From: Ruoyu Wang <ruoyuw560@gmail.com>
To: Ping Cheng <ping.cheng@wacom.com>
Cc: Jason Gerecke <jason.gerecke@wacom.com>,
Jiri Kosina <jikos@kernel.org>,
Benjamin Tissoires <bentiss@kernel.org>,
linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
Ruoyu Wang <ruoyuw560@gmail.com>
Subject: [PATCH] HID: wacom: handle kmemdup failure in Bluetooth IRQ path
Date: Sat, 6 Jun 2026 12:03:44 +0800 [thread overview]
Message-ID: <20260606040344.4-1-ruoyuw560@gmail.com> (raw)
wacom_intuos_bt_irq() duplicates the input report with kmemdup() and then
uses data[0] to dispatch the report type. If the allocation fails, the
switch statement dereferences a NULL pointer.
Handle allocation failure by dropping the report. This keeps the
interrupt path from dereferencing a NULL buffer while preserving the
existing return convention for ignored or malformed reports.
Signed-off-by: Ruoyu Wang <ruoyuw560@gmail.com>
---
drivers/hid/wacom_wac.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
index da1f0ea85625d..c42af15e7dba0 100644
--- a/drivers/hid/wacom_wac.c
+++ b/drivers/hid/wacom_wac.c
@@ -1206,6 +1206,9 @@ static int wacom_intuos_bt_irq(struct wacom_wac *wacom, size_t len)
int i = 1;
unsigned power_raw, battery_capacity, bat_charging, ps_connected;
+ if (!data)
+ return 0;
+
switch (data[0]) {
case 0x04:
if (len < 32) {
--
2.34.1
next reply other threads:[~2026-06-06 4:03 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-06 4:03 Ruoyu Wang [this message]
2026-06-16 18:27 ` [PATCH] HID: wacom: handle kmemdup failure in Bluetooth IRQ path Jason Gerecke
2026-06-17 7:20 ` [PATCH v2] HID: wacom: avoid copying Bluetooth input reports Ruoyu Wang
2026-06-17 7:31 ` sashiko-bot
2026-06-17 16:55 ` Jason Gerecke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260606040344.4-1-ruoyuw560@gmail.com \
--to=ruoyuw560@gmail.com \
--cc=bentiss@kernel.org \
--cc=jason.gerecke@wacom.com \
--cc=jikos@kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ping.cheng@wacom.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.