From: sashiko-bot@kernel.org
To: "Dmitry Torokhov" <dmitry.torokhov@gmail.com>
Cc: dmitry.torokhov@gmail.com, linux-input@vger.kernel.org
Subject: Re: [PATCH 15/26] sh: maple: remove not needed maple_unsupported_device driver
Date: Sat, 04 Jul 2026 06:11:36 +0000 [thread overview]
Message-ID: <20260704061136.8899C1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260703-b4-maple-cleanup-v1-15-41e424964da5@gmail.com>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
Pre-existing issues:
- [High] Asynchronous work items are not canceled on the `maple_bus_init` error path.
- [High] Error path in `maple_bus_init` frees devices that are still linked on the global `maple_waitq`.
- [High] Directly calling `kfree` via `maple_free_dev` on `device_register` failure in `maple_attach_driver` leaks kobject state.
- [High] Re-queuing a maple packet without setting the busy flag causes list corruption.
--
commit 8ed68bea570556010f84062b91e5bd48da1f0c8d
Author: Dmitry Torokhov <dmitry.torokhov@gmail.com>
sh: maple: remove not needed maple_unsupported_device driver
This commit removes the maple_unsupported_device fallback driver since
the driver core handles devices without drivers. It also updates the
shared interrupt registrations to use &maple_bus instead of the removed
driver.
> diff --git a/drivers/sh/maple/maple.c b/drivers/sh/maple/maple.c
> --- a/drivers/sh/maple/maple.c
> +++ b/drivers/sh/maple/maple.c
[ ... ]
> @@ -378,7 +376,6 @@ static void maple_attach_driver(struct maple_device *mdev)
> if (matched == 0) {
> /* Driver does not exist yet */
> dev_info(&mdev->dev, "no driver found\n");
> - mdev->driver = &maple_unsupported_device;
> }
> dev_set_name(&mdev->dev, "%d:0%d.%lX", mdev->port,
> mdev->unit, function);
[Severity: High]
This isn't a regression introduced by this patch, but does the error path in
maple_attach_driver() leak kobject state?
If device_register(&mdev->dev) fails:
error = device_register(&mdev->dev);
if (error) {
dev_warn(&mdev->dev, "could not register device at"
" (%d, %d), with error 0x%X\n", mdev->unit,
mdev->port, error);
maple_free_dev(mdev);
mdev = NULL;
return;
}
maple_free_dev() directly calls kfree(). Since device_register() was
called, shouldn't failures be handled by calling put_device() to safely
invoke the release callback instead of bypassing it?
[ ... ]
> @@ -863,17 +851,14 @@ static int __init maple_bus_init(void)
> kmem_cache_destroy(maple_queue_cache);
>
> cleanup_bothirqs:
> - free_irq(HW_EVENT_VSYNC, 0);
> + free_irq(HW_EVENT_VSYNC, &maple_bus);
>
> cleanup_irq:
> - free_irq(HW_EVENT_MAPLE_DMA, 0);
> + free_irq(HW_EVENT_MAPLE_DMA, &maple_bus);
>
> cleanup_dma:
> free_pages((unsigned long) maple_sendbuf, MAPLE_DMA_PAGES);
[Severity: High]
This is a pre-existing issue, but can this error path lead to a
use-after-free crash?
In maple_bus_init(), if initialization fails after setting the DMA
interrupt handler (for example, if KMEM_CACHE allocation fails), the error
path calls free_irq() and frees the maple_sendbuf memory.
However, it does not appear to call cancel_work_sync() for
maple_dma_process and maple_vblank_process. If an interrupt fired before
free_irq(), could the scheduled work items execute asynchronously after the
buffers are freed, dereferencing the freed memory?
[Severity: High]
This is another pre-existing issue in maple_bus_init(), but does the port
initialization loop leave dangling pointers on the global maple_waitq?
During the loop, each allocated device is immediately queued onto the
global maple_waitq via maple_add_packet():
for (i = 0; i < MAPLE_PORTS; i++) {
checked[i] = false;
empty[i] = false;
mdev[i] = maple_alloc_dev(i, 0);
if (!mdev[i]) {
while (i-- > 0)
maple_free_dev(mdev[i]);
If a subsequent allocation fails, the error handler loops backwards and
calls maple_free_dev(). However, maple_free_dev() frees mdev and mdev->mq
directly via kfree() without executing list_del() to remove them from
maple_waitq. Could this corrupt the linked list?
[Severity: High]
This is a pre-existing issue not touched by this patch, but can re-queuing
a maple packet without setting the busy flag cause list corruption?
Looking at setup_maple_commands() in drivers/sh/maple/maple.c, a
MAPLE_COMMAND_GETCOND packet is queued if mdev->busy is 0:
if (mdev->interval > 0 && atomic_read(&mdev->busy) == 0 &&
time_after(jiffies, mdev->when)) {
/* bounce if we cannot add */
add = maple_add_packet(mdev,
be32_to_cpu(mdev->devinfo.function),
MAPLE_COMMAND_GETCOND, 1, NULL);
if (!add)
mdev->when = jiffies + mdev->interval;
}
It successfully calls maple_add_packet(), which links mdev->mq->list into
maple_waitq. However, unlike other packet types, it fails to set
mdev->busy = 1.
If a concurrent userspace action (such as a read via /dev/mtdX in vmu-flash
leading to maple_vmu_read_block()) executes, would it read mdev->busy as 0,
assume the queue is free, and call maple_add_packet() again? This would
reuse the exact same mdev->mq object, executing list_add_tail() on an
already-linked node, which corrupts the list.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260703-b4-maple-cleanup-v1-0-41e424964da5@gmail.com?part=15
next prev parent reply other threads:[~2026-07-04 6:11 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-04 5:57 [PATCH 00/26] sh: maple: cleanup and modernize input drivers Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 01/26] sh: maple: include linux/device.h in linux/maple.h Dmitry Torokhov
2026-07-04 6:05 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 02/26] Input: maple_keyb - fix key press detection Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 03/26] Input: maplecontrol - only enable present axes Dmitry Torokhov
2026-07-04 6:10 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 04/26] Input: maplemouse - stop polling and clear callback on close Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 05/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04 6:07 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 06/26] Input: maplecontrol - simplify maple_device retrieval in open/close Dmitry Torokhov
2026-07-04 6:10 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 07/26] Input: maple_keyb - implement open and close methods Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 08/26] Input: maplemouse - remove redundant drvdata resetting Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 09/26] Input: maple_keyb " Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 10/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04 6:09 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 11/26] Input: maplemouse - remove unused mdev->driver assignment Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 12/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04 6:06 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 13/26] Input: maple_keyb " Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 14/26] mtd: maps: vmu-flash: " Dmitry Torokhov
2026-07-04 6:08 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 15/26] sh: maple: remove not needed maple_unsupported_device driver Dmitry Torokhov
2026-07-04 6:11 ` sashiko-bot [this message]
2026-07-04 5:57 ` [PATCH 16/26] sh: maple: remove unused driver field from struct maple_device Dmitry Torokhov
2026-07-04 6:09 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 17/26] sh: maple: implement bus-level probe/remove Dmitry Torokhov
2026-07-04 6:12 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 18/26] sh: maple: introduce callback_mutex in maple_device Dmitry Torokhov
2026-07-04 6:14 ` sashiko-bot
2026-07-04 15:48 ` Florian Fuchs
2026-07-04 23:50 ` Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 19/26] Input: maple_keyb - remove redundant mutex and remove method Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 20/26] Input: maple_keyb - convert to devm Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 21/26] Input: maplemouse " Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 22/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04 6:13 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 23/26] Input: maple_keyb - fix style issues Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 24/26] Input: maplemouse " Dmitry Torokhov
2026-07-04 5:57 ` [PATCH 25/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04 6:12 ` sashiko-bot
2026-07-04 5:57 ` [PATCH 26/26] Input: maple_keyb - remove redundant 'new' buffer from struct dc_kbd Dmitry Torokhov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260704061136.8899C1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-input@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox