From: sashiko-bot@kernel.org
To: "Dmitry Torokhov" <dmitry.torokhov@gmail.com>
Cc: linux-input@vger.kernel.org, dmitry.torokhov@gmail.com
Subject: Re: [PATCH 01/26] sh: maple: include linux/device.h in linux/maple.h
Date: Sat, 04 Jul 2026 06:05:47 +0000 [thread overview]
Message-ID: <20260704060547.915641F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260703-b4-maple-cleanup-v1-1-41e424964da5@gmail.com>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
Pre-existing issues:
- [High] The error path in `vmu_queryblocks` frees the `priv` field of previously registered MTD partitions without unregistering them, leaving dangling MTD devices that crash the kernel if accessed.
- [High] `vmu_disconnect` assumes all partitions have a fully initialized `priv` structure and unconditionally dereferences it, which causes a NULL pointer dereference if initialization failed or was incomplete.
- [High] `vmu_disconnect` fails to free multiple dynamically allocated structures, causing a severe memory leak on device removal.
- [High] `vmu_flash_read_char` truncates negative error codes into an `unsigned char`, causing the caller to silently misinterpret errors as valid data.
--
commit 3694a7f48be1fa76db703e9eae953d9ee9757f9f
Author: Dmitry Torokhov <dmitry.torokhov@gmail.com>
sh: maple: include linux/device.h in linux/maple.h
This commit includes linux/device.h in linux/maple.h to ensure full
definitions of struct device and struct device_driver are available.
This fixes a compilation error in drivers/mtd/maps/vmu-flash.c.
> diff --git a/include/linux/maple.h b/include/linux/maple.h
> index 3be4e567473c8..22f2930251edc 100644
> --- a/include/linux/maple.h
> +++ b/include/linux/maple.h
[ ... ]
While this patch fixes the build, looking at drivers/mtd/maps/vmu-flash.c
revealed a few pre-existing issues:
drivers/mtd/maps/vmu-flash.c:vmu_flash_read_char() {
...
unsigned char *buf, ret;
...
error = maple_vmu_read_block(vblock->num, buf, mtd);
if (error) {
ret = error;
*retval = 2;
goto out_vblock;
}
...
return ret;
}
[Severity: High]
This is a pre-existing issue, but does assigning a negative error code
like -ENOMEM or -EIO to the unsigned char ret truncate it? This could
cause the caller to misinterpret errors as valid data instead of properly
propagating the negative error code back to the MTD subsystem.
drivers/mtd/maps/vmu-flash.c:vmu_queryblocks() {
...
error = mtd_device_register(mtd_cur, NULL, 0);
if (error)
goto fail_mtd_register;
...
fail_mpart:
for (error = 0; error <= card->partition; error++) {
kfree(((card->mtd)[error]).priv);
((card->mtd)[error]).priv = NULL;
}
...
}
[Severity: High]
This isn't a bug introduced by this patch, but could this cleanup loop
fail to unregister the previously successfully registered MTD devices?
If a recursive call fails, freeing the priv field without calling
mtd_device_unregister() might leave dangling MTD devices that could
crash the kernel if accessed later.
drivers/mtd/maps/vmu-flash.c:vmu_disconnect() {
...
for (x = 0; x < card->partitions; x++) {
mpart = ((card->mtd)[x]).priv;
mpart->mdev = NULL;
mtd_device_unregister(&((card->mtd)[x]));
kfree(((card->parts)[x]).name);
}
...
}
[Severity: High]
This is a pre-existing issue, but does this assume all partitions have a
fully initialized priv structure? If the device is disconnected before
vmu_queryblocks() finishes initialization or if initialization fails,
can mpart be NULL here, leading to a NULL pointer dereference when
assigning mpart->mdev = NULL?
[Severity: High]
This is also a pre-existing issue, but does this disconnect routine leak
resources? It appears to omit freeing the mpart, pcache, and pcache->buffer
resources that were allocated during initialization.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260703-b4-maple-cleanup-v1-0-41e424964da5@gmail.com?part=1
next prev parent reply other threads:[~2026-07-04 6:05 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-04 5:57 [PATCH 00/26] sh: maple: cleanup and modernize input drivers Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 01/26] sh: maple: include linux/device.h in linux/maple.h Dmitry Torokhov
2026-07-04 6:05 ` sashiko-bot [this message]
2026-07-04 5:57 ` [PATCH 02/26] Input: maple_keyb - fix key press detection Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 03/26] Input: maplecontrol - only enable present axes Dmitry Torokhov
2026-07-04 6:10 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 04/26] Input: maplemouse - stop polling and clear callback on close Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 05/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04 6:07 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 06/26] Input: maplecontrol - simplify maple_device retrieval in open/close Dmitry Torokhov
2026-07-04 6:10 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 07/26] Input: maple_keyb - implement open and close methods Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 08/26] Input: maplemouse - remove redundant drvdata resetting Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 09/26] Input: maple_keyb " Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 10/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04 6:09 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 11/26] Input: maplemouse - remove unused mdev->driver assignment Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 12/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04 6:06 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 13/26] Input: maple_keyb " Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 14/26] mtd: maps: vmu-flash: " Dmitry Torokhov
2026-07-04 6:08 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 15/26] sh: maple: remove not needed maple_unsupported_device driver Dmitry Torokhov
2026-07-04 6:11 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 16/26] sh: maple: remove unused driver field from struct maple_device Dmitry Torokhov
2026-07-04 6:09 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 17/26] sh: maple: implement bus-level probe/remove Dmitry Torokhov
2026-07-04 6:12 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 18/26] sh: maple: introduce callback_mutex in maple_device Dmitry Torokhov
2026-07-04 6:14 ` sashiko-bot
2026-07-04 15:48 ` Florian Fuchs
2026-07-04 23:50 ` Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 19/26] Input: maple_keyb - remove redundant mutex and remove method Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 20/26] Input: maple_keyb - convert to devm Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 21/26] Input: maplemouse " Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 22/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04 6:13 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 23/26] Input: maple_keyb - fix style issues Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 24/26] Input: maplemouse " Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 25/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04 6:12 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 26/26] Input: maple_keyb - remove redundant 'new' buffer from struct dc_kbd Dmitry Torokhov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260704060547.915641F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-input@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox