Linux Input/HID development
From: sashiko-bot@kernel.org
To: "Sriman Achanta" <srimanachanta@gmail.com>
Cc: linux-input@vger.kernel.org, dmitry.torokhov@gmail.com
Subject: Re: [PATCH v5 9/9] HID: steelseries: Add support for Arctis Nova 7 Gen2 family
Date: Tue, 30 Jun 2026 17:44:11 +0000
Message-ID: <20260630174411.D937A1F000E9@smtp.kernel.org>
In-Reply-To: <8d6f139f082f2b985bad0cb3f60f260e60a7f2e9.1782840133.git.srimanachanta@gmail.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

New issues:
- [Medium] The global bounds check `if (size < 4)` incorrectly drops valid, shorter unsolicited status reports.

Pre-existing issues:
- [High] Concurrent sysfs unbind leads to Use-After-Free of sibling `hid_device` and `steelseries_device`.
- [High] Type confusion when retrieving the sibling HID device can lead to an out-of-bounds memory read.
--

commit 70087cd16ba3bb84894fac86ae371e8ee1265c7a
Author: Sriman Achanta <srimanachanta@gmail.com>

HID: steelseries: Add support for Arctis Nova 7 Gen2 family

This patch adds support for the Arctis Nova 7 Gen2 headsets. It introduces a
new parser for unsolicited battery and connection updates on a second HID
interface, and adds eight new USB product IDs to the supported devices list.

> diff --git a/drivers/hid/hid-steelseries-arctis.c b/drivers/hid/hid-steelseries-arctis.c
> index 689435c60ecbd..31d31f3f4b0e9 100644
> --- a/drivers/hid/hid-steelseries-arctis.c
> +++ b/drivers/hid/hid-steelseries-arctis.c
[ ... ]
> @@ -162,6 +169,30 @@ static void steelseries_arctis_9_parse_status(struct steelseries_device *sd,
>  	}
>  }
>  
> +static void steelseries_arctis_nova_7_gen2_parse_status(struct steelseries_device *sd,
> +							u8 *data, int size)
> +{
> +	if (size < 4)
> +		return;
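Review bot: The early return at `if (size < 4)` is the only length validation visible in this hunk, and the rest of the function is elided, so a reader cannot confirm that index 3 is the furthest byte any opcode handler reads; if some opcodes consume only data[1] while others read further, a per-opcode minimum length applied after data[0] has been proven present is safer than one global threshold, because a single value either drops short valid reports or leaves longer handlers under-checked. A comment stating the expected report length per opcode would let reviewers verify the bound from the diff alone.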

[Severity: Medium]
Could this global bounds check prematurely discard valid unsolicited battery
and connection updates?

The new opcodes 0xb7, 0xb9, and 0xbb only require up to data[1] to be valid.
If the headset firmware sends these unsolicited updates as 2-byte short USB
HID packets reflecting their actual content size, this check will drop them.

[ ... ]
> @@ -180,6 +211,14 @@ static const struct steelseries_device_info arctis_9_info = {
>  	.parse_status = steelseries_arctis_9_parse_status,
>  };
>  
> +static const struct steelseries_device_info arctis_nova_7_gen2_info = {
> +	.sync_interface = 3,
> +	.async_interface = 5,
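Review bot: The new `arctis_nova_7_gen2_info` initializer is cut off after `.async_interface = 5`, so unlike `arctis_9_info` directly above, its `.parse_status` member is not visible here; confirm it wires up `steelseries_arctis_nova_7_gen2_parse_status` from the earlier hunk. The interface numbers 3 and 5 are fixed constants, and the sibling lookup they feed trusts intfdata of whatever is bound at that number, so the lookup should first confirm the sibling USB interface is bound to this driver (for example by checking the interface's own `dev.driver`) before interpreting its intfdata as a `struct hid_device`.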

[Severity: High]
This is a pre-existing issue, but the addition of these new devices using the
async/sync interface mechanism heavily exercises it. Is it possible for a
concurrent sysfs unbind to cause a use-after-free?

During the async interface probe, steelseries_get_sibling_sd() calls
usb_get_intfdata(sibling_intf) without holding the device lock for the sibling
interface. If a user concurrently unbinds the sibling interface (e.g., via
sysfs), usbhid destroys the hid_device. This causes the probe path to
locklessly dereference the freed sibling_hdev->driver:

	sibling_hdev = usb_get_intfdata(sibling_intf);
	if (!sibling_hdev || sibling_hdev->driver != &steelseries_arctis_driver)
		return NULL;

	sd = hid_get_drvdata(sibling_hdev);
	if (sd)
		kref_get(&sd->refcnt);

It then calls kref_get(&sd->refcnt) on the associated private data, modifying
freed memory.

[Severity: High]
This isn't a bug introduced by this patch, but adding these devices expands
the exposure to a pre-existing type confusion issue. Could this lead to an
out-of-bounds memory read?

In steelseries_get_sibling_sd(), the driver extracts the private data via
usb_get_intfdata() and assumes it is a struct hid_device *:

	sibling_intf = usb_ifnum_to_if(usb_dev, interface_num);
	if (!sibling_intf)
		return NULL;

	sibling_hdev = usb_get_intfdata(sibling_intf);
	if (!sibling_hdev || sibling_hdev->driver != &steelseries_arctis_driver)
		return NULL;

If a crafted USB device is plugged in where the sibling interface (e.g.,
interface 0 or 3) is a non-HID class like USB Audio, a different driver will
bind and store its own private structure in intfdata.

The driver field sits hundreds of bytes deep into struct hid_device. Reading
it from a smaller structure belonging to another driver will read out-of-bounds
of the allocated SLUB object.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/cover.1782840133.git.srimanachanta@gmail.com?part=9
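The bounds-check point above, as an added example that is not code from the patch or the Sashiko review: the same global `size < 4` guard beside a per-opcode minimum length. The opcodes 0xb7, 0xb9 and 0xbb reading only data[1] come from the review; their payload meaning and the 4-byte opcode 0xbd are constructed for illustration.

```c
/* Added example, not from the patch or the review: contrasts a single global
 * "size < 4" guard with a per-opcode minimum report length. The opcodes
 * 0xb7/0xb9/0xbb are named in the review; their payload layout and the
 * 4-byte opcode 0xbd are constructed and are not the real Arctis protocol. */
#include <stddef.h>
#include <stdint.h>

enum parse_result { PARSED, DROPPED_TOO_SHORT, DROPPED_UNKNOWN_OPCODE };

struct opcode_len { uint8_t op; int min_len; }; /* bytes each handler reads */
static const struct opcode_len min_len_tbl[] = {
	{ 0xb7, 2 }, /* constructed: one payload byte in data[1] */
	{ 0xb9, 2 }, /* constructed: one payload byte in data[1] */
	{ 0xbb, 2 }, /* constructed: one payload byte in data[1] */
	{ 0xbd, 4 }, /* constructed: payload in data[1..3] */
};

static const struct opcode_len *lookup(uint8_t op)
{
	for (size_t i = 0; i < sizeof(min_len_tbl) / sizeof(min_len_tbl[0]); i++)
		if (min_len_tbl[i].op == op)
			return &min_len_tbl[i];
	return NULL;
}

/* Same shape as the hunk: one threshold before the opcode is even known,
 * so a valid 2-byte report is discarded. */
enum parse_result parse_global_check(const uint8_t *data, int size)
{
	if (size < 4)
		return DROPPED_TOO_SHORT;
	return lookup(data[0]) ? PARSED : DROPPED_UNKNOWN_OPCODE;
}

/* Per-opcode: prove data[0] is present, then require exactly the length
 * that opcode's handler needs. Negative sizes fall into the first check. */
enum parse_result parse_per_opcode(const uint8_t *data, int size)
{
	const struct opcode_len *e;

	if (size < 1)
		return DROPPED_TOO_SHORT;
	e = lookup(data[0]);
	if (!e)
		return DROPPED_UNKNOWN_OPCODE;
	return size < e->min_len ? DROPPED_TOO_SHORT : PARSED;
}
```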
