From: sashiko-bot@kernel.org
To: "Vicki Pfau" <vi@endrift.com>
Cc: linux-input@vger.kernel.org, dmitry.torokhov@gmail.com
Subject: Re: [PATCH 09/10] HID: steam: Reject short reads
Date: Thu, 02 Jul 2026 22:36:57 +0000 [thread overview]
Message-ID: <20260702223658.4735C1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260702222145.1863104-9-vi@endrift.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [High] The newly added short-read check in `steam_recv_report` contains multiple logic errors that render it ineffective, allowing short reads to bypass validation and leak uninitialized kernel stack memory, while also erroneously rejecting valid reports.
Pre-existing issues:
- [High] Self-deadlock in haptic rumble callbacks due to recursive acquisition of `steam->report_mutex`.
--
commit 27b5eb27907342525c15b39fe076131c6198f9b3
Author: Vicki Pfau <vi@endrift.com>
HID: steam: Reject short reads
Steam Controller FEATURE reports encode the size of the message in the
message itself. Previously we were trusting that the size reported matched
the size we actually read, leading to a potential issue with short reads.
Instead, we should actually verify the length of the read.
Link: https://syzkaller.appspot.com/bug?extid=75f3f9bff8c510602d36
> diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c
> index 593151709cf1d..e97431bc2828c 100644
> --- a/drivers/hid/hid-steam.c
> +++ b/drivers/hid/hid-steam.c
> @@ -389,6 +389,12 @@ static int steam_recv_report(struct steam_device *steam,
> hid_err(steam->hdev, "%s: error %d\n", __func__, ret);
> else
> hid_dbg(steam->hdev, "Received report %*ph\n", ret, data);
> +
> + if (ret >= 2 && data[1] > ret + 2) {
[Severity: High]
Does this logic effectively catch short reads, or does it contain an algebraic
error?
It appears data[1] > ret + 2 should be data[1] + 2 > ret. With the current
check, a device returning a short payload would bypass validation.
Additionally, since this check happens after ret is clamped to size earlier
in the function (ret = min(size, ret - 1);), won't this reject perfectly valid
large reports if the caller only requested a smaller buffer?
Also, the ret >= 2 gate allows 0 or 1 byte reads to return successfully. If
this occurs, callers like steam_get_serial() will read from an uninitialized
stack buffer.
For instance, in steam_get_serial():
drivers/hid/hid-steam.c:steam_get_serial() {
u8 reply[3 + STEAM_SERIAL_LEN + 1];
...
res = steam_recv_report(steam, reply, sizeof(reply));
if (res < 0)
return res;
reply[3 + reply[1]] = 0;
strscpy(steam->serial_no, reply + 3, sizeof(steam->serial_no));
}
If steam_recv_report() returns 0 or 1, reply[1] is uninitialized,
potentially causing out-of-bounds reads or leaking kernel stack memory into
steam->serial_no.
> + hid_err(steam->hdev, "%s: expected %u bytes, read %i\n",
> + __func__, data[1] + 2, ret);
> + return -EPROTO;
> + }
> return ret;
> }
[Severity: High]
This is a pre-existing issue, but does steam_haptic_rumble_cb() cause a
self-deadlock when triggering rumble?
This was introduced by the commit "HID: steam: Coalesce rumble packets"
earlier in the same series and persists through the end of the series.
In steam_haptic_rumble_cb():
drivers/hid/hid-steam.c:steam_haptic_rumble_cb() {
guard(mutex)(&steam->report_mutex);
steam_haptic_rumble(steam, 0, steam->rumble_left,
steam->rumble_right, 2, 0);
}
And steam_haptic_rumble() unconditionally locks the same mutex:
drivers/hid/hid-steam.c:steam_haptic_rumble() {
mutex_lock(&steam->report_mutex);
ret = steam_send_report(steam, report, sizeof(report));
mutex_unlock(&steam->report_mutex);
}
Since Linux mutexes are not recursive, won't this permanently hang the system
workqueue worker executing the rumble callbacks?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260702222145.1863104-1-vi@endrift.com?part=9
next prev parent reply other threads:[~2026-07-02 22:36 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-02 22:21 [PATCH 01/10] HID: steam: Update documentation Vicki Pfau
2026-07-02 22:21 ` [PATCH 02/10] HID: steam: Refactor and clean up report parsing Vicki Pfau
2026-07-02 22:21 ` [PATCH 03/10] HID: steam: Rename some constants that got renamed upstream Vicki Pfau
2026-07-02 22:21 ` [PATCH 04/10] HID: steam: Add support for sensor events on the Steam Controller (2015) Vicki Pfau
2026-07-02 22:36 ` sashiko-bot
2026-07-02 22:21 ` [PATCH 05/10] HID: steam: Coalesce rumble packets Vicki Pfau
2026-07-02 22:34 ` sashiko-bot
2026-07-02 22:21 ` [PATCH 06/10] HID: steam: Fully unregister controller when hidraw is opened Vicki Pfau
2026-07-02 22:34 ` sashiko-bot
2026-07-02 22:21 ` [PATCH 07/10] HID: steam: Rearrange deinitialization sequence Vicki Pfau
2026-07-02 22:35 ` sashiko-bot
2026-07-02 22:21 ` [PATCH 08/10] HID: steam: Improve logging and other cleanup Vicki Pfau
2026-07-02 22:36 ` sashiko-bot
2026-07-02 22:21 ` [PATCH 09/10] HID: steam: Reject short reads Vicki Pfau
2026-07-02 22:36 ` sashiko-bot [this message]
2026-07-03 11:26 ` Yousef Alhouseen
2026-07-02 22:21 ` [PATCH 10/10] HID: steam: Retry send/recv reports if stale Vicki Pfau
2026-07-02 22:36 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260702223658.4735C1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-input@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vi@endrift.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox