Linux Input/HID development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Haoxiang Li" <haoxiang_li2024@163.com>
Cc: linux-input@vger.kernel.org, dmitry.torokhov@gmail.com
Subject: Re: [PATCH v2 1/2] HID: sensor: custom: Remove enable_sensor before freeing fields
Date: Thu, 02 Jul 2026 10:05:35 +0000	[thread overview]
Message-ID: <20260702100535.DF47D1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260702094856.1105555-2-haoxiang_li2024@163.com>

Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:

Pre-existing issues:
- [Critical] Out-of-bounds array access in `show_value()` and `store_value()` due to flawed sysfs attribute index parsing.
- [High] A race condition in `hid_sensor_custom_remove()` allows incoming sensor events to trigger a Use-After-Free.
- [High] Using `devm_kzalloc` for the driver context linked to a `miscdevice` causes a Use-After-Free if the device is unbound while the file is open.
- [Medium] Concurrent reads on the `miscdevice` corrupt the `kfifo` state, leading to broken data streams.
--

commit a7339c2fa4bb12ea6bad0a949e3b22ab6d1f4ed6
Author: Haoxiang Li <haoxiang_li2024@163.com>

HID: sensor: custom: Remove enable_sensor before freeing fields

enable_sensor_store() can call set_power_report_state(), which
dereferences sensor_inst->power_state and sensor_inst->report_state.
These pointers refer to entries in sensor_inst->fields.

hid_sensor_custom_remove() currently frees the field attributes before
removing the enable_sensor sysfs attribute, leaving a window where a
concurrent sysfs write can dereference freed memory.

Remove enable_sensor before freeing the field attributes.

Fixes: 4a7de0519df5 ("HID: sensor: Custom and Generic sensor support")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>

> diff --git a/drivers/hid/hid-sensor-custom.c b/drivers/hid/hid-sensor-custom.c
> index afffea8940214..d7bdbae96b501 100644
> --- a/drivers/hid/hid-sensor-custom.c
> +++ b/drivers/hid/hid-sensor-custom.c
> @@ -1042,9 +1042,9 @@ static void hid_sensor_custom_remove(struct platform_device *pdev)
>  	}
>  
>  	hid_sensor_custom_dev_if_remove(sensor_inst);
> -	hid_sensor_custom_remove_attributes(sensor_inst);
>  	sysfs_remove_group(&sensor_inst->pdev->dev.kobj,
>  			   &enable_sensor_attr_group);
> +	hid_sensor_custom_remove_attributes(sensor_inst);
>  	sensor_hub_remove_callback(hsdev, hsdev->usage);

[Severity: High]
This is a pre-existing issue, but does freeing the kfifo resource before
unregistering the interrupt-driven callback leave a window for a
use-after-free?

If hid_sensor_custom_dev_if_remove() frees sensor_inst->data_fifo, and an
incoming hardware event occurs before sensor_hub_remove_callback() is called,
could an open file descriptor trigger hid_sensor_capture_sample() to write to
the freed kfifo?

drivers/hid/hid-sensor-custom.c:hid_sensor_capture_sample() {
    ...
    if (kfifo_avail(&sensor_inst->data_fifo) >= required_size) {
        kfifo_in(&sensor_inst->data_fifo, ...);
    ...
}

>  }

[Severity: High]
This isn't a bug introduced by this patch, but it appears using devm_kzalloc()
for the driver context linked to a miscdevice might cause a use-after-free.

If the device is unbound (e.g., via USB unplug), devres frees sensor_inst.
However, if a user process holds the miscdevice file descriptor open, is it
possible for a subsequent call to read() to extract and dereference the freed
pointer?

drivers/hid/hid-sensor-custom.c:hid_sensor_custom_read() {
    sensor_inst = container_of(file->private_data, struct hid_sensor_custom, custom_dev);
    ...
    if (kfifo_is_empty(&sensor_inst->data_fifo)) {
    ...
}

[Severity: Critical]
This is a pre-existing issue, but we might have an out-of-bounds array access
when parsing the attribute name for an index.

In hid_sensor_custom_add_field(), the raw HID loop index is baked into the
sysfs filename:

drivers/hid/hid-sensor-custom.c:hid_sensor_custom_add_field() {
    ...
    snprintf(sensor_field->group_name, sizeof(sensor_field->group_name),
             "input-%x-%x", sensor_field->attribute.index,
             sensor_field->attribute.attrib_id);
    ...
}

If fields are skipped and the array is reallocated to a smaller size, would a
user reading the sysfs file trigger an out-of-bounds access in show_value(),
given it uses the raw index directly from the filename?

drivers/hid/hid-sensor-custom.c:show_value() {
    ...
    if (sscanf(attr->attr.name, "input-%x-%x-%s", &index, &usage, name) == 3) {
        ...
        field_index = index;
        ...
        attribute = &sensor_inst->fields[field_index].attribute;
    ...
}

[Severity: Medium]
This isn't a bug introduced by this patch, but can concurrent readers corrupt
the internal indices by invoking the kfifo consumer API without serialization?

While open() prevents multiple independent opens, a process can fork() or
spawn threads to invoke read() concurrently on the same file descriptor.

Since hid_sensor_custom_read() does not use a mutex around kfifo_to_user(),
will racing threads corrupt the kfifo state?

drivers/hid/hid-sensor-custom.c:hid_sensor_custom_read() {
    ...
    ret = kfifo_to_user(&sensor_inst->data_fifo, buf, count, &copied);
    ...
}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260702094856.1105555-1-haoxiang_li2024@163.com?part=1

  reply	other threads:[~2026-07-02 10:05 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-02  9:48 [PATCH v2 0/2] HID: sensor: custom: Fix fields lifetime issues Haoxiang Li
2026-07-02  9:48 ` [PATCH v2 1/2] HID: sensor: custom: Remove enable_sensor before freeing fields Haoxiang Li
2026-07-02 10:05   ` sashiko-bot [this message]
2026-07-02 18:53   ` Jonathan Cameron
2026-07-02  9:48 ` [PATCH v2 2/2] HID: sensor: custom: Fix field sysfs group cleanup on failure Haoxiang Li
2026-07-02 10:16   ` sashiko-bot
2026-07-02 18:55   ` Jonathan Cameron

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260702100535.DF47D1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=dmitry.torokhov@gmail.com \
    --cc=haoxiang_li2024@163.com \
    --cc=linux-input@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox