From: Guangshuo Li
To: Dmitry Torokhov, Guangshuo Li, Kees Cook, Peter Hutterer, Benjamin Tissoires, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] Input: wacom_w8001 - avoid double release of pen input device
Date: Thu, 30 Apr 2026 15:13:11 +0800
Message-ID: <20260430071311.451957-1-lgs201920130244@gmail.com>

When registering the touch input device fails after the pen input device
has already been registered, w8001_connect() jumps to fail4 and
unregisters w8001->pen_dev. It then falls through to fail1 where
input_dev_pen is passed to input_free_device().

Once input_register_device() has succeeded, the device must be released
with input_unregister_device(), and input_free_device() must not be used
on the same object afterwards. Since input_dev_pen still aliases
w8001->pen_dev, this can result in a use-after-free or kref underflow.

Clear the local and container aliases after unregistering the pen device
so that the common cleanup path does not try to free it again.

This issue was found by a static analysis tool I am developing.

Fixes: e0361b70175f0 ("Input: wacom_w8001 - split the touch and pen devices into two devices")
Signed-off-by: Guangshuo Li
Reviewed-by: Benjamin Tissoires
Reviewed-by: Peter Hutterer
---
 drivers/input/touchscreen/wacom_w8001.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/input/touchscreen/wacom_w8001.c b/drivers/input/touchs= creen/wacom_w8001.c index 45930d731873..a3b283c59cdd 100644 --- a/drivers/input/touchscreen/wacom_w8001.c +++ b/drivers/input/touchscreen/wacom_w8001.c @@ -665,8 +665,11 @@ static int w8001_connect(struct serio *serio, struct s= erio_driver *drv) return 0; =20 fail4: - if (w8001->pen_dev) + if (w8001->pen_dev) { input_unregister_device(w8001->pen_dev); + input_dev_pen =3D NULL; + w8001->pen_dev =3D NULL; + } fail3: serio_close(serio); fail2: --=20 2.43.0
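
Review bot: In the fail4 block, w8001->pen_dev is set to NULL before serio_close(serio) runs at fail3, so the port is still open when the pointer is cleared; please confirm that nothing on the receive path can dereference w8001->pen_dev in that window, or state in the commit message why it cannot. The two new assignments would also benefit from a one-line comment saying that input_dev_pen is cleared because the common cleanup at fail1 passes it to input_free_device(), since that dependency between the labels is not visible at fail4 itself.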