Linux Input/HID development
 help / color / mirror / Atom feed
* [PATCH] Input: maplecontrol - set driver data before registering input device
@ 2026-06-30  5:49 Dmitry Torokhov
  2026-06-30  6:00 ` sashiko-bot
  2026-06-30 19:15 ` Florian Fuchs
  0 siblings, 2 replies; 3+ messages in thread
From: Dmitry Torokhov @ 2026-06-30  5:49 UTC (permalink / raw)
  To: Adrian McMenamin, linux-input; +Cc: Florian Fuchs, linux-kernel

Set maple driver data before calling input_register_device() to
ensure that it is available if the device is opened immediately and
the callback is triggered.

Cc: stable@vger.kernel.org
Assisted-by: Antigravity:gemini-3.5-flash
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
---
 drivers/input/joystick/maplecontrol.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/input/joystick/maplecontrol.c b/drivers/input/joystick/maplecontrol.c
index 7f36f73844a9..6293b6e8148b 100644
--- a/drivers/input/joystick/maplecontrol.c
+++ b/drivers/input/joystick/maplecontrol.c
@@ -112,6 +112,8 @@ static int probe_maple_controller(struct device *dev)
 	pad->dev = idev;
 	pad->mdev = mdev;
 
+	maple_set_drvdata(mdev, pad);
+
 	idev->open = dc_pad_open;
 	idev->close = dc_pad_close;
 
@@ -146,7 +148,6 @@ static int probe_maple_controller(struct device *dev)
 		goto fail;
 
 	mdev->driver = mdrv;
-	maple_set_drvdata(mdev, pad);
 
 	return 0;
 
-- 
2.55.0.rc0.799.gd6f94ed593-goog


-- 
Dmitry

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] Input: maplecontrol - set driver data before registering input device
  2026-06-30  5:49 [PATCH] Input: maplecontrol - set driver data before registering input device Dmitry Torokhov
@ 2026-06-30  6:00 ` sashiko-bot
  2026-06-30 19:15 ` Florian Fuchs
  1 sibling, 0 replies; 3+ messages in thread
From: sashiko-bot @ 2026-06-30  6:00 UTC (permalink / raw)
  To: Dmitry Torokhov; +Cc: dmitry.torokhov, linux-input

Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:

New issues:
- [Medium] Dangling pointer to freed memory remains in driver data during the probe error path.

Pre-existing issues:
- [Critical] Invalid pointer derivation leading to NULL pointer dereference on device open.
- [High] Race condition exposing uninitialized driver data to hardware callbacks or userspace.
- [High] Race condition during device unbind leading to a NULL pointer dereference in the callback.
--

commit 32d63e0cc91d90b1d5a10a7764828de58888a240
Author: Dmitry Torokhov <dmitry.torokhov@gmail.com>

Input: maplecontrol - set driver data before registering input device

This commit modifies the maplecontrol driver to set the driver data before
calling input_register_device(). This ensures that the driver data is
available immediately if the device is opened and the callback is triggered.

> diff --git a/drivers/input/joystick/maplecontrol.c b/drivers/input/joystick/maplecontrol.c
> index 7f36f73844a91..6293b6e8148b3 100644
> --- a/drivers/input/joystick/maplecontrol.c
> +++ b/drivers/input/joystick/maplecontrol.c
> @@ -146,7 +148,6 @@ static int probe_maple_controller(struct device *dev)
>  		goto fail;
>  
>  	mdev->driver = mdrv;
> -	maple_set_drvdata(mdev, pad);
>  
>  	return 0;

[Severity: Medium]
Since maple_set_drvdata(mdev, pad) was moved before input_register_device(),
does this leave a dangling pointer to freed memory in the error path?

If input_register_device() fails, it jumps to the fail block:

fail:
        input_free_device(idev);
        kfree(pad);
        maple_set_drvdata(mdev, NULL);
        return error;

This executes kfree(pad) before maple_set_drvdata(mdev, NULL), temporarily
leaving a dangling pointer in driver core structures. Should the order be
updated to clear the driver data before freeing pad?

[Severity: High]
This isn't a bug introduced by this patch, but does device removal race with
the maple DMA workqueue leading to a NULL pointer dereference?

When unbinding the device, remove_maple_controller() clears mdev->callback:

drivers/input/joystick/maplecontrol.c:remove_maple_controller() {
    ...
    mdev->callback = NULL;
    input_unregister_device(pad->dev);
    maple_set_drvdata(mdev, NULL);
    kfree(pad);
    ...
}

If the device is still open, input_unregister_device() synchronously invokes
dc_pad_close(), which inadvertently overwrites mdev->callback back to
dc_pad_callback:

drivers/input/joystick/maplecontrol.c:dc_pad_close() {
    ...
    maple_getcond_callback(pad->mdev, dc_pad_callback, 0, MAPLE_FUNC_CONTROLLER);
    ...
}

The driver then executes maple_set_drvdata(mdev, NULL) and frees memory. A
pending maple DMA response running in the workqueue can then trigger
dc_pad_callback(), which fetches the now-NULL drvdata:

drivers/input/joystick/maplecontrol.c:dc_pad_callback() {
    ...
    struct dc_pad *pad = maple_get_drvdata(mapledev);
    struct input_dev *dev = pad->dev;
    ...
}

Could this result in dereferencing pad->dev and crashing the kernel if
triggered by unbinding the device while it is actively opened by local
userspace?

