Linux Input/HID development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Jiale Yao" <yaojiale02@163.com>
Cc: linux-input@vger.kernel.org, dmitry.torokhov@gmail.com
Subject: Re: [PATCH 1/4] HID: cougar: fix out-of-bounds read in cougar_raw_event
Date: Tue, 14 Jul 2026 13:32:17 +0000	[thread overview]
Message-ID: <20260714133217.69FA21F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260714131611.269929-1-yaojiale02@163.com>

Thank you for your contribution! Sashiko AI review found 6 potential issue(s) to consider:

New issues:
- [Medium] Unbounded error logging in interrupt context can lead to log flooding and Denial of Service.
- [Low] The newly added `hid_err` log message is missing a terminating newline character.

Pre-existing issues:
- [High] TOCTOU race condition during device unbinding leads to a Use-After-Free of the keyboard's input_dev (`shared->input`).
- [High] Self-deadlock on `cougar_udev_list_lock` during error handling in `cougar_bind_shared_data()`.
- [High] Race condition between `kref_put()` and list lookup causing Use-After-Free of the `cougar_shared` structure.
- [High] The probe function dereferences `hdev->collection` without verifying that any collections were actually parsed.
--

--- Patch [1]: [PATCH 1/4] HID: cougar: fix out-of-bounds read in cougar_raw_event ---
commit bb404070c5edd2b402b1e549ba66068e04c7d429
Author: Jiale Yao <yaojiale02@163.com>

HID: cougar: fix out-of-bounds read in cougar_raw_event

This patch adds a bounds check to cougar_raw_event() to prevent out-of-bounds
reads when handling malformed HID reports shorter than 3 bytes.

> --- a/drivers/hid/hid-cougar.c
> +++ b/drivers/hid/hid-cougar.c
> @@ -270,6 +270,12 @@ static int cougar_raw_event(struct hid_device *hdev, struct hid_report *report,
>  	if (!shared->enabled || !shared->input)
>  		return -EPERM;

[Severity: High]
This is a pre-existing issue, but is there a TOCTOU race condition here
during device unbinding?

If a device disconnect is triggered while a USB event is being processed,
cougar_raw_event() checks shared->enabled locklessly on one CPU.
Concurrently, cougar_remove() on another CPU could clear shared->enabled
and call hid_hw_stop(), destroying the input_dev.

Could the interrupt handler then resume and dereference the freed
shared->input in input_event()?

> +	if (size < 3) {
> +		hid_err(hdev, "Received HID report of bad size (%d)",
> +			size);

[Severity: Medium]
Could this un-ratelimited error logging lead to a log flood if a
malfunctioning or malicious device continuously sends reports shorter than
3 bytes?

Since cougar_raw_event() runs in interrupt context, this might cause high
CPU usage and flood the kernel ring buffer.

[Severity: Low]
Also, does this log message need a terminating newline character?
Without the \n, subsequent kernel messages might be incorrectly appended
to the same line.

> +		return -EPERM;
> +	}
> +
>  	code = data[COUGAR_FIELD_CODE];

[ ... ]

[Severity: High]
This is a pre-existing issue, but does cougar_bind_shared_data() have a
self-deadlock on cougar_udev_list_lock during error handling?

If devm_add_action_or_reset() fails, it invokes cougar_remove_shared_data()
which drops the kref to zero, triggering cougar_release_shared_data():

drivers/hid/hid-cougar.c:cougar_release_shared_data() {
    ...
    mutex_lock(&cougar_udev_list_lock);
    ...
}

Since cougar_bind_shared_data() already holds cougar_udev_list_lock when
calling devm_add_action_or_reset(), will this attempt to re-acquire the
already held mutex block all further probes?

[Severity: High]
This is a pre-existing issue, but is there a race condition between
kref_put() and list lookup that could cause a use-after-free of the
cougar_shared structure?

During device unbind, cougar_remove_shared_data() calls
kref_put(&shared->kref) without holding cougar_udev_list_lock. If the
refcount drops to 0, cougar_release_shared_data() blocks on the lock.

Concurrently, a new device probe calling cougar_bind_shared_data() holds
the lock and traverses the list:

drivers/hid/hid-cougar.c:cougar_bind_shared_data() {
    ...
    mutex_lock(&cougar_udev_list_lock);
    list_for_each_entry(shared, &cougar_udev_list, list) {
        ...
        kref_get(&shared->kref);
        ...
    }
}

Could it find the zero-refcount object, increment it, and then after the lock
is dropped, the blocked release function frees it, leaving the newly
probed device with a dangling pointer?

[Severity: High]
This is a pre-existing issue, but does the probe function dereference
hdev->collection without verifying that any collections were actually
parsed?

drivers/hid/hid-cougar.c:cougar_probe() {
    ...
    if (hdev->collection->usage == COUGAR_VENDOR_USAGE) {
    ...
}

If a USB device supplies a HID report descriptor containing no collections,
hid_parse() succeeds but hdev->collection remains NULL. Will this
unconditional access cause a panic on probe?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260714131611.269929-1-yaojiale02@163.com?part=1

      parent reply	other threads:[~2026-07-14 13:32 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-14 13:16 [PATCH 1/4] HID: cougar: fix out-of-bounds read in cougar_raw_event Jiale Yao
2026-07-14 13:16 ` [PATCH 2/4] HID: corsair-void: fix out-of-bounds read in corsair_void_raw_event Jiale Yao
2026-07-14 13:16 ` [PATCH 3/4] HID: mcp2221: fix out-of-bounds read in mcp2221_raw_event Jiale Yao
2026-07-14 13:52   ` sashiko-bot
2026-07-14 13:16 ` [PATCH 4/4] HID: cp2112: fix out-of-bounds read in cp2112_raw_event Jiale Yao
2026-07-14 14:04   ` sashiko-bot
2026-07-14 13:32 ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260714133217.69FA21F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=dmitry.torokhov@gmail.com \
    --cc=linux-input@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=yaojiale02@163.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox