[bug report] HID: wacom: Introduce new 'touch_input' device

[bug report] HID: wacom: Introduce new 'touch_input' device

[Dan Carpenter]

Hello Jason Gerecke,

This is a semi-automatic email about new static checker warnings.

The patch 2a6cdbdd4cc0: "HID: wacom: Introduce new 'touch_input' 
device" from Jun 15, 2015, leads to the following Smatch complaint:

drivers/hid/wacom_wac.c:1586 wacom_tpc_irq()
	 error: we previously assumed 'wacom->touch_input' could be null (see line 1577)

drivers/hid/wacom_wac.c
  1576				"%s: received report #%d\n", __func__, data[0]);
  1577		else if (wacom->touch_input)
                         ^^^^^^^^^^^^^^^^^^
Patch adds new check for NULL.

  1578			dev_dbg(wacom->touch_input->dev.parent,
  1579				"%s: received report #%d\n", __func__, data[0]);
  1580	
  1581		switch (len) {
  1582		case WACOM_PKGLEN_TPC1FG:
  1583			return wacom_tpc_single_touch(wacom, len);
  1584	
  1585		case WACOM_PKGLEN_TPC2FG:
  1586			return wacom_tpc_mt_touch(wacom);
                                                  ^^^^^
Not checked inside this function call.

  1587	
  1588		case WACOM_PKGLEN_PENABLED:

regards,
dan carpenter

[PATCH] HID: wacom: Have wacom_tpc_irq guard against possible NULL dereference

[Jason Gerecke]

The following Smatch complaint was generated in response to commit
2a6cdbd ("HID: wacom: Introduce new 'touch_input' device"):

    drivers/hid/wacom_wac.c:1586 wacom_tpc_irq()
             error: we previously assumed 'wacom->touch_input' could be null (see line 1577)

The 'touch_input' and 'pen_input' variables point to the 'struct input_dev'
used for relaying touch and pen events to userspace, respectively. If a
device does not have a touch interface or pen interface, the associated
input variable is NULL. The 'wacom_tpc_irq()' function is responsible for
forwarding input reports to a more-specific IRQ handler function. An
unknown report could theoretically be mistaken as e.g. a touch report
on a device which does not have a touch interface. This can be prevented
by only calling the pen/touch functions are called when the pen/touch
pointers are valid.

Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
---
 drivers/hid/wacom_wac.c | 45 +++++++++++++++++++++++----------------------
 1 file changed, 23 insertions(+), 22 deletions(-)

diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
index 6b8f6b816195..b963499e3351 100644
--- a/drivers/hid/wacom_wac.c
+++ b/drivers/hid/wacom_wac.c
@@ -1571,37 +1571,38 @@ static int wacom_tpc_irq(struct wacom_wac *wacom, size_t len)
 {
 	unsigned char *data = wacom->data;
 
-	if (wacom->pen_input)
+	if (wacom->pen_input) {
 		dev_dbg(wacom->pen_input->dev.parent,
 			"%s: received report #%d\n", __func__, data[0]);
-	else if (wacom->touch_input)
+
+		if (len == WACOM_PKGLEN_PENABLED ||
+		    data[0] == WACOM_REPORT_PENABLED)
+			return wacom_tpc_pen(wacom);
+	}
+	else if (wacom->touch_input) {
 		dev_dbg(wacom->touch_input->dev.parent,
 			"%s: received report #%d\n", __func__, data[0]);
 
-	switch (len) {
-	case WACOM_PKGLEN_TPC1FG:
-		return wacom_tpc_single_touch(wacom, len);
+		switch (len) {
+		case WACOM_PKGLEN_TPC1FG:
+			return wacom_tpc_single_touch(wacom, len);
 
-	case WACOM_PKGLEN_TPC2FG:
-		return wacom_tpc_mt_touch(wacom);
+		case WACOM_PKGLEN_TPC2FG:
+			return wacom_tpc_mt_touch(wacom);
 
-	case WACOM_PKGLEN_PENABLED:
-		return wacom_tpc_pen(wacom);
+		default:
+			switch (data[0]) {
+			case WACOM_REPORT_TPC1FG:
+			case WACOM_REPORT_TPCHID:
+			case WACOM_REPORT_TPCST:
+			case WACOM_REPORT_TPC1FGE:
+				return wacom_tpc_single_touch(wacom, len);
 
-	default:
-		switch (data[0]) {
-		case WACOM_REPORT_TPC1FG:
-		case WACOM_REPORT_TPCHID:
-		case WACOM_REPORT_TPCST:
-		case WACOM_REPORT_TPC1FGE:
-			return wacom_tpc_single_touch(wacom, len);
-
-		case WACOM_REPORT_TPCMT:
-		case WACOM_REPORT_TPCMT2:
-			return wacom_mt_touch(wacom);
+			case WACOM_REPORT_TPCMT:
+			case WACOM_REPORT_TPCMT2:
+				return wacom_mt_touch(wacom);
 
-		case WACOM_REPORT_PENABLED:
-			return wacom_tpc_pen(wacom);
+			}
 		}
 	}
 
-- 
2.12.2

Re: [PATCH] HID: wacom: Have wacom_tpc_irq guard against possible NULL dereference

[Ping Cheng]

On Tuesday, April 25, 2017, Jason Gerecke <killertofu@gmail.com> wrote:
>
> The following Smatch complaint was generated in response to commit
> 2a6cdbd ("HID: wacom: Introduce new 'touch_input' device"):
>
>     drivers/hid/wacom_wac.c:1586 wacom_tpc_irq()
>              error: we previously assumed 'wacom->touch_input' could be null (see line 1577)
>
> The 'touch_input' and 'pen_input' variables point to the 'struct input_dev'
> used for relaying touch and pen events to userspace, respectively. If a
> device does not have a touch interface or pen interface, the associated
> input variable is NULL. The 'wacom_tpc_irq()' function is responsible for
> forwarding input reports to a more-specific IRQ handler function. An
> unknown report could theoretically be mistaken as e.g. a touch report
> on a device which does not have a touch interface. This can be prevented
> by only calling the pen/touch functions are called when the pen/touch
> pointers are valid.
>
> Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>

Reviewed-by: Ping Cheng <ping.cheng@wacom.com>

Looks good to me.

Cheers,
Ping

>
> ---
>  drivers/hid/wacom_wac.c | 45 +++++++++++++++++++++++----------------------
>  1 file changed, 23 insertions(+), 22 deletions(-)
>
> diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
> index 6b8f6b816195..b963499e3351 100644
> --- a/drivers/hid/wacom_wac.c
> +++ b/drivers/hid/wacom_wac.c
> @@ -1571,37 +1571,38 @@ static int wacom_tpc_irq(struct wacom_wac *wacom, size_t len)
>  {
>         unsigned char *data = wacom->data;
>
> -       if (wacom->pen_input)
> +       if (wacom->pen_input) {
>                 dev_dbg(wacom->pen_input->dev.parent,
>                         "%s: received report #%d\n", __func__, data[0]);
> -       else if (wacom->touch_input)
> +
> +               if (len == WACOM_PKGLEN_PENABLED ||
> +                   data[0] == WACOM_REPORT_PENABLED)
> +                       return wacom_tpc_pen(wacom);
> +       }
> +       else if (wacom->touch_input) {
>                 dev_dbg(wacom->touch_input->dev.parent,
>                         "%s: received report #%d\n", __func__, data[0]);
>
> -       switch (len) {
> -       case WACOM_PKGLEN_TPC1FG:
> -               return wacom_tpc_single_touch(wacom, len);
> +               switch (len) {
> +               case WACOM_PKGLEN_TPC1FG:
> +                       return wacom_tpc_single_touch(wacom, len);
>
> -       case WACOM_PKGLEN_TPC2FG:
> -               return wacom_tpc_mt_touch(wacom);
> +               case WACOM_PKGLEN_TPC2FG:
> +                       return wacom_tpc_mt_touch(wacom);
>
> -       case WACOM_PKGLEN_PENABLED:
> -               return wacom_tpc_pen(wacom);
> +               default:
> +                       switch (data[0]) {
> +                       case WACOM_REPORT_TPC1FG:
> +                       case WACOM_REPORT_TPCHID:
> +                       case WACOM_REPORT_TPCST:
> +                       case WACOM_REPORT_TPC1FGE:
> +                               return wacom_tpc_single_touch(wacom, len);
>
> -       default:
> -               switch (data[0]) {
> -               case WACOM_REPORT_TPC1FG:
> -               case WACOM_REPORT_TPCHID:
> -               case WACOM_REPORT_TPCST:
> -               case WACOM_REPORT_TPC1FGE:
> -                       return wacom_tpc_single_touch(wacom, len);
> -
> -               case WACOM_REPORT_TPCMT:
> -               case WACOM_REPORT_TPCMT2:
> -                       return wacom_mt_touch(wacom);
> +                       case WACOM_REPORT_TPCMT:
> +                       case WACOM_REPORT_TPCMT2:
> +                               return wacom_mt_touch(wacom);
>
> -               case WACOM_REPORT_PENABLED:
> -                       return wacom_tpc_pen(wacom);
> +                       }
>                 }
>         }
>
> --
> 2.12.2
>

Re: [PATCH] HID: wacom: Have wacom_tpc_irq guard against possible NULL dereference

[Jason Gerecke]

Just making sure this doesn't get lost in the cracks.

Jason
---
Now instead of four in the eights place /
you’ve got three, ‘Cause you added one  /
(That is to say, eight) to the two,     /
But you can’t take seven from three,    /
So you look at the sixty-fours....



On Tue, Apr 25, 2017 at 1:56 PM, Ping Cheng <pinglinux@gmail.com> wrote:
> On Tuesday, April 25, 2017, Jason Gerecke <killertofu@gmail.com> wrote:
>>
>> The following Smatch complaint was generated in response to commit
>> 2a6cdbd ("HID: wacom: Introduce new 'touch_input' device"):
>>
>>     drivers/hid/wacom_wac.c:1586 wacom_tpc_irq()
>>              error: we previously assumed 'wacom->touch_input' could be null (see line 1577)
>>
>> The 'touch_input' and 'pen_input' variables point to the 'struct input_dev'
>> used for relaying touch and pen events to userspace, respectively. If a
>> device does not have a touch interface or pen interface, the associated
>> input variable is NULL. The 'wacom_tpc_irq()' function is responsible for
>> forwarding input reports to a more-specific IRQ handler function. An
>> unknown report could theoretically be mistaken as e.g. a touch report
>> on a device which does not have a touch interface. This can be prevented
>> by only calling the pen/touch functions are called when the pen/touch
>> pointers are valid.
>>
>> Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
>
> Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
>
> Looks good to me.
>
> Cheers,
> Ping
>
>>
>> ---
>>  drivers/hid/wacom_wac.c | 45 +++++++++++++++++++++++----------------------
>>  1 file changed, 23 insertions(+), 22 deletions(-)
>>
>> diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
>> index 6b8f6b816195..b963499e3351 100644
>> --- a/drivers/hid/wacom_wac.c
>> +++ b/drivers/hid/wacom_wac.c
>> @@ -1571,37 +1571,38 @@ static int wacom_tpc_irq(struct wacom_wac *wacom, size_t len)
>>  {
>>         unsigned char *data = wacom->data;
>>
>> -       if (wacom->pen_input)
>> +       if (wacom->pen_input) {
>>                 dev_dbg(wacom->pen_input->dev.parent,
>>                         "%s: received report #%d\n", __func__, data[0]);
>> -       else if (wacom->touch_input)
>> +
>> +               if (len == WACOM_PKGLEN_PENABLED ||
>> +                   data[0] == WACOM_REPORT_PENABLED)
>> +                       return wacom_tpc_pen(wacom);
>> +       }
>> +       else if (wacom->touch_input) {
>>                 dev_dbg(wacom->touch_input->dev.parent,
>>                         "%s: received report #%d\n", __func__, data[0]);
>>
>> -       switch (len) {
>> -       case WACOM_PKGLEN_TPC1FG:
>> -               return wacom_tpc_single_touch(wacom, len);
>> +               switch (len) {
>> +               case WACOM_PKGLEN_TPC1FG:
>> +                       return wacom_tpc_single_touch(wacom, len);
>>
>> -       case WACOM_PKGLEN_TPC2FG:
>> -               return wacom_tpc_mt_touch(wacom);
>> +               case WACOM_PKGLEN_TPC2FG:
>> +                       return wacom_tpc_mt_touch(wacom);
>>
>> -       case WACOM_PKGLEN_PENABLED:
>> -               return wacom_tpc_pen(wacom);
>> +               default:
>> +                       switch (data[0]) {
>> +                       case WACOM_REPORT_TPC1FG:
>> +                       case WACOM_REPORT_TPCHID:
>> +                       case WACOM_REPORT_TPCST:
>> +                       case WACOM_REPORT_TPC1FGE:
>> +                               return wacom_tpc_single_touch(wacom, len);
>>
>> -       default:
>> -               switch (data[0]) {
>> -               case WACOM_REPORT_TPC1FG:
>> -               case WACOM_REPORT_TPCHID:
>> -               case WACOM_REPORT_TPCST:
>> -               case WACOM_REPORT_TPC1FGE:
>> -                       return wacom_tpc_single_touch(wacom, len);
>> -
>> -               case WACOM_REPORT_TPCMT:
>> -               case WACOM_REPORT_TPCMT2:
>> -                       return wacom_mt_touch(wacom);
>> +                       case WACOM_REPORT_TPCMT:
>> +                       case WACOM_REPORT_TPCMT2:
>> +                               return wacom_mt_touch(wacom);
>>
>> -               case WACOM_REPORT_PENABLED:
>> -                       return wacom_tpc_pen(wacom);
>> +                       }
>>                 }
>>         }
>>
>> --
>> 2.12.2
>>

Re: [PATCH] HID: wacom: Have wacom_tpc_irq guard against possible NULL dereference

[Jiri Kosina]

On Tue, 2 May 2017, Jason Gerecke wrote:

> Just making sure this doesn't get lost in the cracks.

I will definitely be picking it up for 4.12-rc.

I believe you wanted to add Fixes: tag and -stable inclusion anotation as 
well.

Thanks,

-- 
Jiri Kosina
SUSE Labs

Re: [PATCH] HID: wacom: Have wacom_tpc_irq guard against possible NULL dereference

[Jiri Kosina]

On Tue, 25 Apr 2017, Jason Gerecke wrote:

> The following Smatch complaint was generated in response to commit
> 2a6cdbd ("HID: wacom: Introduce new 'touch_input' device"):
> 
>     drivers/hid/wacom_wac.c:1586 wacom_tpc_irq()
>              error: we previously assumed 'wacom->touch_input' could be null (see line 1577)
> 
> The 'touch_input' and 'pen_input' variables point to the 'struct input_dev'
> used for relaying touch and pen events to userspace, respectively. If a
> device does not have a touch interface or pen interface, the associated
> input variable is NULL. The 'wacom_tpc_irq()' function is responsible for
> forwarding input reports to a more-specific IRQ handler function. An
> unknown report could theoretically be mistaken as e.g. a touch report
> on a device which does not have a touch interface. This can be prevented
> by only calling the pen/touch functions are called when the pen/touch
> pointers are valid.
> 
> Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>

Applied to for-4.12/upstream-fixes branch with these tags:

    Fixes: 2a6cdbd ("HID: wacom: Introduce new 'touch_input' device")
    Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
    Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
    Cc: stable@vger.kernel.org

-- 
Jiri Kosina
SUSE Labs