From: sashiko-bot@kernel.org
To: "Bryam Vargas via B4 Relay"
<devnull+hexlabsecurity.proton.me@kernel.org>
Cc: linux-input@vger.kernel.org, dmitry.torokhov@gmail.com
Subject: Re: [PATCH 2/2] Input: synaptics-rmi4 - bound the F30 keymap to the GPIO/LED count
Date: Sun, 14 Jun 2026 05:50:01 +0000 [thread overview]
Message-ID: <20260614055001.B3D6D1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260614-b4-disp-818d6bda-v1-2-cf39a3615085@proton.me>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Unbinding the `rmi4_f30` driver leaves a dangling pointer in the shared input device's `keycode` field, leading to a Use-After-Free.
--
commit 251790cc33b0da19e8d0320efecb822396ad7b5f
Author: Bryam Vargas <hexlabsecurity@proton.me>
Input: synaptics-rmi4 - bound the F30 keymap to the GPIO/LED count
This commit fixes an out-of-bounds read and write issue in the F30
keymap handler. It allocates the keymap based on the full reported
GPIO/LED count rather than capping the allocation at 6 entries.
> diff --git a/drivers/input/rmi4/rmi_f30.c b/drivers/input/rmi4/rmi_f30.c
> --- a/drivers/input/rmi4/rmi_f30.c
> +++ b/drivers/input/rmi4/rmi_f30.c
> @@ -233,7 +233,7 @@ static int rmi_f30_map_gpios(struct rmi_function *fn,
> int button_count = min_t(u8, f30->gpioled_count, TRACKSTICK_RANGE_END);
>
> f30->gpioled_key_map = devm_kcalloc(&fn->dev,
> - button_count,
> + f30->gpioled_count,
> sizeof(f30->gpioled_key_map[0]),
> GFP_KERNEL);
[Severity: High]
This is a pre-existing issue, but since we are modifying this allocation,
can this lead to a use-after-free when the driver is unbound?
The memory for f30->gpioled_key_map is managed by the function subdevice
using fn->dev. Later in rmi_f30_map_gpios(), this pointer is assigned to the
shared input device's keycode field:
input->keycode = f30->gpioled_key_map;
Since the shared input device is attached to the parent RMI device, it can
outlive the function subdevice. If userspace unbinds the rmi4_f30 driver
via sysfs (because the driver lacks a remove callback and does not set
suppress_bind_attrs), devres will free f30->gpioled_key_map while
the input device remains registered.
Would a subsequent ioctl like EVIOCGKEYCODE or EVIOCSKEYCODE access this
freed input->keycode memory?
Does this also cause a race condition during device unplug, since the
function devices are unbound before the input device is unregistered?
> if (!f30->gpioled_key_map) {
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260614-b4-disp-818d6bda-v1-0-cf39a3615085@proton.me?part=2
next prev parent reply other threads:[~2026-06-14 5:50 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-14 5:36 [PATCH 0/2] (no cover subject) Bryam Vargas
2026-06-14 5:36 ` Bryam Vargas via B4 Relay
2026-06-14 5:36 ` [PATCH 1/2] Input: synaptics-rmi4 - bound the F3A keymap to the GPIO count Bryam Vargas
2026-06-14 5:36 ` Bryam Vargas via B4 Relay
2026-06-14 5:51 ` sashiko-bot
2026-06-14 5:36 ` [PATCH 2/2] Input: synaptics-rmi4 - bound the F30 keymap to the GPIO/LED count Bryam Vargas
2026-06-14 5:36 ` Bryam Vargas via B4 Relay
2026-06-14 5:50 ` sashiko-bot [this message]
2026-06-26 0:47 ` [PATCH 0/2] (no cover subject) Dmitry Torokhov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260614055001.B3D6D1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=devnull+hexlabsecurity.proton.me@kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-input@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.