From: sashiko-bot@kernel.org
To: "Dmitry Torokhov" <dmitry.torokhov@gmail.com>
Cc: linux-input@vger.kernel.org, dmitry.torokhov@gmail.com
Subject: Re: [PATCH 14/26] mtd: maps: vmu-flash: remove unused mdev->driver assignment
Date: Sat, 04 Jul 2026 06:08:48 +0000 [thread overview]
Message-ID: <20260704060848.CD33A1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260703-b4-maple-cleanup-v1-14-41e424964da5@gmail.com>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
Pre-existing issues:
- [Critical] Dangling pointers for `fileerr_handler` and `can_unload` left on `maple_device` if `probe` fails.
- [Critical] Use-after-free of `card` structure due to dangling `mdev->callback` on probe error path.
- [High] Out-of-bounds read in `vmu_connect` when parsing device `function_data`.
- [High] NULL pointer dereference in `vmu_disconnect` if `vmu_queryblocks` fails.
--
commit aec7eca58a1d1d49c7c51af4d1d0fb848ff3245c
Author: Dmitry Torokhov <dmitry.torokhov@gmail.com>
mtd: maps: vmu-flash: remove unused mdev->driver assignment
This commit removes the unused assignment to mdev->driver and the now unused
mdrv variable in probe_maple_vmu. The driver field in struct maple_device is
no longer used since earlier cleanups.
> diff --git a/drivers/mtd/maps/vmu-flash.c b/drivers/mtd/maps/vmu-flash.c
> index 10244e6731d07..8f7028ac1b56a 100644
> --- a/drivers/mtd/maps/vmu-flash.c
> +++ b/drivers/mtd/maps/vmu-flash.c
> @@ -772,11 +772,9 @@ static void vmu_file_error(struct maple_device *mdev, void *recvbuf)
> static int probe_maple_vmu(struct device *dev)
> {
> struct maple_device *mdev = to_maple_dev(dev);
> - struct maple_driver *mdrv = to_maple_driver(dev->driver);
>
> mdev->can_unload = vmu_can_unload;
> mdev->fileerr_handler = vmu_file_error;
> - mdev->driver = mdrv;
>
> return vmu_connect(mdev);
[Severity: Critical]
This is a pre-existing issue, but if vmu_connect() fails below, are these
pointers properly cleared?
If vmu_connect() fails, the probe aborts and the device is left unbound, but
the function pointers to vmu_can_unload() and vmu_file_error() remain
assigned to the persistent maple_device structure.
If the vmu-flash module is subsequently unloaded, could a later
MAPLE_RESPONSE_FILEERR event cause the maple bus core to dereference the
now-dangling mdev->fileerr_handler pointer?
> }
While reviewing the context of this patch, I noticed a few other pre-existing
issues in the surrounding code:
> static int vmu_connect(struct maple_device *mdev)
> {
> unsigned long test_flash_data, basic_flash_data;
> int c, error;
> struct memcard *card;
> u32 partnum = 0;
>
> test_flash_data = be32_to_cpu(mdev->devinfo.function);
> /* Need to count how many bits are set - to find out which
> * function_data element has details of the memory card
> */
> c = hweight_long(test_flash_data);
>
> basic_flash_data = be32_to_cpu(mdev->devinfo.function_data[c - 1]);
[Severity: High]
This is a pre-existing issue, but does this array access risk an out-of-bounds
read?
Since test_flash_data is derived directly from the hardware packet, it could
have up to 32 bits set. If a malfunctioning device reports 0 bits or more than
3 bits set, does using c - 1 read past the bounds of the 3-element
function_data array?
[ ... ]
> /*
> * We want to trap meminfo not get cond
> * so set interval to zero, but rely on maple bus
> * driver to pass back the results of the meminfo
> */
> maple_getcond_callback(mdev, vmu_queryblocks, 0,
> MAPLE_FUNC_MEMCARD);
[ ... ]
> error = maple_add_packet(mdev, MAPLE_FUNC_MEMCARD,
> MAPLE_COMMAND_GETMINFO, 2, &partnum);
> if (error) {
> dev_err(&mdev->dev, "Could not lock VMU at (%d, %d)"
> " error is 0x%X\n", mdev->port, mdev->unit, error);
> goto fail_mtd_info;
> }
> return 0;
>
> fail_device_busy:
> kfree(card->mtd);
> fail_mtd_info:
> kfree(card->parts);
> fail_partitions:
> kfree(card);
> fail_nomem:
> return error;
> }
[Severity: Critical]
This is a pre-existing issue, but if maple_add_packet() fails, is the card
structure freed while the callback is still active?
In vmu_connect(), an asynchronous callback is registered via
maple_getcond_callback(). If a subsequent operation like maple_add_packet()
fails, the error path frees the card structure but does not clear
mdev->callback.
If a delayed or stray MAPLE_RESPONSE_DATATRF packet arrives later, could
maple_dma_handler() invoke the lingering mdev->callback, writing hardware
response data to the already freed card memory?
Regarding vmu_disconnect():
If vmu_queryblocks() fails, it branches to an error path that frees the
priv pointer and sets it to NULL:
> for (error = 0; error <= card->partition; error++) {
> kfree(((card->mtd)[error]).priv);
> ((card->mtd)[error]).priv = NULL;
> }
Because the initial probe returned success, the device remains bound. When
it is eventually disconnected, vmu_disconnect() executes:
> for (x = 0; x < card->partitions; x++) {
> mpart = ((card->mtd)[x]).priv;
> mpart->mdev = NULL;
[Severity: High]
This is a pre-existing issue, but if vmu_queryblocks() encountered an
asynchronous failure earlier, will vmu_disconnect() blindly dereference a
NULL pointer here?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260703-b4-maple-cleanup-v1-0-41e424964da5@gmail.com?part=14
next prev parent reply other threads:[~2026-07-04 6:08 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-04 5:57 [PATCH 00/26] sh: maple: cleanup and modernize input drivers Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 01/26] sh: maple: include linux/device.h in linux/maple.h Dmitry Torokhov
2026-07-04 6:05 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 02/26] Input: maple_keyb - fix key press detection Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 03/26] Input: maplecontrol - only enable present axes Dmitry Torokhov
2026-07-04 6:10 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 04/26] Input: maplemouse - stop polling and clear callback on close Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 05/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04 6:07 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 06/26] Input: maplecontrol - simplify maple_device retrieval in open/close Dmitry Torokhov
2026-07-04 6:10 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 07/26] Input: maple_keyb - implement open and close methods Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 08/26] Input: maplemouse - remove redundant drvdata resetting Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 09/26] Input: maple_keyb " Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 10/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04 6:09 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 11/26] Input: maplemouse - remove unused mdev->driver assignment Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 12/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04 6:06 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 13/26] Input: maple_keyb " Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 14/26] mtd: maps: vmu-flash: " Dmitry Torokhov
2026-07-04 6:08 ` sashiko-bot [this message]
2026-07-04 5:57 ` [PATCH 15/26] sh: maple: remove not needed maple_unsupported_device driver Dmitry Torokhov
2026-07-04 6:11 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 16/26] sh: maple: remove unused driver field from struct maple_device Dmitry Torokhov
2026-07-04 6:09 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 17/26] sh: maple: implement bus-level probe/remove Dmitry Torokhov
2026-07-04 6:12 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 18/26] sh: maple: introduce callback_mutex in maple_device Dmitry Torokhov
2026-07-04 6:14 ` sashiko-bot
2026-07-04 15:48 ` Florian Fuchs
2026-07-04 23:50 ` Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 19/26] Input: maple_keyb - remove redundant mutex and remove method Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 20/26] Input: maple_keyb - convert to devm Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 21/26] Input: maplemouse " Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 22/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04 6:13 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 23/26] Input: maple_keyb - fix style issues Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 24/26] Input: maplemouse " Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 25/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04 6:12 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 26/26] Input: maple_keyb - remove redundant 'new' buffer from struct dc_kbd Dmitry Torokhov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260704060848.CD33A1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-input@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox