From: sashiko-bot@kernel.org
To: "Haoxiang Li" <haoxiang_li2024@163.com>
Cc: linux-input@vger.kernel.org, dmitry.torokhov@gmail.com
Subject: Re: [PATCH v2 1/2] HID: sensor: custom: Remove enable_sensor before freeing fields
Date: Thu, 02 Jul 2026 10:05:35 +0000 [thread overview]
Message-ID: <20260702100535.DF47D1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260702094856.1105555-2-haoxiang_li2024@163.com>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
Pre-existing issues:
- [Critical] Out-of-bounds array access in `show_value()` and `store_value()` due to flawed sysfs attribute index parsing.
- [High] A race condition in `hid_sensor_custom_remove()` allows incoming sensor events to trigger a Use-After-Free.
- [High] Using `devm_kzalloc` for the driver context linked to a `miscdevice` causes a Use-After-Free if the device is unbound while the file is open.
- [Medium] Concurrent reads on the `miscdevice` corrupt the `kfifo` state, leading to broken data streams.
--
commit a7339c2fa4bb12ea6bad0a949e3b22ab6d1f4ed6
Author: Haoxiang Li <haoxiang_li2024@163.com>
HID: sensor: custom: Remove enable_sensor before freeing fields
enable_sensor_store() can call set_power_report_state(), which
dereferences sensor_inst->power_state and sensor_inst->report_state.
These pointers refer to entries in sensor_inst->fields.
hid_sensor_custom_remove() currently frees the field attributes before
removing the enable_sensor sysfs attribute, leaving a window where a
concurrent sysfs write can dereference freed memory.
Remove enable_sensor before freeing the field attributes.
Fixes: 4a7de0519df5 ("HID: sensor: Custom and Generic sensor support")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
> diff --git a/drivers/hid/hid-sensor-custom.c b/drivers/hid/hid-sensor-custom.c
> index afffea8940214..d7bdbae96b501 100644
> --- a/drivers/hid/hid-sensor-custom.c
> +++ b/drivers/hid/hid-sensor-custom.c
> @@ -1042,9 +1042,9 @@ static void hid_sensor_custom_remove(struct platform_device *pdev)
> }
>
> hid_sensor_custom_dev_if_remove(sensor_inst);
> - hid_sensor_custom_remove_attributes(sensor_inst);
> sysfs_remove_group(&sensor_inst->pdev->dev.kobj,
> &enable_sensor_attr_group);
> + hid_sensor_custom_remove_attributes(sensor_inst);
> sensor_hub_remove_callback(hsdev, hsdev->usage);
[Severity: High]
This is a pre-existing issue, but does freeing the kfifo resource before
unregistering the interrupt-driven callback leave a window for a
use-after-free?
If hid_sensor_custom_dev_if_remove() frees sensor_inst->data_fifo, and an
incoming hardware event occurs before sensor_hub_remove_callback() is called,
could an open file descriptor trigger hid_sensor_capture_sample() to write to
the freed kfifo?
drivers/hid/hid-sensor-custom.c:hid_sensor_capture_sample() {
...
if (kfifo_avail(&sensor_inst->data_fifo) >= required_size) {
kfifo_in(&sensor_inst->data_fifo, ...);
...
}
> }
[Severity: High]
This isn't a bug introduced by this patch, but it appears using devm_kzalloc()
for the driver context linked to a miscdevice might cause a use-after-free.
If the device is unbound (e.g., via USB unplug), devres frees sensor_inst.
However, if a user process holds the miscdevice file descriptor open, is it
possible for a subsequent call to read() to extract and dereference the freed
pointer?
drivers/hid/hid-sensor-custom.c:hid_sensor_custom_read() {
sensor_inst = container_of(file->private_data, struct hid_sensor_custom, custom_dev);
...
if (kfifo_is_empty(&sensor_inst->data_fifo)) {
...
}
[Severity: Critical]
This is a pre-existing issue, but we might have an out-of-bounds array access
when parsing the attribute name for an index.
In hid_sensor_custom_add_field(), the raw HID loop index is baked into the
sysfs filename:
drivers/hid/hid-sensor-custom.c:hid_sensor_custom_add_field() {
...
snprintf(sensor_field->group_name, sizeof(sensor_field->group_name),
"input-%x-%x", sensor_field->attribute.index,
sensor_field->attribute.attrib_id);
...
}
If fields are skipped and the array is reallocated to a smaller size, would a
user reading the sysfs file trigger an out-of-bounds access in show_value(),
given it uses the raw index directly from the filename?
drivers/hid/hid-sensor-custom.c:show_value() {
...
if (sscanf(attr->attr.name, "input-%x-%x-%s", &index, &usage, name) == 3) {
...
field_index = index;
...
attribute = &sensor_inst->fields[field_index].attribute;
...
}
[Severity: Medium]
This isn't a bug introduced by this patch, but can concurrent readers corrupt
the internal indices by invoking the kfifo consumer API without serialization?
While open() prevents multiple independent opens, a process can fork() or
spawn threads to invoke read() concurrently on the same file descriptor.
Since hid_sensor_custom_read() does not use a mutex around kfifo_to_user(),
will racing threads corrupt the kfifo state?
drivers/hid/hid-sensor-custom.c:hid_sensor_custom_read() {
...
ret = kfifo_to_user(&sensor_inst->data_fifo, buf, count, &copied);
...
}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260702094856.1105555-1-haoxiang_li2024@163.com?part=1
next prev parent reply other threads:[~2026-07-02 10:05 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-02 9:48 [PATCH v2 0/2] HID: sensor: custom: Fix fields lifetime issues Haoxiang Li
2026-07-02 9:48 ` [PATCH v2 1/2] HID: sensor: custom: Remove enable_sensor before freeing fields Haoxiang Li
2026-07-02 10:05 ` sashiko-bot [this message]
2026-07-02 18:53 ` Jonathan Cameron
2026-07-02 9:48 ` [PATCH v2 2/2] HID: sensor: custom: Fix field sysfs group cleanup on failure Haoxiang Li
2026-07-02 10:16 ` sashiko-bot
2026-07-02 18:55 ` Jonathan Cameron
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260702100535.DF47D1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=haoxiang_li2024@163.com \
--cc=linux-input@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox