From: Lee Jones <lee@kernel.org>
To: lee@kernel.org, Ping Cheng <ping.cheng@wacom.com>,
Jason Gerecke <jason.gerecke@wacom.com>,
Jiri Kosina <jikos@kernel.org>,
Benjamin Tissoires <bentiss@kernel.org>,
Peter Hutterer <peter.hutterer@who-t.net>,
Dmitry Torokhov <dmitry.torokhov@gmail.com>,
linux-input@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3 4/4] HID: wacom: Fix teardown order in wacom_mode_change_work
Date: Tue, 9 Jun 2026 13:13:40 +0100 [thread overview]
Message-ID: <20260609121353.3743782-4-lee@kernel.org> (raw)
In-Reply-To: <20260609121353.3743782-1-lee@kernel.org>
wacom_mode_change_work() called wacom_release_resources() before
hid_hw_stop(). wacom_release_resources() triggers devres cleanup
which calls wacom_remove_shared_data() to nullify wacom_wac->shared.
Since hid_hw_stop() was not called yet, hardware IRQs could still fire
and dereference the nullified wacom_wac->shared pointer, causing a crash.
Fix this by correcting the teardown order to call hid_hw_stop()
first, matching the order used in wacom_remove().
Fixes: 4082da80f46a ("HID: wacom: generic: add mode change touch key")
Signed-off-by: Lee Jones <lee@kernel.org>
---
v1 -> v2: Split and use RCU as per Dmitry's review
v2 -> v3: Sashiko fixes
drivers/hid/wacom_sys.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
index 1b019e3331b4..378dddbf7ec5 100644
--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -2835,16 +2835,16 @@ static void wacom_mode_change_work(struct work_struct *work)
if (pen) {
wacom1 = hid_get_drvdata(pen);
- wacom_release_resources(wacom1);
hid_hw_stop(wacom1->hdev);
+ wacom_release_resources(wacom1);
wacom1->wacom_wac.has_mode_change = true;
wacom1->wacom_wac.is_direct_mode = is_direct;
}
if (touch) {
wacom2 = hid_get_drvdata(touch);
- wacom_release_resources(wacom2);
hid_hw_stop(wacom2->hdev);
+ wacom_release_resources(wacom2);
wacom2->wacom_wac.has_mode_change = true;
wacom2->wacom_wac.is_direct_mode = is_direct;
}
--
2.54.0.1099.g489fc7bff1-goog
next prev parent reply other threads:[~2026-06-09 12:20 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-09 12:13 [PATCH v3 1/4] HID: wacom: Fix Use-After-Free in wacom_intuos_pad Lee Jones
2026-06-09 12:13 ` [PATCH v3 2/4] HID: wacom: Fix Use-After-Free in wacom_bamboo_pad Lee Jones
2026-06-09 12:33 ` sashiko-bot
2026-06-09 12:13 ` [PATCH v3 3/4] HID: wacom: Redesign shared sibling data lifecycle Lee Jones
2026-06-09 12:13 ` Lee Jones [this message]
2026-06-09 12:48 ` [PATCH v3 4/4] HID: wacom: Fix teardown order in wacom_mode_change_work sashiko-bot
2026-06-09 12:35 ` [PATCH v3 1/4] HID: wacom: Fix Use-After-Free in wacom_intuos_pad sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260609121353.3743782-4-lee@kernel.org \
--to=lee@kernel.org \
--cc=bentiss@kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=jason.gerecke@wacom.com \
--cc=jikos@kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=peter.hutterer@who-t.net \
--cc=ping.cheng@wacom.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox