| Message ID | 20250329002003.36600-1-qasdev00@gmail.com (mailing list archive) |
|---|---|
| State | New |
| Delegated to: | Jiri Kosina |
| Headers | show |
| Series | HID: wacom: handle kzalloc() allocation failure in wacom_wac_queue_flush() | expand |
… > from the fifo via kfifo_out(). However it does not > check kzalloc() for allocation failure which returns > NULL and could potentially lead to a NULL deref. … pointer dereference? I imagine that word wrapping can occasionally become a bit nicer for text lines which may be longer than 52 characters. Regards, Markus
On Fri, Mar 28, 2025 at 5:20 PM Qasim Ijaz <qasdev00@gmail.com> wrote: > > During wacom_wac_queue_flush() the code calls > kzalloc() to allocate a zero initialised buffer > which it uses as a storage buffer to get data > from the fifo via kfifo_out(). However it does not > check kzalloc() for allocation failure which returns > NULL and could potentially lead to a NULL deref. > > Fix this by checking for kzalloc() failure and skipping > the current entry if allocation failure occurs. > > Fixes: 5e013ad20689 ("HID: wacom: Remove static WACOM_PKGLEN_MAX limit") > Signed-off-by: Qasim Ijaz <qasdev00@gmail.com> > --- > drivers/hid/wacom_sys.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c > index 97393a3083ca..666b7eb0fdfe 100644 > --- a/drivers/hid/wacom_sys.c > +++ b/drivers/hid/wacom_sys.c > @@ -70,10 +70,16 @@ static void wacom_wac_queue_flush(struct hid_device *hdev, > { > while (!kfifo_is_empty(fifo)) { > int size = kfifo_peek_len(fifo); > - u8 *buf = kzalloc(size, GFP_KERNEL); > + u8 *buf; > unsigned int count; > int err; > > + buf = kzalloc(size, GFP_KERNEL); > + if (!buf) { > + kfifo_skip(fifo); > + continue; > + } > + > count = kfifo_out(fifo, buf, size); > if (count != size) { > // Hard to say what is the "right" action in this > -- > 2.39.5 > > Patch looks good to me. With or without Markus' comments addressed, Reviewed-by: Jason Gerecke <jason.gerecke@wacom.com> Jason (she/they) --- Now instead of four in the eights place / you’ve got three, ‘Cause you added one / (That is to say, eight) to the two, / But you can’t take seven from three, / So you look at the sixty-fours....
diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c index 97393a3083ca..666b7eb0fdfe 100644 --- a/drivers/hid/wacom_sys.c +++ b/drivers/hid/wacom_sys.c @@ -70,10 +70,16 @@ static void wacom_wac_queue_flush(struct hid_device *hdev, { while (!kfifo_is_empty(fifo)) { int size = kfifo_peek_len(fifo); - u8 *buf = kzalloc(size, GFP_KERNEL); + u8 *buf; unsigned int count; int err; + buf = kzalloc(size, GFP_KERNEL); + if (!buf) { + kfifo_skip(fifo); + continue; + } + count = kfifo_out(fifo, buf, size); if (count != size) { // Hard to say what is the "right" action in this
During wacom_wac_queue_flush() the code calls kzalloc() to allocate a zero initialised buffer which it uses as a storage buffer to get data from the fifo via kfifo_out(). However it does not check kzalloc() for allocation failure which returns NULL and could potentially lead to a NULL deref. Fix this by checking for kzalloc() failure and skipping the current entry if allocation failure occurs. Fixes: 5e013ad20689 ("HID: wacom: Remove static WACOM_PKGLEN_MAX limit") Signed-off-by: Qasim Ijaz <qasdev00@gmail.com> --- drivers/hid/wacom_sys.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)