Linux Input/HID development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Dmitry Torokhov" <dmitry.torokhov@gmail.com>
Cc: dmitry.torokhov@gmail.com, linux-input@vger.kernel.org
Subject: Re: [PATCH 17/26] sh: maple: implement bus-level probe/remove
Date: Sat, 04 Jul 2026 06:12:54 +0000	[thread overview]
Message-ID: <20260704061254.9FDA71F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260703-b4-maple-cleanup-v1-17-41e424964da5@gmail.com>

Thank you for your contribution! Sashiko AI review found 6 potential issue(s) to consider:

Pre-existing issues:
- [High] Dangling function pointers in maple_device leading to execution of unloaded module code on hot-unplug.
- [High] Missing `cancel_work_sync()` in `maple_bus_init` error path leads to Use-After-Free.
- [High] Dangling hardware callback in `vmu_connect` error path leads to Use-After-Free.
- [High] NULL pointer dereference and multiple memory leaks in `vmu_disconnect`.
- [High] The driver reports input events but fails to call `input_sync()` at the end of the packet handling.
- [Medium] Memory leak of `card->mtd` array on failure path in `vmu_connect`.
--

commit 8d15bc5545d93a9d1f9f85e0e543bc57384c73cb
Author: Dmitry Torokhov <dmitry.torokhov@gmail.com>

sh: maple: implement bus-level probe/remove
    
Implement probe() and remove() methods for the maple bus, and update
struct maple_driver to have its own probe() and remove() members that
take struct maple_device * directly. Adjust all maple drivers to
use these new bus-level methods.

> diff --git a/drivers/input/joystick/maplecontrol.c b/drivers/input/joystick/maplecontrol.c
> index 955e01bcfa0c1..6864243b0b4a2 100644
> --- a/drivers/input/joystick/maplecontrol.c
> +++ b/drivers/input/joystick/maplecontrol.c
> @@ -78,7 +78,7 @@ static void dc_pad_close(struct input_dev *dev)
>  }
>  
>  /* allow the controller to be used */
> -static int probe_maple_controller(struct device *dev)
> +static int probe_maple_controller(struct maple_device *mdev)
>  {

[Severity: High]
This is a pre-existing issue, but does dc_pad_callback() fail to call
input_sync() after reporting events?

drivers/input/joystick/maplecontrol.c:dc_pad_callback() {
    ...
    input_report_abs(dev, ABS_RY,     res[15]);
}

The driver reports input events but never calls input_sync() at the end of the
packet handling. As dictated by the Input Subsystem guidelines, every logical
group of events must be followed by a call to input_sync(), otherwise events
may not be properly synchronized and delivered to userspace.

[ ... ]
> diff --git a/drivers/mtd/maps/vmu-flash.c b/drivers/mtd/maps/vmu-flash.c
> index 8f7028ac1b56a..c34c768dfb876 100644
> --- a/drivers/mtd/maps/vmu-flash.c
> +++ b/drivers/mtd/maps/vmu-flash.c
> @@ -769,30 +769,25 @@ static void vmu_file_error(struct maple_device *mdev, void *recvbuf)
>  }
>  
>  
> -static int probe_maple_vmu(struct device *dev)
> +static int probe_maple_vmu(struct maple_device *mdev)
>  {
> -	struct maple_device *mdev = to_maple_dev(dev);
> -
>  	mdev->can_unload = vmu_can_unload;
>  	mdev->fileerr_handler = vmu_file_error;
>  

[Severity: High]
This is a pre-existing issue, but does this leave dangling function pointers
during device hot-unplug?

mdev->can_unload and mdev->fileerr_handler are set here, but remove_maple_vmu()
never clears them. If the module is unbound and unloaded, and the device is
subsequently physically unplugged, maple_response_none() will call the dangling
mdev->can_unload(mdev). This would jump to unmapped memory and cause a kernel
panic.

>  	return vmu_connect(mdev);
>  }

[Severity: Medium]
This is a pre-existing issue, but does vmu_connect() leak the card->mtd array
on the packet addition failure path?

When maple_add_packet() fails, the code jumps to fail_mtd_info:

drivers/mtd/maps/vmu-flash.c:vmu_connect() {
    ...
fail_device_busy:
    kfree(card->mtd);
fail_mtd_info:
    kfree(card->parts);
    ...
}

This bypasses the kfree(card->mtd) cleanup block, causing a memory leak.

[Severity: High]
This is a pre-existing issue, but does vmu_connect() leave a dangling callback
if it fails?

drivers/mtd/maps/vmu-flash.c:vmu_connect() {
    ...
    maple_getcond_callback(mdev, vmu_queryblocks, 0, MAPLE_FUNC_MEMCARD);
    ...
}

If vmu_connect() returns an error (like device busy or maple_add_packet failure),
it frees the 'card' structure but doesn't clear mdev->callback. If the maple
bus receives a MAPLE_RESPONSE_DATATRF, will the core unconditionally execute the
callback and attempt to use the freed 'card' structure?

> -static int remove_maple_vmu(struct device *dev)
> +static void remove_maple_vmu(struct maple_device *mdev)
>  {
> -	struct maple_device *mdev = to_maple_dev(dev);
> -
>  	vmu_disconnect(mdev);
> -	return 0;
>  }

[Severity: High]
This is a pre-existing issue, but can vmu_disconnect() trigger a NULL pointer
dereference?

drivers/mtd/maps/vmu-flash.c:vmu_disconnect() {
    ...
    for (x = 0; x < card->partitions; x++) {
        mpart = ((card->mtd)[x]).priv;
        mpart->mdev = NULL;
    ...
}

Since vmu_connect() creates card->mtd as a zeroed array, card->mtd[x].priv is
NULL until vmu_queryblocks() asynchronously allocates and assigns it. If the
device is disconnected before the callback completes for all partitions, will
this blindly dereference mpart? Additionally, does this fail to free mpart,
pcache, and pcache->buffer completely, causing memory leaks on every successful
bind/unbind?

[ ... ]
> diff --git a/drivers/sh/maple/maple.c b/drivers/sh/maple/maple.c
> index 35aff2e57d2c8..c0715e3ace6f1 100644
> --- a/drivers/sh/maple/maple.c
> +++ b/drivers/sh/maple/maple.c
> @@ -790,7 +816,6 @@ static int __init maple_bus_init(void)
>  	if (retval)
>  		goto cleanup_device;
>  
> -
>  	/* allocate memory for maple bus dma */
>  	retval = maple_get_dma_buffer();

[Severity: High]
This is a pre-existing issue, but does the error path in maple_bus_init()
fail to cancel asynchronous work, leading to a use-after-free?

drivers/sh/maple/maple.c:maple_bus_init() {
    ...
cleanup_irq:
    free_irq(HW_EVENT_MAPLE_DMA, &maple_bus);

cleanup_dma:
    free_pages((unsigned long) maple_sendbuf, MAPLE_DMA_PAGES);
    ...
}

If initialization fails after the DMA or VBLANK IRQs are registered, the error
path frees the IRQs and the maple_sendbuf memory. However, it fails to cancel
the asynchronous work (maple_dma_process and maple_vblank_process). If an IRQ
fires before free_irq(), the scheduled work will execute maple_dma_handler() or
maple_vblank_handler(), which dereferences the freed maple_sendbuf memory via
maple_send().

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260703-b4-maple-cleanup-v1-0-41e424964da5@gmail.com?part=17

  reply	other threads:[~2026-07-04  6:12 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-04  5:57 [PATCH 00/26] sh: maple: cleanup and modernize input drivers Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 01/26] sh: maple: include linux/device.h in linux/maple.h Dmitry Torokhov
2026-07-04  6:05   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 02/26] Input: maple_keyb - fix key press detection Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 03/26] Input: maplecontrol - only enable present axes Dmitry Torokhov
2026-07-04  6:10   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 04/26] Input: maplemouse - stop polling and clear callback on close Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 05/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04  6:07   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 06/26] Input: maplecontrol - simplify maple_device retrieval in open/close Dmitry Torokhov
2026-07-04  6:10   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 07/26] Input: maple_keyb - implement open and close methods Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 08/26] Input: maplemouse - remove redundant drvdata resetting Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 09/26] Input: maple_keyb " Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 10/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04  6:09   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 11/26] Input: maplemouse - remove unused mdev->driver assignment Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 12/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04  6:06   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 13/26] Input: maple_keyb " Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 14/26] mtd: maps: vmu-flash: " Dmitry Torokhov
2026-07-04  6:08   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 15/26] sh: maple: remove not needed maple_unsupported_device driver Dmitry Torokhov
2026-07-04  6:11   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 16/26] sh: maple: remove unused driver field from struct maple_device Dmitry Torokhov
2026-07-04  6:09   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 17/26] sh: maple: implement bus-level probe/remove Dmitry Torokhov
2026-07-04  6:12   ` sashiko-bot [this message]
2026-07-04  5:57 ` [PATCH 18/26] sh: maple: introduce callback_mutex in maple_device Dmitry Torokhov
2026-07-04  6:14   ` sashiko-bot
2026-07-04 15:48   ` Florian Fuchs
2026-07-04 23:50     ` Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 19/26] Input: maple_keyb - remove redundant mutex and remove method Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 20/26] Input: maple_keyb - convert to devm Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 21/26] Input: maplemouse " Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 22/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04  6:13   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 23/26] Input: maple_keyb - fix style issues Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 24/26] Input: maplemouse " Dmitry Torokhov
2026-07-04  5:57 ` [PATCH 25/26] Input: maplecontrol " Dmitry Torokhov
2026-07-04  6:12   ` sashiko-bot
2026-07-04  5:57 ` [PATCH 26/26] Input: maple_keyb - remove redundant 'new' buffer from struct dc_kbd Dmitry Torokhov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260704061254.9FDA71F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=dmitry.torokhov@gmail.com \
    --cc=linux-input@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox