Linux Input/HID development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Dmitry Torokhov" <dmitry.torokhov@gmail.com>
Cc: dmitry.torokhov@gmail.com, linux-input@vger.kernel.org
Subject: Re: [PATCH 15/26] sh: maple: remove not needed maple_unsupported_device driver
Date: Sat, 04 Jul 2026 06:11:36 +0000	[thread overview]
Message-ID: <20260704061136.8899C1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260703-b4-maple-cleanup-v1-15-41e424964da5@gmail.com>

Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:

Pre-existing issues:
- [High] Asynchronous work items are not canceled on the `maple_bus_init` error path.
- [High] Error path in `maple_bus_init` frees devices that are still linked on the global `maple_waitq`.
- [High] Directly calling `kfree` via `maple_free_dev` on `device_register` failure in `maple_attach_driver` leaks kobject state.
- [High] Re-queuing a maple packet without setting the busy flag causes list corruption.
--

commit 8ed68bea570556010f84062b91e5bd48da1f0c8d
Author: Dmitry Torokhov <dmitry.torokhov@gmail.com>

sh: maple: remove not needed maple_unsupported_device driver

This commit removes the maple_unsupported_device fallback driver since
the driver core handles devices without drivers. It also updates the
shared interrupt registrations to use &maple_bus instead of the removed
driver.

> diff --git a/drivers/sh/maple/maple.c b/drivers/sh/maple/maple.c
> --- a/drivers/sh/maple/maple.c
> +++ b/drivers/sh/maple/maple.c

[ ... ]

> @@ -378,7 +376,6 @@ static void maple_attach_driver(struct maple_device *mdev)
>  		if (matched == 0) {
>  			/* Driver does not exist yet */
>  			dev_info(&mdev->dev, "no driver found\n");
> -			mdev->driver = &maple_unsupported_device;
>  		}
>  		dev_set_name(&mdev->dev, "%d:0%d.%lX", mdev->port,
>  			     mdev->unit, function);

[Severity: High]
This isn't a regression introduced by this patch, but does the error path in
maple_attach_driver() leak kobject state?

If device_register(&mdev->dev) fails:

	error = device_register(&mdev->dev);
	if (error) {
		dev_warn(&mdev->dev, "could not register device at"
			" (%d, %d), with error 0x%X\n", mdev->unit,
			mdev->port, error);
		maple_free_dev(mdev);
		mdev = NULL;
		return;
	}

maple_free_dev() directly calls kfree(). Since device_register() was
called, shouldn't failures be handled by calling put_device() to safely
invoke the release callback instead of bypassing it?

[ ... ]

> @@ -863,17 +851,14 @@ static int __init maple_bus_init(void)
>  	kmem_cache_destroy(maple_queue_cache);
>  
>  cleanup_bothirqs:
> -	free_irq(HW_EVENT_VSYNC, 0);
> +	free_irq(HW_EVENT_VSYNC, &maple_bus);
>  
>  cleanup_irq:
> -	free_irq(HW_EVENT_MAPLE_DMA, 0);
> +	free_irq(HW_EVENT_MAPLE_DMA, &maple_bus);
>  
>  cleanup_dma:
>  	free_pages((unsigned long) maple_sendbuf, MAPLE_DMA_PAGES);

[Severity: High]
This is a pre-existing issue, but can this error path lead to a
use-after-free crash?

In maple_bus_init(), if initialization fails after setting the DMA
interrupt handler (for example, if KMEM_CACHE allocation fails), the error
path calls free_irq() and frees the maple_sendbuf memory.

However, it does not appear to call cancel_work_sync() for
maple_dma_process and maple_vblank_process. If an interrupt fired before
free_irq(), could the scheduled work items execute asynchronously after the
buffers are freed, dereferencing the freed memory?

[Severity: High]
This is another pre-existing issue in maple_bus_init(), but does the port
initialization loop leave dangling pointers on the global maple_waitq?

During the loop, each allocated device is immediately queued onto the
global maple_waitq via maple_add_packet():

	for (i = 0; i < MAPLE_PORTS; i++) {
		checked[i] = false;
		empty[i] = false;
		mdev[i] = maple_alloc_dev(i, 0);
		if (!mdev[i]) {
			while (i-- > 0)
				maple_free_dev(mdev[i]);

If a subsequent allocation fails, the error handler loops backwards and
calls maple_free_dev(). However, maple_free_dev() frees mdev and mdev->mq
directly via kfree() without executing list_del() to remove them from
maple_waitq. Could this corrupt the linked list?

[Severity: High]
This is a pre-existing issue not touched by this patch, but can re-queuing
a maple packet without setting the busy flag cause list corruption?

Looking at setup_maple_commands() in drivers/sh/maple/maple.c, a
MAPLE_COMMAND_GETCOND packet is queued if mdev->busy is 0:

	if (mdev->interval > 0 && atomic_read(&mdev->busy) == 0 &&
		time_after(jiffies, mdev->when)) {
		/* bounce if we cannot add */
		add = maple_add_packet(mdev,
			be32_to_cpu(mdev->devinfo.function),
			MAPLE_COMMAND_GETCOND, 1, NULL);
		if (!add)
			mdev->when = jiffies + mdev->interval;
	}

It successfully calls maple_add_packet(), which links mdev->mq->list into
maple_waitq. However, unlike other packet types, it fails to set
mdev->busy = 1.

If a concurrent userspace action (such as a read via /dev/mtdX in vmu-flash
leading to maple_vmu_read_block()) executes, would it read mdev->busy as 0,
assume the queue is free, and call maple_add_packet() again? This would
reuse the exact same mdev->mq object, executing list_add_tail() on an
already-linked node, which corrupts the list.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260703-b4-maple-cleanup-v1-0-41e424964da5@gmail.com?part=15

  reply	other threads:[~2026-07-04  6:11 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-04  5:57 [PATCH 00/26] sh: maple: cleanup and modernize input drivers Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 01/26] sh: maple: include linux/device.h in linux/maple.h Dmitry Torokhov
2026-07-04  6:05   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 02/26] Input: maple_keyb - fix key press detection Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 03/26] Input: maplecontrol - only enable present axes Dmitry Torokhov
2026-07-04  6:10   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 04/26] Input: maplemouse - stop polling and clear callback on close Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 05/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04  6:07   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 06/26] Input: maplecontrol - simplify maple_device retrieval in open/close Dmitry Torokhov
2026-07-04  6:10   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 07/26] Input: maple_keyb - implement open and close methods Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 08/26] Input: maplemouse - remove redundant drvdata resetting Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 09/26] Input: maple_keyb " Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 10/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04  6:09   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 11/26] Input: maplemouse - remove unused mdev->driver assignment Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 12/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04  6:06   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 13/26] Input: maple_keyb " Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 14/26] mtd: maps: vmu-flash: " Dmitry Torokhov
2026-07-04  6:08   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 15/26] sh: maple: remove not needed maple_unsupported_device driver Dmitry Torokhov
2026-07-04  6:11   ` sashiko-bot [this message]
2026-07-04  5:57 ` [PATCH 16/26] sh: maple: remove unused driver field from struct maple_device Dmitry Torokhov
2026-07-04  6:09   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 17/26] sh: maple: implement bus-level probe/remove Dmitry Torokhov
2026-07-04  6:12   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 18/26] sh: maple: introduce callback_mutex in maple_device Dmitry Torokhov
2026-07-04  6:14   ` sashiko-bot
2026-07-04 15:48   ` Florian Fuchs
2026-07-04 23:50     ` Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 19/26] Input: maple_keyb - remove redundant mutex and remove method Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 20/26] Input: maple_keyb - convert to devm Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 21/26] Input: maplemouse " Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 22/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04  6:13   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 23/26] Input: maple_keyb - fix style issues Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 24/26] Input: maplemouse " Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 25/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04  6:12   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 26/26] Input: maple_keyb - remove redundant 'new' buffer from struct dc_kbd Dmitry Torokhov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260704061136.8899C1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=dmitry.torokhov@gmail.com \
    --cc=linux-input@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox