From: sashiko-bot@kernel.org
To: "Myeonghun Pak" <mhun512@gmail.com>
Cc: dmitry.torokhov@gmail.com, linux-input@vger.kernel.org
Subject: Re: [PATCH v2] HID: wacom: stop hardware after post-start probe failures
Date: Thu, 04 Jun 2026 05:14:23 +0000 [thread overview]
Message-ID: <20260604051423.B0C521F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260604045710.25512-1-mhun512@gmail.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
Pre-existing issues:
- [High] Failing to cancel scheduled delayed works and timers on the probe error path leads to a Use-After-Free when the `wacom` structure is freed.
- [High] Nullifying input pointers in `wacom_register_inputs` before stopping the hardware leaves a race window where incoming interrupts can cause a NULL pointer dereference.
- [High] Hardware interrupts can arrive before `wacom->remote` is allocated, causing a NULL pointer dereference in the IRQ handlers.
--
commit 517a367ac93aa0d6c6470c3a21cdb477449345e3
Author: Myeonghun Pak <mhun512@gmail.com>
Subject: HID: wacom: stop hardware after post-start probe failures
This patch routes post-hid_hw_start() failures in wacom_parse_and_register()
through hid_hw_stop() before releasing driver resources. This ensures that the
HID hardware is properly stopped before the wacom resources are freed.
> diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
> index 2220168bf1164..252771dcfd8f8 100644
> --- a/drivers/hid/wacom_sys.c
> +++ b/drivers/hid/wacom_sys.c
> @@ -2462,16 +2462,16 @@ static int wacom_parse_and_register(struct wacom *wacom, bool wireless)
>
> error = wacom_register_inputs(wacom);
> if (error)
> - goto fail;
> + goto fail_hw_stop;
[Severity: High]
This is a pre-existing issue, but does this leave a small race window where
an interrupt could cause a NULL pointer dereference?
If wacom_register_inputs() fails, its error path sets the input pointers to
NULL:
fail:
wacom_wac->pad_input = NULL;
wacom_wac->touch_input = NULL;
wacom_wac->pen_input = NULL;
return error;
The code then jumps to fail_hw_stop. Since hid_hw_start() has already been
called, the hardware is active. Could an interrupt arrive before hid_hw_stop()
completes, triggering an IRQ handler like wacom_intuos_irq() which
dereferences wacom->pen_input without checking for NULL?
>
> if (wacom->wacom_wac.features.device_type & WACOM_DEVICETYPE_PAD) {
> error = wacom_initialize_leds(wacom);
> if (error)
> - goto fail;
> + goto fail_hw_stop;
>
> error = wacom_initialize_remotes(wacom);
> if (error)
> - goto fail;
> + goto fail_hw_stop;
[Severity: High]
This is a pre-existing issue, but I have a question about how this handles
interrupts arriving before initialization is complete.
Since hid_hw_start() is called prior to wacom_initialize_remotes():
error = hid_hw_start(hdev, connect_mask);
...
error = wacom_initialize_remotes(wacom);
Could an early hardware event or a malicious USB report arrive and trigger
wacom_remote_irq() or wacom_remote_status_irq()? Those handlers appear to
dereference wacom->remote to acquire a spinlock:
spin_lock_irqsave(&remote->remote_lock, flags);
If the interrupt arrives before wacom_initialize_remotes() has allocated
wacom->remote, would this lead to a NULL pointer dereference?
[ ... ]
> @@ -2501,7 +2501,7 @@ static int wacom_parse_and_register(struct wacom *wacom, bool wireless)
>
> return 0;
>
> -fail_quirks:
> +fail_hw_stop:
> hid_hw_stop(hdev);
> fail:
> wacom_release_resources(wacom);
[Severity: High]
This isn't a bug introduced by this patch, but it seems there might be a
pre-existing issue with pending works on the error path.
If wacom_query_tablet_data() is called earlier:
wacom_query_tablet_data(struct wacom *wacom)
{
schedule_delayed_work(&wacom->init_work, msecs_to_jiffies(1000));
}
And then a subsequent step like hid_hw_open() fails, we jump to fail_hw_stop
which stops the hardware and releases resources:
fail_hw_stop:
hid_hw_stop(hdev);
fail:
wacom_release_resources(wacom);
return error;
Since the error is returned to wacom_probe() which can cause the devres core
to free the wacom structure, could the uncancelled wacom->init_work (or other
works/timers scheduled by interrupts) execute later and dereference the freed
wacom memory?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260604045710.25512-1-mhun512@gmail.com?part=1
next prev parent reply other threads:[~2026-06-04 5:14 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-24 17:53 [PATCH] HID: wacom: stop hardware after post-start probe failures Myeonghun Pak
2026-05-24 18:41 ` sashiko-bot
2026-05-27 19:34 ` Dmitry Torokhov
2026-06-03 12:22 ` Jiri Kosina
2026-06-04 4:43 ` Myeonghun Pak
2026-06-04 4:56 ` [PATCH v2] " Myeonghun Pak
2026-06-04 5:14 ` sashiko-bot [this message]
2026-06-10 15:49 ` Jiri Kosina
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260604051423.B0C521F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-input@vger.kernel.org \
--cc=mhun512@gmail.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.