stack.c:120
> print_address_description mm/kasan/report.c:378 [inline]
> print_report+0x157/0x4c9 mm/kasan/report.c:482
> kasan_report+0xce/0x100 mm/kasan/report.c:595
> check_region_inline mm/kasan/generic.c:186 [inline]
> kasan_check_range+0x10f/0x1e0 mm/kasan/generic.c:200
> __asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106
> kfifo_copy_in+0xf3/0x130 lib/kfifo.c:106
> __kfifo_in_r lib/kfifo.c:442 [inline]
> __kfifo_in_r+0x1b2/0x230 lib/kfifo.c:434
> wacom_wac_queue_insert drivers/hid/wacom_sys.c:65 [inline]
> wacom_wac_pen_serial_enforce drivers/hid/wacom_sys.c:165 [inline]
> wacom_raw_event+0x900/0xa90 drivers/hid/wacom_sys.c:179
> __hid_input_report.constprop.0+0x39a/0x4d0 drivers/hid/hid-core.c:2161
> uhid_dev_input2 drivers/hid/uhid.c:618 [inline]
> uhid_char_write+0xa8a/0xfa0 drivers/hid/uhid.c:776
> vfs_write+0x2c0/0xe40 fs/read_write.c:686
> ksys_write+0x1f8/0x250 fs/read_write.c:740
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xee/0x590 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> [...]

Applied to https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git (for-7.2/wacom), thanks!

[1/1] HID: wacom: fix slab-out-of-bounds write in wacom_wac_queue_insert
      https://git.kernel.org/hid/hid/c/6b3014ec0e9a

Cheers,
--
Benjamin Tissoires <bentiss@xxxxxxxxxx>