[Severity: High]
This is a pre-existing issue, but is there a race condition exposing
uninitialized driver data to hardware callbacks or userspace in other maple
drivers?

In drivers/input/keyboard/maple_keyb.c:probe_maple_kbd():

    maple_getcond_callback(mdev, dc_kbd_callback, HZ/50, MAPLE_FUNC_KEYBOARD);
    mdev->driver = mdrv;
    maple_set_drvdata(mdev, kbd);

The callback is armed before the driver data is initialized, allowing the
interrupt handler to run and read a NULL pointer.

Similarly, in drivers/input/mouse/maplemouse.c:probe_maple_mouse():

    error = input_register_device(input_dev);
    if (error)
            goto fail_register;

    mdev->driver = mdrv;
    maple_set_drvdata(mdev, mse);

Driver data for the mouse is set after device registration. If the hardware
callback fires immediately or userspace opens the device concurrently,
maple_get_drvdata() will return NULL and the callback could dereference it.

[Severity: Critical]
This is a pre-existing issue, but can this lead to a NULL pointer dereference
on device open?

Looking at dc_mouse_open() in drivers/input/mouse/maplemouse.c:

    struct dc_mouse *mse = maple_get_drvdata(to_maple_dev(&dev->dev));
    maple_getcond_callback(mse->mdev, dc_mouse_callback, HZ/50, MAPLE_FUNC_MOUSE);

The to_maple_dev macro uses container_of to subtract the offset of dev in
struct maple_device, and maple_get_drvdata immediately adds the offset back
via &mdev->dev. This mathematical cancellation means it effectively calls
dev_get_drvdata(&input_dev->dev).

However, the driver data was actually stored in the maple device (&mdev->dev),
not the input device. Thus, dev_get_drvdata returns NULL, and the subsequent
dereference of mse->mdev results in a direct NULL pointer dereference.

The same issue appears in drivers/input/mouse/maplemouse.c:dc_mouse_close():

    struct dc_mouse *mse = maple_get_drvdata(to_maple_dev(&dev->dev));

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/akNYib9hQFNN1fA9@google.com?part=1

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] Input: maplecontrol - set driver data before registering input device
  2026-06-30  5:49 [PATCH] Input: maplecontrol - set driver data before registering input device Dmitry Torokhov
  2026-06-30  6:00 ` sashiko-bot
@ 2026-06-30 19:15 ` Florian Fuchs
  1 sibling, 0 replies; 3+ messages in thread
From: Florian Fuchs @ 2026-06-30 19:15 UTC (permalink / raw)
  To: Dmitry Torokhov; +Cc: Adrian McMenamin, linux-input, linux-kernel

On 29 Jun 22:49, Dmitry Torokhov wrote:
> Set maple driver data before calling input_register_device() to
> ensure that it is available if the device is opened immediately and
> the callback is triggered.
> 
> Cc: stable@vger.kernel.org
> Assisted-by: Antigravity:gemini-3.5-flash
> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
> ---
>  drivers/input/joystick/maplecontrol.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/input/joystick/maplecontrol.c b/drivers/input/joystick/maplecontrol.c
> index 7f36f73844a9..6293b6e8148b 100644
> --- a/drivers/input/joystick/maplecontrol.c
> +++ b/drivers/input/joystick/maplecontrol.c
> @@ -112,6 +112,8 @@ static int probe_maple_controller(struct device *dev)
>  	pad->dev = idev;
>  	pad->mdev = mdev;
>  
> +	maple_set_drvdata(mdev, pad);
> +
>  	idev->open = dc_pad_open;
>  	idev->close = dc_pad_close;
>  
> @@ -146,7 +148,6 @@ static int probe_maple_controller(struct device *dev)
>  		goto fail;
>  
>  	mdev->driver = mdrv;
> -	maple_set_drvdata(mdev, pad);
>  
>  	return 0;
>  
> -- 
> 2.55.0.rc0.799.gd6f94ed593-goog
> 
> 
> -- 
> Dmitry

Tested-by: Florian Fuchs <fuchsfl@gmail.com>

Regards
Florian

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-06-30 19:15 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-30  5:49 [PATCH] Input: maplecontrol - set driver data before registering input device Dmitry Torokhov
2026-06-30  6:00 ` sashiko-bot
2026-06-30 19:15 ` Florian Fuchs

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox