From: sashiko-bot@kernel.org
Cc: dmitry.torokhov@gmail.com, linux-input@vger.kernel.org
Subject: Re: [PATCH 09/11] HID: mod_devicetable: 'hid_device_id::driver_data' add union
Date: Mon, 18 May 2026 16:35:00 +0000 [thread overview]
Message-ID: <20260518163500.C6795C2BCB7@smtp.kernel.org> (raw)
In-Reply-To: <20260518-mod-devicetable-hid_device_id-v1-9-a08e3989c283@thegoodpenguin.co.uk>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Adding a pointer variant to `hid_device_id` union encourages a dangerous architectural anti-pattern involving `driver_data`.
- [Low] The commit message inaccurately claims that `struct hid_device_id` is part of the userspace ABI.
--
commit c7768796e9018aff03a8509ee8a35c62af4417cf
Author: Pawel Zalewski (The Capable Hub) <pzalewski@thegoodpenguin.co.uk>
HID: mod_devicetable: 'hid_device_id::driver_data' add union
This commit adds a union to the driver_data field in struct hid_device_id
to provide a direct pointer representation.
> The change doesn't affect the size and layout of struct hid_device_id
> which is part of the userspace ABI.
Is this description accurate regarding the userspace ABI?
The structure struct hid_device_id is defined in
include/linux/mod_devicetable.h, which is an internal kernel header and is
not exported to include/uapi/.
While modpost uses the binary layout during the kernel build to generate
the text-based modules.alias file, userspace tools interact with the
generated text interface rather than the binary structure itself.
Could the commit message be updated to clarify that this layout is an
internal build ABI rather than a userspace ABI?
> diff --git a/include/linux/mod_devicetable.h b/include/linux/mod_devicetable.h
> index 23ff24080dfd9..90b2dae75109c 100644
> --- a/include/linux/mod_devicetable.h
> +++ b/include/linux/mod_devicetable.h
> @@ -175,7 +175,10 @@ struct hid_device_id {
> __u16 group;
> __u32 vendor;
> __u32 product;
> - kernel_ulong_t driver_data;
> + union {
> + kernel_ulong_t driver_data;
> + const void *driver_data_ptr;
> + };
> };
Does this code introduce a regression by encouraging an architectural
pattern where drivers assume they can dereference driver_data as a pointer?
The HID core supports dynamic device ID injection via the sysfs new_id
interface. In drivers/hid/hid-core.c, new_id_store() parses user input as
an unsigned long and assigns it to driver_data.
By adding driver_data_ptr, it explicitly blesses treating this field as a
kernel pointer at the core API level.
If a driver dereferences this user-provided value as a pointer during
probe, could it lead to arbitrary memory dereferences or lockdown bypasses?
Does it make more sense to keep driver_data restricted to an index or enum
to avoid exposing an API that facilitates this pattern?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260518-mod-devicetable-hid_device_id-v1-0-a08e3989c283@thegoodpenguin.co.uk?part=9
next prev parent reply other threads:[~2026-05-18 16:35 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-18 16:06 [PATCH 00/11] HID: storing pointers in 'hid_device_id::driver_data' Pawel Zalewski (The Capable Hub)
2026-05-18 16:06 ` [PATCH 01/11] HID: hid-input: use named initializer for 'hid_battery_quirks[]' Pawel Zalewski (The Capable Hub)
2026-05-18 16:06 ` [PATCH 02/11] HID: hid-quirks: use named initializer in 'hid_quirks[]' Pawel Zalewski (The Capable Hub)
2026-05-18 16:06 ` [PATCH 03/11] HID: hid-asus: use named initializer for 'asus_devices[]' Pawel Zalewski (The Capable Hub)
2026-05-18 16:06 ` [PATCH 04/11] HID: i2c-hid-dmi-quirks: use named initializer for 'i2c_hid_elan_flipped_quirks[]' Pawel Zalewski (The Capable Hub)
2026-05-18 16:06 ` [PATCH 05/11] HID: hid-belkin: clean up usage of 'driver_data' Pawel Zalewski (The Capable Hub)
2026-05-18 16:06 ` [PATCH 06/11] HID: hid-cypress: " Pawel Zalewski (The Capable Hub)
2026-05-18 16:06 ` [PATCH 07/11] HID: hid-gfrm: " Pawel Zalewski (The Capable Hub)
2026-05-18 16:06 ` [PATCH 08/11] HID: hid-ite: " Pawel Zalewski (The Capable Hub)
2026-05-18 16:06 ` [PATCH 09/11] HID: mod_devicetable: 'hid_device_id::driver_data' add union Pawel Zalewski (The Capable Hub)
2026-05-18 16:35 ` sashiko-bot [this message]
2026-05-18 16:06 ` [PATCH 10/11] HID: hid-tmff: use 'hid_device_id::driver_data_ptr' Pawel Zalewski (The Capable Hub)
2026-05-18 16:26 ` sashiko-bot
2026-05-18 16:06 ` [PATCH 11/11] HID: wacom: " Pawel Zalewski (The Capable Hub)
2026-05-18 16:23 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260518163500.C6795C2BCB7@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-input@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox