Date: Wed, 27 May 2026 12:18:15 -0700
From: Dmitry Torokhov
To: Lee Jones
Cc: Ping Cheng, Jason Gerecke, Jiri Kosina, Benjamin Tissoires, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/1] HID: wacom: Fix multiple Use-After-Free issues in shared state
In-Reply-To: <20260527140731.642783-1-lee@kernel.org>

Hi Lee,

On Wed, May 27, 2026 at 03:07:30PM +0100, Lee Jones wrote:
> The Wacom driver coordinates state between sibling interfaces of the same
> physical device (like Pen, Touch, Pad) using a shared structure
> 'wacom_shared' inside 'wacom_hdev_data'. The driver kept a volatile
> representative pointer 'data->dev' pointing to a sibling 'hid_device'
> for physical path comparisons during sibling matching.
>
> This pointer management is fragile. When the representative device is
> disconnected, wacom_remove_shared_data() failed to clear/update
> 'data->dev' or wacom_wac->shared->touch_input, leading to two Use-After-Free
> vulnerabilities:
>
> 1. dangling 'touch_input' dereferenced during touch switch sync.
> 2. dangling 'data->dev' dereferenced during subsequent sibling probes.
>
> Instead of adding complex pointer handover logic to keep 'data->dev'
> updated (which has logic gaps with Pad siblings and introduces race
> conditions), completely eliminate the 'data->dev' pointer.
>
> Redesign 'wacom_hdev_data' to store stable static copies of the required
> representative attributes when it is first allocated:
>
> - Copy 'phys' path string (stored in data->phys) for stable path comparison.
> - Copy 'vendor' and 'product' IDs.

This I think makes sense.

> - Copy and accumulate 'device_type' capabilities as siblings are probed.

This (accumulation) I am unconvinced is safe. In any case I think it should
be a separate patch as it may change the behavior.

>
> Also explicitly clear 'touch_input = NULL' in wacom_remove_shared_data()
> under wacom_udev_list_lock to safely avoid the touch_input UAF.

The fix is incomplete and should be split out. It is not enough to take the
lock; you need to make sure you are not racing with URB/IRQ handling. Maybe
RCU can help here.

>
> This resolves all vulnerabilities permanently at the design level without
> complex pointer lifecycles or race-prone swaps on device removal.
>
> Fixes: 471d17148c8b ("Input: wacom - move the USB (now hid) Wacom driver in drivers/hid")

This is not the commit that introduced this behavior IIRC.

Thanks.

--
Dmitry
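Added example, not code from the patch or from the kernel's wacom driver: a userspace model of the shared-record redesign the commit message describes. The shared record keeps copies of the representative's phys path, vendor and product instead of a pointer to its hid_device, so sibling matching keeps working after the representative is removed, and removal clears touch_input when it pointed at the leaving device. The struct layouts, the "siblings share the phys path up to the /inputN suffix" rule and the vendor/product values are simplifying assumptions; the userspace model does not reproduce the URB/IRQ race raised in the reply, since nothing here runs concurrently.

```c
#include <stdlib.h>
#include <string.h>
struct hid_device {                 /* stand-in for the kernel's struct hid_device */
    char phys[32];                  /* constructed, e.g. "usb-0000:00:14.0-1/input0" */
    unsigned vendor, product;
};
struct hdev_data {                  /* models wacom_hdev_data after the patch */
    char phys[32];                  /* copied at allocation, so it outlives the representative */
    unsigned vendor, product;
    struct hid_device *touch_input; /* must be cleared when its device goes away */
    int refcount;
};
static struct hdev_data *shared_list[8]; static int shared_count;

/* Siblings share the phys path up to the "/inputN" suffix (simplifying assumption). */
static int is_sibling(const struct hdev_data *d, const struct hid_device *h)
{
    const char *a = strrchr(d->phys, '/'), *b = strrchr(h->phys, '/');
    size_t la = a ? (size_t)(a - d->phys) : strlen(d->phys);
    size_t lb = b ? (size_t)(b - h->phys) : strlen(h->phys);
    return la == lb && !strncmp(d->phys, h->phys, la) &&
           d->vendor == h->vendor && d->product == h->product;
}

/* Probe path: join an existing shared record, or allocate one holding copies. */
struct hdev_data *add_shared_data(struct hid_device *h)
{
    for (int i = 0; i < shared_count; i++)
        if (is_sibling(shared_list[i], h)) { shared_list[i]->refcount++; return shared_list[i]; }
    if (shared_count == 8) return NULL;
    struct hdev_data *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    strncpy(d->phys, h->phys, sizeof d->phys - 1);   /* stable copy, never a pointer to h */
    d->vendor = h->vendor; d->product = h->product; d->refcount = 1;
    shared_list[shared_count++] = d;
    return d;
}

/* Removal path: clear touch_input if it pointed at the leaving device, then drop the ref. */
void remove_shared_data(struct hdev_data *d, struct hid_device *h)
{
    if (d->touch_input == h) d->touch_input = NULL;
    if (--d->refcount == 0) {
        for (int i = 0; i < shared_count; i++)
            if (shared_list[i] == d) { shared_list[i] = shared_list[--shared_count]; break; }
        free(d);
    }
}
```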