Commit 2ac97f0f authored by Jason Gerecke's avatar Jason Gerecke Committed by Jiri Kosina

HID: wacom: Have wacom_tpc_irq guard against possible NULL dereference

The following Smatch complaint was generated in response to commit
2a6cdbdd ("HID: wacom: Introduce new 'touch_input' device"):

    drivers/hid/wacom_wac.c:1586 wacom_tpc_irq()
             error: we previously assumed 'wacom->touch_input' could be null (see line 1577)

The 'touch_input' and 'pen_input' variables point to the 'struct input_dev'
used for relaying touch and pen events to userspace, respectively. If a
device does not have a touch interface or pen interface, the associated
input variable is NULL. The 'wacom_tpc_irq()' function is responsible for
forwarding input reports to a more-specific IRQ handler function. An
unknown report could theoretically be mistaken as e.g. a touch report
on a device which does not have a touch interface. This can be prevented
by only calling the pen/touch functions are called when the pen/touch
pointers are valid.

Fixes: 2a6cdbdd ("HID: wacom: Introduce new 'touch_input' device")
Signed-off-by: default avatarJason Gerecke <jason.gerecke@wacom.com>
Reviewed-by: default avatarPing Cheng <ping.cheng@wacom.com>
Cc: stable@vger.kernel.org
Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
parent 7af4c727
...@@ -1571,10 +1571,15 @@ static int wacom_tpc_irq(struct wacom_wac *wacom, size_t len) ...@@ -1571,10 +1571,15 @@ static int wacom_tpc_irq(struct wacom_wac *wacom, size_t len)
{ {
unsigned char *data = wacom->data; unsigned char *data = wacom->data;
if (wacom->pen_input) if (wacom->pen_input) {
dev_dbg(wacom->pen_input->dev.parent, dev_dbg(wacom->pen_input->dev.parent,
"%s: received report #%d\n", __func__, data[0]); "%s: received report #%d\n", __func__, data[0]);
else if (wacom->touch_input)
if (len == WACOM_PKGLEN_PENABLED ||
data[0] == WACOM_REPORT_PENABLED)
return wacom_tpc_pen(wacom);
}
else if (wacom->touch_input) {
dev_dbg(wacom->touch_input->dev.parent, dev_dbg(wacom->touch_input->dev.parent,
"%s: received report #%d\n", __func__, data[0]); "%s: received report #%d\n", __func__, data[0]);
...@@ -1585,9 +1590,6 @@ static int wacom_tpc_irq(struct wacom_wac *wacom, size_t len) ...@@ -1585,9 +1590,6 @@ static int wacom_tpc_irq(struct wacom_wac *wacom, size_t len)
case WACOM_PKGLEN_TPC2FG: case WACOM_PKGLEN_TPC2FG:
return wacom_tpc_mt_touch(wacom); return wacom_tpc_mt_touch(wacom);
case WACOM_PKGLEN_PENABLED:
return wacom_tpc_pen(wacom);
default: default:
switch (data[0]) { switch (data[0]) {
case WACOM_REPORT_TPC1FG: case WACOM_REPORT_TPC1FG:
...@@ -1600,8 +1602,7 @@ static int wacom_tpc_irq(struct wacom_wac *wacom, size_t len) ...@@ -1600,8 +1602,7 @@ static int wacom_tpc_irq(struct wacom_wac *wacom, size_t len)
case WACOM_REPORT_TPCMT2: case WACOM_REPORT_TPCMT2:
return wacom_mt_touch(wacom); return wacom_mt_touch(wacom);
case WACOM_REPORT_PENABLED: }
return wacom_tpc_pen(wacom);
} }
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment