From: sashiko-bot@kernel.org
To: "Sriman Achanta" <srimanachanta@gmail.com>
Cc: linux-input@vger.kernel.org, dmitry.torokhov@gmail.com
Subject: Re: [PATCH v4 05/10] HID: steelseries: Refactor Arctis driver to use device_info framework
Date: Tue, 23 Jun 2026 17:33:24 +0000 [thread overview]
Message-ID: <20260623173325.47C3C1F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260623172310.272708-6-srimanachanta@gmail.com>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
New issues:
- [High] Missing report ID signature validation for Arctis 1 causes arbitrary raw events to corrupt headset state.
- [High] Battery status requests are incorrectly sent as Feature reports instead of Output reports, breaking battery polling.
- [Medium] Dropped logic for marking Arctis 9 headset as disconnected when it reports an unknown status.
Pre-existing issues:
- [High] The raw_event interrupt handler can dereference an ERR_PTR due to a TOCTOU race window when battery registration fails.
--
commit 0576cf59ec529dc31ed68f59a8d598bdb4ca4a82
Author: Sriman Achanta <srimanachanta@gmail.com>
HID: steelseries: Refactor Arctis driver to use device_info framework
Replace the per-product if/else quirk bitmap with a steelseries_device_info
struct. Each model provides its capabilities, sync_interface, and
request_status/parse_status callbacks.
> diff --git a/drivers/hid/hid-steelseries-arctis.c b/drivers/hid/hid-steelseries-arctis.c
> index 079504e6932a1..f00f4c5e6d9e4 100644
> --- a/drivers/hid/hid-steelseries-arctis.c
> +++ b/drivers/hid/hid-steelseries-arctis.c
[ ... ]
> @@ -15,70 +16,95 @@
[ ... ]
> +static int steelseries_arctis_1_request_status(struct hid_device *hdev)
> +{
> + const u8 data[] = { 0x06, 0x12 };
> +
> + return steelseries_send_feature_report(hdev, data, sizeof(data));
> +}
> +
> +static int steelseries_arctis_9_request_status(struct hid_device *hdev)
> +{
> + const u8 data[] = { 0x00, 0x20 };
> +
> + return steelseries_send_feature_report(hdev, data, sizeof(data));
> +}
[Severity: High]
Do these devices expect feature reports instead of output reports for status
requests?
The original code sent the periodic battery status request to the device
using an output report via hid_hw_raw_request(..., HID_OUTPUT_REPORT, ...).
This refactoring switches it to use steelseries_send_feature_report()
instead.
Sending a feature report to a device endpoint expecting an output report
might result in a USB stall, which would break battery polling.
[ ... ]
> @@ -88,30 +114,96 @@ static int battery_capacity_to_level(int capacity)
[ ... ]
> +static void steelseries_arctis_1_parse_status(struct steelseries_device *sd,
> + u8 *data, int size)
> +{
> + if (size < 4)
> + return;
> +
> + sd->headset_connected = (data[2] != 0x01);
> + sd->battery_capacity = data[3];
> +}
[Severity: High]
Will this corrupt the battery state if other reports are received?
The original raw event handler verified that the incoming Arctis 1 report
matched the expected battery status signature using memcmp().
Since steelseries_arctis_raw_event() now invokes parse_status()
unconditionally for all incoming raw events, could a different report
(such as volume control) with a payload of at least 4 bytes be erroneously
parsed as battery data?
> +static void steelseries_arctis_9_parse_status(struct steelseries_device *sd,
> + u8 *data, int size)
> +{
> + if (size < 5)
> + return;
> +
> + if (data[0] == 0xaa) {
> + sd->headset_connected = (data[1] == 0x01);
> + sd->battery_charging = (data[4] == 0x01);
> + sd->battery_capacity = steelseries_map_capacity(data[3], 0x68, 0x9d);
> + }
> +}
[Severity: Medium]
What happens if the device is turned off and sends the "no known status"
packet?
The original code explicitly handled the 0x55 response and used it to mark
the headset as disconnected.
By only processing 0xaa and dropping other responses without taking any
action, will we fail to update the connection state and leave the device
incorrectly reported as connected?
[ ... ]
> @@ -168,7 +245,26 @@ static enum power_supply_property steelseries_headset_battery_props[] = {
[ ... ]
> +static int steelseries_battery_register(struct steelseries_device *sd)
> {
[ ... ]
> sd->battery = devm_power_supply_register(&sd->hdev->dev,
> &sd->battery_desc, &battery_cfg);
> if (IS_ERR(sd->battery)) {
> ret = PTR_ERR(sd->battery);
> + sd->battery = NULL;
[Severity: High]
This isn't a bug introduced by this patch, but does assigning the return
value directly to sd->battery before checking for an error create a race
condition?
Since hid_hw_start() and hid_hw_open() are already called in the probe
function, hardware interrupts are active. If power_supply_register() fails,
sd->battery temporarily holds an error pointer.
If steelseries_arctis_raw_event() triggers during this small window, the
following check would evaluate to true because an error pointer is not NULL:
steelseries_arctis_raw_event() {
...
if (sd->battery)
power_supply_changed(sd->battery);
}
Could this lead to an invalid pointer dereference and a kernel panic?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260623172310.272708-1-srimanachanta@gmail.com?part=5
next prev parent reply other threads:[~2026-06-23 17:33 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-23 17:23 [PATCH v4 00/10] HID: steelseries: Refactor Arctis driver and add Arctis Nova 7 Gen2 support Sriman Achanta
2026-06-23 17:23 ` [PATCH v4 01/10] HID: steelseries: Fix ARCTIS_1_X device mislabeling Sriman Achanta
2026-06-23 17:23 ` [PATCH v4 02/10] HID: steelseries: Fix whitespace in srws1 report descriptor Sriman Achanta
2026-06-23 17:23 ` [PATCH v4 03/10] HID: steelseries: Split Arctis headset driver into separate module Sriman Achanta
2026-06-23 17:23 ` [PATCH v4 04/10] HID: steelseries: Inline and simplify SRWS1 wheel driver Sriman Achanta
2026-06-23 17:23 ` [PATCH v4 05/10] HID: steelseries: Refactor Arctis driver to use device_info framework Sriman Achanta
2026-06-23 17:33 ` sashiko-bot [this message]
2026-06-23 17:23 ` [PATCH v4 06/10] HID: steelseries: Report POWER_SUPPLY_STATUS_FULL when full Sriman Achanta
2026-06-23 17:23 ` [PATCH v4 07/10] HID: steelseries: Correct Arctis 9 battery calibration range Sriman Achanta
2026-06-23 17:23 ` [PATCH v4 08/10] HID: steelseries: Manage battery lifetime with refcounting Sriman Achanta
2026-06-23 17:36 ` sashiko-bot
2026-06-23 17:23 ` [PATCH v4 09/10] HID: steelseries: Add async status interface support Sriman Achanta
2026-06-23 17:36 ` sashiko-bot
2026-06-23 17:23 ` [PATCH v4 10/10] HID: steelseries: Add support for Arctis Nova 7 Gen2 family Sriman Achanta
2026-06-23 17:35 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260623173325.47C3C1F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-input@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=srimanachanta@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox