From: sashiko-bot@kernel.org
To: "Vicki Pfau" <vi@endrift.com>
Cc: dmitry.torokhov@gmail.com, linux-input@vger.kernel.org
Subject: Re: [PATCH 07/10] HID: steam: Rearrange deinitialization sequence
Date: Thu, 02 Jul 2026 22:35:35 +0000 [thread overview]
Message-ID: <20260702223536.5D9AC1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260702222145.1863104-7-vi@endrift.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] Use-After-Free due to work item rescheduling during device removal
- [High] Double-free and Use-After-Free due to lockless concurrent execution of steam_unregister()
--
commit 3f510b9fc8a4fe35042e364f53f44a52a7f1b526
Author: Vicki Pfau <vi@endrift.com>
HID: steam: Rearrange deinitialization sequence
This fixes a narrow window during the deinitialization where callbacks
could still be scheduled during cleanup that would then have a dangling
pointer to the now-freed steam struct.
> diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c
> --- a/drivers/hid/hid-steam.c
> +++ b/drivers/hid/hid-steam.c
> @@ -1443,18 +1443,18 @@ static void steam_remove(struct hid_device *hdev)
> }
>
> hid_destroy_device(steam->client_hdev);
> - cancel_delayed_work_sync(&steam->mode_switch);
> - cancel_work_sync(&steam->work_connect);
> - cancel_work_sync(&steam->rumble_work);
> - cancel_delayed_work_sync(&steam->coalesce_rumble_work);
> steam->client_hdev = NULL;
> + hid_hw_close(hdev);
> + cancel_work_sync(&steam->work_connect);
[Severity: High]
This is a pre-existing issue, but does this still leave a window where the
work item can be rescheduled?
Because hid_hw_stop() has not been called yet, the hardware can still deliver
a raw event like ID_CONTROLLER_WIRELESS. This calls steam_raw_event() which
calls steam_do_connect_event() and unconditionally queues the work item:
steam_do_connect_event()
if (changed && schedule_work(&steam->work_connect) == 0)
If this happens after cancel_work_sync() but before hid_hw_stop(), will the
delayed work item execute on a freed steam struct?
> steam->client_opened = 0;
> if (steam->quirks & STEAM_QUIRK_WIRELESS) {
> hid_info(hdev, "Steam wireless receiver disconnected");
> }
> - hid_hw_close(hdev);
> - hid_hw_stop(hdev);
> steam_unregister(steam);
[Severity: High]
This is a pre-existing issue, but could concurrent calls to steam_unregister()
result in a double-free?
If a wireless disconnect event arrives concurrently with a device unplug,
the worker thread executing steam_work_connect_cb() and the unplug thread
executing steam_remove() might both call steam_unregister().
Since steam_unregister() relies on a lockless check of steam->serial_no[0],
could both threads pass the check simultaneously and call
steam_input_unregister()? Both threads would then read steam->input via RCU
and call input_unregister_device() on the same pointer.
Also, does this lack of serialization allow the probe error path to race
with steam_register(), potentially leaving active input devices pointing
to a freed steam struct?
> + cancel_work_sync(&steam->rumble_work);
> + cancel_delayed_work_sync(&steam->mode_switch);
> + cancel_delayed_work_sync(&steam->coalesce_rumble_work);
> + hid_hw_stop(hdev);
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260702222145.1863104-1-vi@endrift.com?part=7
next prev parent reply other threads:[~2026-07-02 22:35 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-02 22:21 [PATCH 01/10] HID: steam: Update documentation Vicki Pfau
2026-07-02 22:21 ` [PATCH 02/10] HID: steam: Refactor and clean up report parsing Vicki Pfau
2026-07-02 22:21 ` [PATCH 03/10] HID: steam: Rename some constants that got renamed upstream Vicki Pfau
2026-07-02 22:21 ` [PATCH 04/10] HID: steam: Add support for sensor events on the Steam Controller (2015) Vicki Pfau
2026-07-02 22:36 ` sashiko-bot
2026-07-02 22:21 ` [PATCH 05/10] HID: steam: Coalesce rumble packets Vicki Pfau
2026-07-02 22:34 ` sashiko-bot
2026-07-02 22:21 ` [PATCH 06/10] HID: steam: Fully unregister controller when hidraw is opened Vicki Pfau
2026-07-02 22:34 ` sashiko-bot
2026-07-02 22:21 ` [PATCH 07/10] HID: steam: Rearrange deinitialization sequence Vicki Pfau
2026-07-02 22:35 ` sashiko-bot [this message]
2026-07-02 22:21 ` [PATCH 08/10] HID: steam: Improve logging and other cleanup Vicki Pfau
2026-07-02 22:36 ` sashiko-bot
2026-07-02 22:21 ` [PATCH 09/10] HID: steam: Reject short reads Vicki Pfau
2026-07-02 22:36 ` sashiko-bot
2026-07-03 11:26 ` Yousef Alhouseen
2026-07-02 22:21 ` [PATCH 10/10] HID: steam: Retry send/recv reports if stale Vicki Pfau
2026-07-02 22:36 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260702223536.5D9AC1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-input@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vi@endrift.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox