Linux Input/HID development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Dmitry Torokhov" <dmitry.torokhov@gmail.com>
Cc: linux-input@vger.kernel.org, dmitry.torokhov@gmail.com
Subject: Re: [PATCH 14/26] mtd: maps: vmu-flash: remove unused mdev->driver assignment
Date: Sat, 04 Jul 2026 06:08:48 +0000	[thread overview]
Message-ID: <20260704060848.CD33A1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260703-b4-maple-cleanup-v1-14-41e424964da5@gmail.com>

Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:

Pre-existing issues:
- [Critical] Dangling pointers for `fileerr_handler` and `can_unload` left on `maple_device` if `probe` fails.
- [Critical] Use-after-free of `card` structure due to dangling `mdev->callback` on probe error path.
- [High] Out-of-bounds read in `vmu_connect` when parsing device `function_data`.
- [High] NULL pointer dereference in `vmu_disconnect` if `vmu_queryblocks` fails.
--

commit aec7eca58a1d1d49c7c51af4d1d0fb848ff3245c
Author: Dmitry Torokhov <dmitry.torokhov@gmail.com>

mtd: maps: vmu-flash: remove unused mdev->driver assignment

This commit removes the unused assignment to mdev->driver and the now unused
mdrv variable in probe_maple_vmu. The driver field in struct maple_device is
no longer used since earlier cleanups.

> diff --git a/drivers/mtd/maps/vmu-flash.c b/drivers/mtd/maps/vmu-flash.c
> index 10244e6731d07..8f7028ac1b56a 100644
> --- a/drivers/mtd/maps/vmu-flash.c
> +++ b/drivers/mtd/maps/vmu-flash.c
> @@ -772,11 +772,9 @@ static void vmu_file_error(struct maple_device *mdev, void *recvbuf)
>  static int probe_maple_vmu(struct device *dev)
>  {
>  	struct maple_device *mdev = to_maple_dev(dev);
> -	struct maple_driver *mdrv = to_maple_driver(dev->driver);
>  
>  	mdev->can_unload = vmu_can_unload;
>  	mdev->fileerr_handler = vmu_file_error;
> -	mdev->driver = mdrv;
>  
>  	return vmu_connect(mdev);

[Severity: Critical]
This is a pre-existing issue, but if vmu_connect() fails below, are these
pointers properly cleared?

If vmu_connect() fails, the probe aborts and the device is left unbound, but
the function pointers to vmu_can_unload() and vmu_file_error() remain
assigned to the persistent maple_device structure. 

If the vmu-flash module is subsequently unloaded, could a later
MAPLE_RESPONSE_FILEERR event cause the maple bus core to dereference the
now-dangling mdev->fileerr_handler pointer?

>  }

While reviewing the context of this patch, I noticed a few other pre-existing
issues in the surrounding code:

> static int vmu_connect(struct maple_device *mdev)
> {
> 	unsigned long test_flash_data, basic_flash_data;
> 	int c, error;
> 	struct memcard *card;
> 	u32 partnum = 0;
> 
> 	test_flash_data = be32_to_cpu(mdev->devinfo.function);
> 	/* Need to count how many bits are set - to find out which
> 	 * function_data element has details of the memory card
> 	 */
> 	c = hweight_long(test_flash_data);
> 
> 	basic_flash_data = be32_to_cpu(mdev->devinfo.function_data[c - 1]);

[Severity: High]
This is a pre-existing issue, but does this array access risk an out-of-bounds
read?

Since test_flash_data is derived directly from the hardware packet, it could
have up to 32 bits set. If a malfunctioning device reports 0 bits or more than
3 bits set, does using c - 1 read past the bounds of the 3-element
function_data array?

