Linux Hardware Monitor development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Guenter Roeck" <linux@roeck-us.net>
Cc: linux-hwmon@vger.kernel.org
Subject: Re: [PATCH 2/4] hwmon: (gigabyte_waterforce) Stop device IO before calling hid_hw_stop
Date: Wed, 08 Jul 2026 02:08:50 +0000	[thread overview]
Message-ID: <20260708020851.58A2D1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260708015806.213790-3-linux@roeck-us.net>

Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:

New issues:
- [Medium] Unconditional invocation of `hid_device_io_stop()` in the probe error path triggers spurious kernel warnings on early failures and inverts the teardown order.

Pre-existing issues:
- [High] Missing bounds check on the `size` parameter in `waterforce_raw_event()` allows out-of-bounds memory reads.
- [High] Potential deadlock due to using `spin_lock_bh()` in process context while the same lock is acquired in hardware interrupt context.
- [High] Data race and unprotected multi-variable access between `waterforce_raw_event()` and `waterforce_read()`.
--

--- Patch [2]: [PATCH 2/4] hwmon: (gigabyte_waterforce) Stop device IO before calling hid_hw_stop ---
commit 5f26e64b65cc1e460573670ab5b05e083da3d241
Author: Guenter Roeck <linux@roeck-us.net>

hwmon: (gigabyte_waterforce) Stop device IO before calling hid_hw_stop

This commit fixes a use-after-free vulnerability by calling
hid_device_io_stop() before hid_hw_stop() in the probe error path.

> diff --git a/drivers/hwmon/gigabyte_waterforce.c b/drivers/hwmon/gigabyte_waterforce.c
> --- a/drivers/hwmon/gigabyte_waterforce.c
> +++ b/drivers/hwmon/gigabyte_waterforce.c
> @@ -381,6 +381,7 @@ static int waterforce_probe(struct hid_device *hdev, const struct hid_device_id
>  fail_and_close:
>  	hid_hw_close(hdev);
>  fail_and_stop:
> +	hid_device_io_stop(hdev);
[Severity: Medium]
Will this unconditionally calling hid_device_io_stop() here trigger spurious
warnings on early failures?

If an early failure occurs, such as hid_hw_open() failing, the code jumps to
fail_and_stop. At this point, hid_device_io_start() has not been called, so
hdev->io_started is false, causing hid_device_io_stop() to emit a spurious
warning.

Also, for later failures that jump to fail_and_close, does this result in
an inverted teardown order by calling hid_hw_close() before
hid_device_io_stop()?

>  	hid_hw_stop(hdev);
>  	return ret;
>  }

[Severity: High]
This is a pre-existing issue, but does waterforce_raw_event() lack a bounds
check on the size parameter?

In waterforce_raw_event():

    if (data[0] == get_firmware_ver_cmd[0] && ...

and later:

    priv->temp_input[0] = data[WATERFORCE_TEMP_SENSOR] * 1000;

If a malicious or malfunctioning HID device sends a short report, could
accessing data at WATERFORCE_TEMP_SENSOR result in an out-of-bounds memory
read?

[Severity: High]
This isn't a bug introduced by this patch, but is there a potential deadlock
between process context and hardware interrupt context?

waterforce_get_status() runs in process context and uses spin_lock_bh():

    spin_lock_bh(&priv->status_report_request_lock);

while waterforce_raw_event() can execute in hardirq context and acquires
the same lock:

    spin_lock(&priv->status_report_request_lock);

If waterforce_raw_event() is triggered by an interrupt on the same CPU
while waterforce_get_status() is holding the lock, will the interrupt
handler attempt to acquire the lock and spin forever?

[Severity: High]
This is a pre-existing issue, but does this code have a data race between
the interrupt handler and the sysfs read function?

waterforce_raw_event() executes asynchronously and updates sensor values
without a lock protecting the data arrays:

    priv->speed_input[0] = get_unaligned_le16(data + WATERFORCE_FAN_SPEED);
    priv->speed_input[1] = get_unaligned_le16(data + WATERFORCE_PUMP_SPEED);

waterforce_read() is called from sysfs and reads these fields locklessly
after releasing the status mutex:

    switch (type) {
    case hwmon_temp:
        *val = priv->temp_input[channel];

Can this result in torn reads and bogus sysfs values if the interrupt
handler overwrites the fields concurrently?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260708015806.213790-1-linux@roeck-us.net?part=2

  reply	other threads:[~2026-07-08  2:08 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-08  1:58 [PATCH 0/4] Fix error handling in HID device probe functions Guenter Roeck
2026-07-08  1:58 ` [PATCH 1/4] hwmon: (corsair-cpro) Stop device IO before calling hid_hw_stop Guenter Roeck
2026-07-08  2:09   ` sashiko-bot
2026-07-08  1:58 ` [PATCH 2/4] hwmon: (gigabyte_waterforce) " Guenter Roeck
2026-07-08  2:08   ` sashiko-bot [this message]
2026-07-08  1:58 ` [PATCH 3/4] hwmon: (nzxt-smart2) " Guenter Roeck
2026-07-08  2:11   ` sashiko-bot
2026-07-08  1:58 ` [PATCH 4/4] hwmon: (nzxt-kraken3) " Guenter Roeck
2026-07-08  2:10   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260708020851.58A2D1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=linux-hwmon@vger.kernel.org \
    --cc=linux@roeck-us.net \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox