From: sashiko-bot@kernel.org
To: "Guenter Roeck" <linux@roeck-us.net>
Cc: linux-hwmon@vger.kernel.org
Subject: Re: [PATCH 2/4] hwmon: (gigabyte_waterforce) Stop device IO before calling hid_hw_stop
Date: Wed, 08 Jul 2026 02:08:50 +0000 [thread overview]
Message-ID: <20260708020851.58A2D1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260708015806.213790-3-linux@roeck-us.net>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
New issues:
- [Medium] Unconditional invocation of `hid_device_io_stop()` in the probe error path triggers spurious kernel warnings on early failures and inverts the teardown order.
Pre-existing issues:
- [High] Missing bounds check on the `size` parameter in `waterforce_raw_event()` allows out-of-bounds memory reads.
- [High] Potential deadlock due to using `spin_lock_bh()` in process context while the same lock is acquired in hardware interrupt context.
- [High] Data race and unprotected multi-variable access between `waterforce_raw_event()` and `waterforce_read()`.
--
--- Patch [2]: [PATCH 2/4] hwmon: (gigabyte_waterforce) Stop device IO before calling hid_hw_stop ---
commit 5f26e64b65cc1e460573670ab5b05e083da3d241
Author: Guenter Roeck <linux@roeck-us.net>
hwmon: (gigabyte_waterforce) Stop device IO before calling hid_hw_stop
This commit fixes a use-after-free vulnerability by calling
hid_device_io_stop() before hid_hw_stop() in the probe error path.
> diff --git a/drivers/hwmon/gigabyte_waterforce.c b/drivers/hwmon/gigabyte_waterforce.c
> --- a/drivers/hwmon/gigabyte_waterforce.c
> +++ b/drivers/hwmon/gigabyte_waterforce.c
> @@ -381,6 +381,7 @@ static int waterforce_probe(struct hid_device *hdev, const struct hid_device_id
> fail_and_close:
> hid_hw_close(hdev);
> fail_and_stop:
> + hid_device_io_stop(hdev);
[Severity: Medium]
Will this unconditionally calling hid_device_io_stop() here trigger spurious
warnings on early failures?
If an early failure occurs, such as hid_hw_open() failing, the code jumps to
fail_and_stop. At this point, hid_device_io_start() has not been called, so
hdev->io_started is false, causing hid_device_io_stop() to emit a spurious
warning.
Also, for later failures that jump to fail_and_close, does this result in
an inverted teardown order by calling hid_hw_close() before
hid_device_io_stop()?
> hid_hw_stop(hdev);
> return ret;
> }
[Severity: High]
This is a pre-existing issue, but does waterforce_raw_event() lack a bounds
check on the size parameter?
In waterforce_raw_event():
if (data[0] == get_firmware_ver_cmd[0] && ...
and later:
priv->temp_input[0] = data[WATERFORCE_TEMP_SENSOR] * 1000;
If a malicious or malfunctioning HID device sends a short report, could
accessing data at WATERFORCE_TEMP_SENSOR result in an out-of-bounds memory
read?
[Severity: High]
This isn't a bug introduced by this patch, but is there a potential deadlock
between process context and hardware interrupt context?
waterforce_get_status() runs in process context and uses spin_lock_bh():
spin_lock_bh(&priv->status_report_request_lock);
while waterforce_raw_event() can execute in hardirq context and acquires
the same lock:
spin_lock(&priv->status_report_request_lock);
If waterforce_raw_event() is triggered by an interrupt on the same CPU
while waterforce_get_status() is holding the lock, will the interrupt
handler attempt to acquire the lock and spin forever?
[Severity: High]
This is a pre-existing issue, but does this code have a data race between
the interrupt handler and the sysfs read function?
waterforce_raw_event() executes asynchronously and updates sensor values
without a lock protecting the data arrays:
priv->speed_input[0] = get_unaligned_le16(data + WATERFORCE_FAN_SPEED);
priv->speed_input[1] = get_unaligned_le16(data + WATERFORCE_PUMP_SPEED);
waterforce_read() is called from sysfs and reads these fields locklessly
after releasing the status mutex:
switch (type) {
case hwmon_temp:
*val = priv->temp_input[channel];
Can this result in torn reads and bogus sysfs values if the interrupt
handler overwrites the fields concurrently?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260708015806.213790-1-linux@roeck-us.net?part=2
next prev parent reply other threads:[~2026-07-08 2:08 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-08 1:58 [PATCH 0/4] Fix error handling in HID device probe functions Guenter Roeck
2026-07-08 1:58 ` [PATCH 1/4] hwmon: (corsair-cpro) Stop device IO before calling hid_hw_stop Guenter Roeck
2026-07-08 2:09 ` sashiko-bot
2026-07-08 1:58 ` [PATCH 2/4] hwmon: (gigabyte_waterforce) " Guenter Roeck
2026-07-08 2:08 ` sashiko-bot [this message]
2026-07-08 1:58 ` [PATCH 3/4] hwmon: (nzxt-smart2) " Guenter Roeck
2026-07-08 2:11 ` sashiko-bot
2026-07-08 1:58 ` [PATCH 4/4] hwmon: (nzxt-kraken3) " Guenter Roeck
2026-07-08 2:10 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260708020851.58A2D1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-hwmon@vger.kernel.org \
--cc=linux@roeck-us.net \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox