From: sashiko-bot@kernel.org
To: "Sriman Achanta" <srimanachanta@gmail.com>
Cc: linux-input@vger.kernel.org, dmitry.torokhov@gmail.com
Subject: Re: [PATCH v5 8/9] HID: steelseries: Add async status interface support
Date: Tue, 30 Jun 2026 17:39:13 +0000
Message-ID: <20260630173913.E6EEC1F000E9@smtp.kernel.org>
In-Reply-To: <c993054229da167e96332fc142d372091e8c7406.1782840133.git.srimanachanta@gmail.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Unsynchronized access to the sibling interface's HID device and driver data in `steelseries_get_sibling_sd()` leads to Use-After-Free vulnerabilities during concurrent unbinding.
- [High] Unsafe retrieval of `intfdata` from a sibling USB interface without verifying the bound USB driver leads to type confusion.
--
commit 184e416637c40dbd71e035542907c5105f99d55d
Author: Sriman Achanta <srimanachanta@gmail.com>
HID: steelseries: Add async status interface support
This patch adds support for an async status interface on some Steelseries
headsets. The driver binds both sync and async interfaces, using the async
interface to push status events and delay its probe until the sync interface
is fully initialized.
> diff --git a/drivers/hid/hid-steelseries-arctis.c b/drivers/hid/hid-steelseries-arctis.c
> --- a/drivers/hid/hid-steelseries-arctis.c
> +++ b/drivers/hid/hid-steelseries-arctis.c
[ ... ]
> +static struct steelseries_device *
> +steelseries_get_sibling_sd(struct hid_device *hdev, int interface_num)
> +{
> + struct usb_interface *intf = to_usb_interface(hdev->dev.parent);
> + struct usb_device *usb_dev = interface_to_usbdev(intf);
> + struct usb_interface *sibling_intf;
> + struct hid_device *sibling_hdev;
> + struct steelseries_device *sd;
> +
> + sibling_intf = usb_ifnum_to_if(usb_dev, interface_num);
> + if (!sibling_intf)
> + return NULL;
> +
> + sibling_hdev = usb_get_intfdata(sibling_intf);
> + if (!sibling_hdev || sibling_hdev->driver != &steelseries_arctis_driver)
[Severity: High]
Can a malicious USB device trigger an out-of-bounds read here?
If the device advertises the sync interface as a non-HID class (like Mass
Storage) but the async interface as HID, the USB core might bind a different
driver to the sync interface. In that case, usb_get_intfdata() would return
a driver-specific structure (like struct us_data) rather than a
struct hid_device.
Would it be safer to verify the bound USB driver on the sibling interface
before casting the intfdata and dereferencing sibling_hdev->driver?
> + return NULL;
> +
> + sd = hid_get_drvdata(sibling_hdev);
> + if (sd)
> + kref_get(&sd->refcnt);
[Severity: High]
Is there a race condition with concurrent unbinding here?
If the sync interface is concurrently unbound (e.g., via sysfs or physical
disconnection) while the async interface is probing, usb_get_intfdata()
and hid_get_drvdata() are called without holding device_lock() for the
sibling interface's device.
Could this allow the hid_device to be freed before checking
sibling_hdev->driver, or allow the steelseries_device (sd) to be freed
before kref_get() is called?
> +
> + return sd;
> +}
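Review bot: the `sibling_hdev->driver != &steelseries_arctis_driver` check only establishes which driver is bound to the sibling interface, not that its probe has completed, yet the commit message says the async probe is delayed until the sync interface is fully initialized; since `hid_get_drvdata()` can return an `sd` that the sync probe is still filling in, the "fully initialized" condition needs an explicit signal (for example a ready flag or completion set at the end of the sync probe and checked here) rather than the driver pointer alone. In the same hunk, `kref_get(&sd->refcnt)` on an `sd` whose count may already have reached zero during teardown only warns instead of failing; `if (sd && !kref_get_unless_zero(&sd->refcnt)) sd = NULL;` would make the lookup return NULL cleanly in that case. Finally, `to_usb_interface(hdev->dev.parent)` assumes a USB transport; a `hid_is_usb(hdev)` guard (or a comment stating that the driver only binds USB devices) would document that, and the function's kernel-doc should state that a non-NULL return carries a reference the caller must drop with `kref_put()`.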
--
Sashiko AI review · https://sashiko.dev/#/patchset/cover.1782840133.git.srimanachanta@gmail.com?part=8