[ ... ]

> 	/*
> 	* We want to trap meminfo not get cond
> 	* so set interval to zero, but rely on maple bus
> 	* driver to pass back the results of the meminfo
> 	*/
> 	maple_getcond_callback(mdev, vmu_queryblocks, 0,
> 		MAPLE_FUNC_MEMCARD);

[ ... ]

> 	error = maple_add_packet(mdev, MAPLE_FUNC_MEMCARD,
> 		MAPLE_COMMAND_GETMINFO, 2, &partnum);
> 	if (error) {
> 		dev_err(&mdev->dev, "Could not lock VMU at (%d, %d)"
> 			" error is 0x%X\n", mdev->port, mdev->unit, error);
> 		goto fail_mtd_info;
> 	}
> 	return 0;
> 
> fail_device_busy:
> 	kfree(card->mtd);
> fail_mtd_info:
> 	kfree(card->parts);
> fail_partitions:
> 	kfree(card);
> fail_nomem:
> 	return error;
> }

[Severity: Critical]
This is a pre-existing issue, but if maple_add_packet() fails, is the card
structure freed while the callback is still active?

In vmu_connect(), an asynchronous callback is registered via
maple_getcond_callback(). If a subsequent operation like maple_add_packet()
fails, the error path frees the card structure but does not clear
mdev->callback.

If a delayed or stray MAPLE_RESPONSE_DATATRF packet arrives later, could
maple_dma_handler() invoke the lingering mdev->callback, writing hardware
response data to the already freed card memory?

Regarding vmu_disconnect():

If vmu_queryblocks() fails, it branches to an error path that frees the
priv pointer and sets it to NULL:

> 	for (error = 0; error <= card->partition; error++) {
> 		kfree(((card->mtd)[error]).priv);
> 		((card->mtd)[error]).priv = NULL;
> 	}

Because the initial probe returned success, the device remains bound. When
it is eventually disconnected, vmu_disconnect() executes:

> 	for (x = 0; x < card->partitions; x++) {
> 		mpart = ((card->mtd)[x]).priv;
> 		mpart->mdev = NULL;

[Severity: High]
This is a pre-existing issue, but if vmu_queryblocks() encountered an
asynchronous failure earlier, will vmu_disconnect() blindly dereference a
NULL pointer here?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260703-b4-maple-cleanup-v1-0-41e424964da5@gmail.com?part=14

  reply	other threads:[~2026-07-04  6:08 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-04  5:57 [PATCH 00/26] sh: maple: cleanup and modernize input drivers Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 01/26] sh: maple: include linux/device.h in linux/maple.h Dmitry Torokhov
2026-07-04  6:05   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 02/26] Input: maple_keyb - fix key press detection Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 03/26] Input: maplecontrol - only enable present axes Dmitry Torokhov
2026-07-04  6:10   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 04/26] Input: maplemouse - stop polling and clear callback on close Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 05/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04  6:07   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 06/26] Input: maplecontrol - simplify maple_device retrieval in open/close Dmitry Torokhov
2026-07-04  6:10   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 07/26] Input: maple_keyb - implement open and close methods Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 08/26] Input: maplemouse - remove redundant drvdata resetting Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 09/26] Input: maple_keyb " Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 10/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04  6:09   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 11/26] Input: maplemouse - remove unused mdev->driver assignment Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 12/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04  6:06   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 13/26] Input: maple_keyb " Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 14/26] mtd: maps: vmu-flash: " Dmitry Torokhov
2026-07-04  6:08   ` sashiko-bot [this message]
2026-07-04  5:57 ` [PATCH 15/26] sh: maple: remove not needed maple_unsupported_device driver Dmitry Torokhov
2026-07-04  6:11   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 16/26] sh: maple: remove unused driver field from struct maple_device Dmitry Torokhov
2026-07-04  6:09   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 17/26] sh: maple: implement bus-level probe/remove Dmitry Torokhov
2026-07-04  6:12   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 18/26] sh: maple: introduce callback_mutex in maple_device Dmitry Torokhov
2026-07-04  6:14   ` sashiko-bot
2026-07-04 15:48   ` Florian Fuchs
2026-07-04 23:50     ` Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 19/26] Input: maple_keyb - remove redundant mutex and remove method Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 20/26] Input: maple_keyb - convert to devm Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 21/26] Input: maplemouse " Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 22/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04  6:13   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 23/26] Input: maple_keyb - fix style issues Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 24/26] Input: maplemouse " Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 25/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04  6:12   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 26/26] Input: maple_keyb - remove redundant 'new' buffer from struct dc_kbd Dmitry Torokhov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260704060848.CD33A1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=dmitry.torokhov@gmail.com \
    --cc=linux-input@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox