This is a note to let you know that I've just added the patch titled

    HID: wacom: Avoid using stale array indicies to read contact count

to the 5.16-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    hid-wacom-avoid-using-stale-array-indicies-to-read-contact-count.patch
and it can be found in the queue-5.16 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it.

From 20f3cf5f860f9f267a6a6e5642d3d0525edb1814 Mon Sep 17 00:00:00 2001
From: Jason Gerecke <killertofu@xxxxxxxxx>
Date: Tue, 18 Jan 2022 14:38:41 -0800
Subject: HID: wacom: Avoid using stale array indicies to read contact count

From: Jason Gerecke <killertofu@xxxxxxxxx>

commit 20f3cf5f860f9f267a6a6e5642d3d0525edb1814 upstream.

If we ever see a touch report with contact count data we initialize several variables used to read the contact count in the pre-report phase. These variables are never reset if we process a report which doesn't contain a contact count, however. This can cause the pre-report function to trigger a read of arbitrary memory (e.g. NULL if we're lucky) and potentially crash the driver.

This commit restores resetting of the variables back to default "none" values that were used prior to the commit mentioned below.

Link: https://github.com/linuxwacom/input-wacom/issues/276
Fixes: 003f50ab673c (HID: wacom: Update last_slot_field during pre_report phase)
CC: stable@xxxxxxxxxxxxxxx
Signed-off-by: Jason Gerecke <jason.gerecke@xxxxxxxxx>
Reviewed-by: Ping Cheng <ping.cheng@xxxxxxxxx>
Signed-off-by: Jiri Kosina <jkosina@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
--- drivers/hid/wacom_wac.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/drivers/hid/wacom_wac.c +++ b/drivers/hid/wacom_wac.c
@@ -2682,6 +2682,10 @@ static void wacom_wac_finger_pre_report( hid_data->confidence = true; + hid_data->cc_report = 0; + hid_data->cc_index = -1; + hid_data->cc_value_index = -1; + for (i = 0; i < report->maxfield; i++) { struct hid_field *field = report->field[i]; int j; Patches currently in stable-queue which might be from killertofu@xxxxxxxxx are queue-5.16/hid-wacom-reset-expected-and-received-contact-counts-at-the-same-time.patch queue-5.16/hid-wacom-ignore-the-confidence-flag-when-a-touch-is-removed.patch queue-5.16/hid-wacom-avoid-using-stale-array-indicies-to-read-contact-count.patch
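
Review bot: The three resets added ahead of the `for (i = 0; i < report->maxfield; i++)` loop in wacom_wac_finger_pre_report() have no comment saying that `cc_report = 0` and the two `-1` indices are the "this report has no contact count" sentinels, and the safety of the fix depends on that meaning. A one-line comment above the block would stop a later cleanup from dropping it as redundant initialisation. The code that later uses `cc_index` and `cc_value_index` to read the contact count is not visible in this hunk, so it is worth confirming on the 5.16 backport that it tests both for `>= 0` before indexing; with a `-1` sentinel, an unchecked use becomes a negative array index rather than a stale one.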