Linux Input/HID development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Vicki Pfau" <vi@endrift.com>
Cc: dmitry.torokhov@gmail.com, linux-input@vger.kernel.org
Subject: Re: [PATCH v11 2/3] HID: nintendo: Add rumble support for Switch 2 controllers
Date: Thu, 02 Jul 2026 22:04:24 +0000	[thread overview]
Message-ID: <20260702220426.593851F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260702214704.1859350-3-vi@endrift.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

New issues:
- [High] Use-After-Free of rumble_work and controller state due to devm lifecycle mismatch

Pre-existing issues:
- [High] Circular reference in LED devm registration causes permanent memory leak and Use-After-Free
--

commit 24b9a46372beedd9b4a7b187b2ec2e8fa3058997
Author: Vicki Pfau <vi@endrift.com>

HID: nintendo: Add rumble support for Switch 2 controllers

This adds rumble support for both the "HD Rumble" linear resonant actuator
type as used in the Joy-Cons and Pro Controller, as well as the eccentric
rotating mass type used in the GameCube controller.

> diff --git a/drivers/hid/hid-nintendo.c b/drivers/hid/hid-nintendo.c
> index e21c369218325..a36f4fd9a1da5 100644
> --- a/drivers/hid/hid-nintendo.c
> +++ b/drivers/hid/hid-nintendo.c
[ ... ]
> @@ -3209,6 +3260,125 @@ static void switch2_kref_put(struct kref *refcount)
>  	kfree(ns2);
>  }
>  
> +#if IS_ENABLED(CONFIG_NINTENDO_FF)
[ ... ]
> +static void switch2_rumble_work(struct work_struct *work)
> +{
> +	struct switch2_controller *ns2 = container_of(to_delayed_work(work),
> +						      struct switch2_controller, rumble_work);
> +	unsigned long flags;
> +	bool active;
> +	int ret = 0;
> +
> +	spin_lock_irqsave(&ns2->rumble_lock, flags);

[Severity: High]
If the device is unplugged and `ns2` is manually freed, can this work
function execute concurrently and attempt to acquire `ns2->rumble_lock`
on freed memory?

> +	ns2->rumble_buffer[0x1] = 0x50 | ns2->rumble_seq;
[ ... ]
> @@ -3332,6 +3502,26 @@ static int switch2_init_input(struct switch2_controller *ns2)
>  		return -EINVAL;
>  	}
>  

[Severity: High]
This is a pre-existing issue, but does registering the LED devices with
devm create a circular reference by binding the LED devres to the input
device while simultaneously setting it as the parent?

The driver core's device_add() function automatically takes a reference to
the parent device (&input->dev). Since devres is attached to the same
parent, it waits for the parent's refcount to drop to 0 before unregistering
the LEDs, which means neither can be released. 

Does this permanently leak the input device, LED devices, and devm
allocations? 

Furthermore, because `ns2` is freed manually upon device removal, could
lingering LED sysfs attributes trigger a use-after-free crash if a user
writes to them, causing switch2_player_led_brightness_set() to dereference
the freed `ns2` pointer?

> +#if IS_ENABLED(CONFIG_NINTENDO_FF)
> +	ns2->rumble_buffer = devm_kzalloc(&input->dev, 64, GFP_KERNEL);
> +	if (!ns2->rumble_buffer) {
> +		input_free_device(input);
> +		return -ENOMEM;
> +	}
> +	ret = devm_delayed_work_autocancel(&input->dev, &ns2->rumble_work, switch2_rumble_work);

[Severity: High]
Does binding the rumble work lifecycle to &input->dev cause a
use-after-free when `ns2` is manually freed?

If a user unplugs the controller while holding the input device open,
`ns2` is freed in the removal path, but the devres cleanup for the input
device will run later. 

Will this result in the devres cleanup unconditionally calling
cancel_delayed_work_sync(&ns2->rumble_work) on the already-freed
`ns2` pointer?

> +	if (ret < 0) {
> +		input_free_device(input);
> +		return ret;
> +	}
> +
> +	input_set_capability(input, EV_FF, FF_RUMBLE);
> +	ret = input_ff_create_memless(input, NULL, switch2_play_effect);
[ ... ]

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260702214704.1859350-1-vi@endrift.com?part=2

  reply	other threads:[~2026-07-02 22:04 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-02 21:46 [PATCH v11 0/3] HID: nintendo: Add preliminary Switch 2 controller Vicki Pfau
2026-07-02 21:47 ` [PATCH v11 1/3] HID: nintendo: Add preliminary Switch 2 controller driver Vicki Pfau
2026-07-02 22:04   ` sashiko-bot
2026-07-02 21:47 ` [PATCH v11 2/3] HID: nintendo: Add rumble support for Switch 2 controllers Vicki Pfau
2026-07-02 22:04   ` sashiko-bot [this message]
2026-07-02 21:47 ` [PATCH v11 3/3] HID: nintendo: Add unified report format support Vicki Pfau

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260702220426.593851F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=dmitry.torokhov@gmail.com \
    --cc=linux-input@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=vi@endrift.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox