From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D68E1413621; Tue, 9 Jun 2026 12:20:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781007605; cv=none; b=NvIzVuhZTc4rRQAnR63v2ai7B9CxFZiqTsghSm/1r9o+ZKQ6a8+fzSL5C3kwrJYxb2kyvJp1cL/KidIA98LotkZX5++smo5z78FLByhcJMsiuvzN1C1jy3onfr2weAFl1jEd2lUOWI9aBTKHgXSbQvben7kYt2MvP6ri/gWDq/U= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781007605; c=relaxed/simple; bh=MQvbKjfuwmOlit9Yp6WwH/epZW5GwOwN4/Ghv9TwGQw=; h=From:To:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=amFkajWB4V1oXDseZblkL3t+YNgvvVBOCWeRiVaG1be4d1dw+HprFSdzwdZ7YD59lLwAYEDgyXO3ppgD1N+3rq2qeI7xsVpVuXIDjbIibhY7w8A961hNl7DIkUCClSdVWCDj8BYcwYD7yRwVRWubJ72jhSmL6k4dZJ5PBvuBRXk= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=JBJVsxlZ; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="JBJVsxlZ" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8ABC11F00893; Tue, 9 Jun 2026 12:20:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1781007602; bh=/tfFdcva0pP5JR7/jYd9aZjhTXhNOriwNac8B/dyDDo=; h=From:To:Subject:Date:In-Reply-To:References; b=JBJVsxlZb2E2yOHULlWUdyXRlv9Lg9h+z8QC14tFnXgSRm8G6hBmXdrzbGbF2//gT PPOdMBQwzXu1Q721qniSHkZkkR7rCbFD1WKL0aSSiVvfmSLY+2SZFjf/z+hP1RjrjE gF2jogNSPwJkgImgmnCijo2mG/Xinq58yK5R6QDPLsWoccLK0HQWEHHp1m7R2wbIl8 p6cHoXMqGULPfwHeGLFZw7srF1V9RVMofzkRFthAK+x/4DM/rTxddVpAwBXItsyrBp bE4mkbbMsw9MKpJni0uL91biFkUFjQQg4KDu2dpQpEPEesBo9mR3J8fw/7aDYl/INv ymGUI43qwTbmg== From: Lee Jones To: lee@kernel.org, Ping Cheng , Jason Gerecke , Jiri Kosina , Benjamin Tissoires , Dmitry Torokhov , Peter Hutterer , linux-input@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v3 2/4] HID: wacom: Fix Use-After-Free in wacom_bamboo_pad Date: Tue, 9 Jun 2026 13:13:38 +0100 Message-ID: <20260609121353.3743782-2-lee@kernel.org> X-Mailer: git-send-email 2.54.0.1099.g489fc7bff1-goog In-Reply-To: <20260609121353.3743782-1-lee@kernel.org> References: <20260609121353.3743782-1-lee@kernel.org> Precedence: bulk X-Mailing-List: linux-input@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit wacom_bamboo_pad_pen_event() accesses wacom->shared->pen locklessly relative to wacom_remove_shared_data() which nullifies it. This can lead to a Use-After-Free if the sibling device is removed while events are being processed. Resolve this by introducing RCU protection for pen and touch pointers: - Annotate 'pen' and 'touch' in wacom_shared struct with __rcu. - Wrap lockless readers in wacom_bamboo_pad_pen_event() with rcu_read_lock() and rcu_dereference(). - Update writers in wacom_sys.c using rcu_assign_pointer(). - Use rcu_dereference_protected for comparisons under wacom_udev_list_lock. - Also use rcu_access_pointer in wacom_mode_change_work() to avoid warnings (while lockless access there remains a pre-existing issue). Fixes: 8c97a765467c ("HID: wacom: add full support of the Wacom Bamboo PAD") Signed-off-by: Lee Jones --- v1 -> v2: Split and use RCU as per Dmitry's review v2 -> v3: Sashiko fixes drivers/hid/wacom_sys.c | 36 +++++++++++++++++++++++++----------- drivers/hid/wacom_wac.c | 14 +++++++------- drivers/hid/wacom_wac.h | 4 ++-- 3 files changed, 34 insertions(+), 20 deletions(-) diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c index 7ba589826548..9b352027aa98 100644 --- a/drivers/hid/wacom_sys.c +++ b/drivers/hid/wacom_sys.c @@ -878,11 +878,18 @@ static void wacom_remove_shared_data(void *res) shared); scoped_guard(mutex, &wacom_udev_list_lock) { - if (wacom_wac->shared->touch == wacom->hdev) { - wacom_wac->shared->touch = NULL; + struct hid_device *touch = + rcu_dereference_protected(wacom_wac->shared->touch, + lockdep_is_held(&wacom_udev_list_lock)); + struct hid_device *pen = + rcu_dereference_protected(wacom_wac->shared->pen, + lockdep_is_held(&wacom_udev_list_lock)); + + if (touch == wacom->hdev) { + rcu_assign_pointer(wacom_wac->shared->touch, NULL); rcu_assign_pointer(wacom_wac->shared->touch_input, NULL); - } else if (wacom_wac->shared->pen == wacom->hdev) { - wacom_wac->shared->pen = NULL; + } else if (pen == wacom->hdev) { + rcu_assign_pointer(wacom_wac->shared->pen, NULL); } } @@ -916,9 +923,9 @@ static int wacom_add_shared_data(struct hid_device *hdev) } if (wacom_wac->features.device_type & WACOM_DEVICETYPE_TOUCH) - data->shared.touch = hdev; + rcu_assign_pointer(data->shared.touch, hdev); else if (wacom_wac->features.device_type & WACOM_DEVICETYPE_PEN) - data->shared.pen = hdev; + rcu_assign_pointer(data->shared.pen, hdev); mutex_unlock(&wacom_udev_list_lock); @@ -2356,7 +2363,11 @@ static void wacom_set_shared_values(struct wacom_wac *wacom_wac) mutex_lock(&wacom_udev_list_lock); if (wacom_wac->features.device_type & WACOM_DEVICETYPE_TOUCH) { - if (wacom_wac->shared->touch == wacom->hdev) { + struct hid_device *touch = + rcu_dereference_protected(wacom_wac->shared->touch, + lockdep_is_held(&wacom_udev_list_lock)); + + if (touch == wacom->hdev) { wacom_wac->shared->type = wacom_wac->features.type; rcu_assign_pointer(wacom_wac->shared->touch_input, wacom_wac->touch_input); } @@ -2797,16 +2808,19 @@ static void wacom_mode_change_work(struct work_struct *work) bool is_direct = wacom->wacom_wac.is_direct_mode; int error = 0; - if (shared->pen) { - wacom1 = hid_get_drvdata(shared->pen); + struct hid_device *pen = rcu_access_pointer(shared->pen); + struct hid_device *touch = rcu_access_pointer(shared->touch); + + if (pen) { + wacom1 = hid_get_drvdata(pen); wacom_release_resources(wacom1); hid_hw_stop(wacom1->hdev); wacom1->wacom_wac.has_mode_change = true; wacom1->wacom_wac.is_direct_mode = is_direct; } - if (shared->touch) { - wacom2 = hid_get_drvdata(shared->touch); + if (touch) { + wacom2 = hid_get_drvdata(touch); wacom_release_resources(wacom2); hid_hw_stop(wacom2->hdev); wacom2->wacom_wac.has_mode_change = true; diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c index 495960227b8d..32d6f1dfb001 100644 --- a/drivers/hid/wacom_wac.c +++ b/drivers/hid/wacom_wac.c @@ -3296,6 +3296,7 @@ static int wacom_bpt_irq(struct wacom_wac *wacom, size_t len) static void wacom_bamboo_pad_pen_event(struct wacom_wac *wacom, unsigned char *data) { + struct hid_device *pen; unsigned char prefix; /* @@ -3308,13 +3309,12 @@ static void wacom_bamboo_pad_pen_event(struct wacom_wac *wacom, prefix = data[0]; data[0] = WACOM_REPORT_BPAD_PEN; - /* - * actually reroute the event. - * No need to check if wacom->shared->pen is valid, hid_input_report() - * will check for us. - */ - hid_input_report(wacom->shared->pen, HID_INPUT_REPORT, data, - WACOM_PKGLEN_PENABLED, 1); + rcu_read_lock(); + pen = rcu_dereference(wacom->shared->pen); + if (pen) + hid_input_report(pen, HID_INPUT_REPORT, data, + WACOM_PKGLEN_PENABLED, 1); + rcu_read_unlock(); data[0] = prefix; } diff --git a/drivers/hid/wacom_wac.h b/drivers/hid/wacom_wac.h index a8bbba4a6f37..170d6adbe02a 100644 --- a/drivers/hid/wacom_wac.h +++ b/drivers/hid/wacom_wac.h @@ -286,8 +286,8 @@ struct wacom_shared { unsigned touch_max; int type; struct input_dev __rcu *touch_input; - struct hid_device *pen; - struct hid_device *touch; + struct hid_device __rcu *pen; + struct hid_device __rcu *touch; bool has_mute_touch_switch; bool is_touch_on; }; -- 2.54.0.1099.g489fc7bff1-goog