diff mbox series

HID: wacom: Correct NULL dereference on AES pen proximity

Message ID 20210121184649.157189-1-jason.gerecke@wacom.com
State Accepted
Commit 179e8e47c02a1950f1c556f2b854bdb2259078fb
Headers show
Series HID: wacom: Correct NULL dereference on AES pen proximity | expand

Commit Message

Gerecke, Jason Jan. 21, 2021, 6:46 p.m. UTC
The recent commit to fix a memory leak introduced an inadvertant NULL
pointer dereference. The `wacom_wac->pen_fifo` variable was never
intialized, resuling in a crash whenever functions tried to use it.
Since the FIFO is only used by AES pens (to buffer events from pen
proximity until the hardware reports the pen serial number) this would
have been easily overlooked without testing an AES device.

This patch converts `wacom_wac->pen_fifo` over to a pointer (since the
call to `devres_alloc` allocates memory for us) and ensures that we assign
it to point to the allocated and initalized `pen_fifo` before the function
returns.

Link: https://github.com/linuxwacom/input-wacom/issues/230
Fixes: 37309f47e2f5 ("HID: wacom: Fix memory leakage caused by kfifo_alloc")
CC: stable@vger.kernel.org # v4.19+
Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
Tested-by: Ping Cheng <ping.cheng@wacom.com>
---
 drivers/hid/wacom_sys.c | 7 ++++---
 drivers/hid/wacom_wac.h | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

Comments

Jiri Kosina Jan. 26, 2021, 10:55 a.m. UTC | #1
On Thu, 21 Jan 2021, Jason Gerecke wrote:

> The recent commit to fix a memory leak introduced an inadvertant NULL
> pointer dereference. The `wacom_wac->pen_fifo` variable was never
> intialized, resuling in a crash whenever functions tried to use it.
> Since the FIFO is only used by AES pens (to buffer events from pen
> proximity until the hardware reports the pen serial number) this would
> have been easily overlooked without testing an AES device.
> 
> This patch converts `wacom_wac->pen_fifo` over to a pointer (since the
> call to `devres_alloc` allocates memory for us) and ensures that we assign
> it to point to the allocated and initalized `pen_fifo` before the function
> returns.
> 
> Link: https://github.com/linuxwacom/input-wacom/issues/230
> Fixes: 37309f47e2f5 ("HID: wacom: Fix memory leakage caused by kfifo_alloc")
> CC: stable@vger.kernel.org # v4.19+
> Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
> Tested-by: Ping Cheng <ping.cheng@wacom.com>

Applied, thanks.
diff mbox series

Patch

diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
index e8acd235db2a..aa9e48876ced 100644
--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -147,9 +147,9 @@  static int wacom_wac_pen_serial_enforce(struct hid_device *hdev,
 	}
 
 	if (flush)
-		wacom_wac_queue_flush(hdev, &wacom_wac->pen_fifo);
+		wacom_wac_queue_flush(hdev, wacom_wac->pen_fifo);
 	else if (insert)
-		wacom_wac_queue_insert(hdev, &wacom_wac->pen_fifo,
+		wacom_wac_queue_insert(hdev, wacom_wac->pen_fifo,
 				       raw_data, report_size);
 
 	return insert && !flush;
@@ -1280,7 +1280,7 @@  static void wacom_devm_kfifo_release(struct device *dev, void *res)
 static int wacom_devm_kfifo_alloc(struct wacom *wacom)
 {
 	struct wacom_wac *wacom_wac = &wacom->wacom_wac;
-	struct kfifo_rec_ptr_2 *pen_fifo = &wacom_wac->pen_fifo;
+	struct kfifo_rec_ptr_2 *pen_fifo;
 	int error;
 
 	pen_fifo = devres_alloc(wacom_devm_kfifo_release,
@@ -1297,6 +1297,7 @@  static int wacom_devm_kfifo_alloc(struct wacom *wacom)
 	}
 
 	devres_add(&wacom->hdev->dev, pen_fifo);
+	wacom_wac->pen_fifo = pen_fifo;
 
 	return 0;
 }
diff --git a/drivers/hid/wacom_wac.h b/drivers/hid/wacom_wac.h
index da612b6e9c77..195910dd2154 100644
--- a/drivers/hid/wacom_wac.h
+++ b/drivers/hid/wacom_wac.h
@@ -342,7 +342,7 @@  struct wacom_wac {
 	struct input_dev *pen_input;
 	struct input_dev *touch_input;
 	struct input_dev *pad_input;
-	struct kfifo_rec_ptr_2 pen_fifo;
+	struct kfifo_rec_ptr_2 *pen_fifo;
 	int pid;
 	int num_contacts_left;
 	u8 bt_features;