Commit 179e8e47 authored by Jason Gerecke's avatar Jason Gerecke Committed by Jiri Kosina

HID: wacom: Correct NULL dereference on AES pen proximity

The recent commit to fix a memory leak introduced an inadvertent NULL
pointer dereference. The `wacom_wac->pen_fifo` variable was never
initialized, resulting in a crash whenever functions tried to use it.
Since the FIFO is only used by AES pens (to buffer events from pen
proximity until the hardware reports the pen serial number) this would
have been easily overlooked without testing an AES device.

This patch converts `wacom_wac->pen_fifo` over to a pointer (since the
call to `devres_alloc` allocates memory for us) and ensures that we assign
it to point to the allocated and initialized `pen_fifo` before the function
returns.

Link: https://github.com/linuxwacom/input-wacom/issues/230
Fixes: 37309f47 ("HID: wacom: Fix memory leakage caused by kfifo_alloc")
CC: stable@vger.kernel.org # v4.19+
Signed-off-by: default avatarJason Gerecke <jason.gerecke@wacom.com>
Tested-by: default avatarPing Cheng <ping.cheng@wacom.com>
Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
parent 794c6133
...@@ -147,9 +147,9 @@ static int wacom_wac_pen_serial_enforce(struct hid_device *hdev, ...@@ -147,9 +147,9 @@ static int wacom_wac_pen_serial_enforce(struct hid_device *hdev,
} }
if (flush) if (flush)
wacom_wac_queue_flush(hdev, &wacom_wac->pen_fifo); wacom_wac_queue_flush(hdev, wacom_wac->pen_fifo);
else if (insert) else if (insert)
wacom_wac_queue_insert(hdev, &wacom_wac->pen_fifo, wacom_wac_queue_insert(hdev, wacom_wac->pen_fifo,
raw_data, report_size); raw_data, report_size);
return insert && !flush; return insert && !flush;
...@@ -1280,7 +1280,7 @@ static void wacom_devm_kfifo_release(struct device *dev, void *res) ...@@ -1280,7 +1280,7 @@ static void wacom_devm_kfifo_release(struct device *dev, void *res)
static int wacom_devm_kfifo_alloc(struct wacom *wacom) static int wacom_devm_kfifo_alloc(struct wacom *wacom)
{ {
struct wacom_wac *wacom_wac = &wacom->wacom_wac; struct wacom_wac *wacom_wac = &wacom->wacom_wac;
struct kfifo_rec_ptr_2 *pen_fifo = &wacom_wac->pen_fifo; struct kfifo_rec_ptr_2 *pen_fifo;
int error; int error;
pen_fifo = devres_alloc(wacom_devm_kfifo_release, pen_fifo = devres_alloc(wacom_devm_kfifo_release,
...@@ -1297,6 +1297,7 @@ static int wacom_devm_kfifo_alloc(struct wacom *wacom) ...@@ -1297,6 +1297,7 @@ static int wacom_devm_kfifo_alloc(struct wacom *wacom)
} }
devres_add(&wacom->hdev->dev, pen_fifo); devres_add(&wacom->hdev->dev, pen_fifo);
wacom_wac->pen_fifo = pen_fifo;
return 0; return 0;
} }
......
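Review bot: Now that `pen_fifo` is a pointer, `wacom_wac_queue_flush(hdev, wacom_wac->pen_fifo)` and `wacom_wac_queue_insert(hdev, wacom_wac->pen_fifo, ...)` in wacom_wac_pen_serial_enforce pass it on with no NULL check, while the only assignment, `wacom_wac->pen_fifo = pen_fifo;`, sits on the success path of wacom_devm_kfifo_alloc. That is safe only if the caller aborts probe when the allocation fails and no report can reach the enforce path before the allocation runs; neither is visible here, since both function bodies begin outside the hunks. A guard such as `if (!wacom_wac->pen_fifo) return 0;` ahead of the flush/insert branch would stop a later ordering change from reintroducing the same oops. It is also worth confirming that wacom_devm_kfifo_release, whose body is not shown, cannot leave `wacom_wac->pen_fifo` pointing at freed memory while reports are still being delivered.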
...@@ -342,7 +342,7 @@ struct wacom_wac { ...@@ -342,7 +342,7 @@ struct wacom_wac {
struct input_dev *pen_input; struct input_dev *pen_input;
struct input_dev *touch_input; struct input_dev *touch_input;
struct input_dev *pad_input; struct input_dev *pad_input;
struct kfifo_rec_ptr_2 pen_fifo; struct kfifo_rec_ptr_2 *pen_fifo;
int pid; int pid;
int num_contacts_left; int num_contacts_left;
u8 bt_features; u8 bt_features;
......
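Review bot: The `struct kfifo_rec_ptr_2 *pen_fifo;` member now has ownership and lifetime rules that the declaration does not state. A one-line comment on the field would help the next reader, for example `/* devres-managed; set by wacom_devm_kfifo_alloc(), NULL until then */`. The rest of struct wacom_wac lies outside this hunk, so check whether neighbouring members already follow a comment convention before adding it.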