Re: [PATCH v3 2/4] HID: wacom: Fix Use-After-Free in wacom_bamboo_pad

Next message: Laurent Pinchart: "Re: [PATCH v2 2/5] dt-bindings: display: bridge: Document Renesas R-Car V4H DSC bindings"
Previous message: Reinette Chatre: "Re: [PATCH v5 00/11] x86,fs/resctrl: Fix long-standing issues"
In reply to: Lee Jones: "[PATCH v3 2/4] HID: wacom: Fix Use-After-Free in wacom_bamboo_pad"
Next in thread: Lee Jones: "Re: [PATCH v3 1/4] HID: wacom: Fix Use-After-Free in wacom_intuos_pad"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dmitry Torokhov

Date: Wed Jun 10 2026 - 19:18:07 EST

On Tue, Jun 09, 2026 at 01:13:38PM +0100, Lee Jones wrote:
> @@ -3308,13 +3309,12 @@ static void wacom_bamboo_pad_pen_event(struct wacom_wac *wacom,
> prefix = data[0];
> data[0] = WACOM_REPORT_BPAD_PEN;
>
> - /*
> - * actually reroute the event.
> - * No need to check if wacom->shared->pen is valid, hid_input_report()
> - * will check for us.
> - */
> - hid_input_report(wacom->shared->pen, HID_INPUT_REPORT, data,
> - WACOM_PKGLEN_PENABLED, 1);
> + rcu_read_lock();

Since the driver already uses guard notation we can use

guard(rcu)();

> + pen = rcu_dereference(wacom->shared->pen);
> + if (pen)
> + hid_input_report(pen, HID_INPUT_REPORT, data,
> + WACOM_PKGLEN_PENABLED, 1);
> + rcu_read_unlock();
>
> data[0] = prefix;
> }

Otherwise:

Reviewed-by: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>

Thanks.

--
Dmitry