* Re: [PATCH v2] HID: wiimote: Fix table layout and whitespace errors
From: Benjamin Tissoires @ 2026-06-01 18:15 UTC (permalink / raw)
To: David Rheinsberg, Jiri Kosina, Bogdan Petru, Joshua Jun,
J. Neuschäfer
Cc: linux-input, linux-kernel
In-Reply-To: <20260326-wiimod-table-v2-1-a11703ccdf41@posteo.net>
On Thu, 26 Mar 2026 15:03:48 +0100, J. Neuschäfer wrote:
> Some tab characters snuck into the data layout table for turntable
> extensions, which resulted in the table only looking right at a tabstop
> of 4, which is uncommon in the kernel. Change them to the equivalent
> amount of spaces, which should look correct in any editor.
>
> While at it, also fix the other whitespace errors (trailing spaces at
> end of line) introduced in the same commit.
>
> [...]
Applied to https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git (for-7.2/wiimote), thanks!
[1/1] HID: wiimote: Fix table layout and whitespace errors
https://git.kernel.org/hid/hid/c/12b7731995ca
Cheers,
--
Benjamin Tissoires <bentiss@kernel.org>
^ permalink raw reply
* [PATCH v2 0/3] HID: i2c-hid: Fix some PRP0001 touchpads probe after OF/ACPI split
From: 谢致邦 (XIE Zhibang) @ 2026-06-01 18:15 UTC (permalink / raw)
To: linux-input, hansg, dmitry.torokhov
Cc: Yeking, bentiss, dianders, jikos, linux-kernel, superm1,
谢致邦 (XIE Zhibang), Pin-yen Lin, Xu Rao,
Kwok Kin Ming, Dan Carpenter
In-Reply-To: <ahnqMMhD8jn51ch7@google.com>
Before commit b33752c30023 ("HID: i2c-hid: Reorganize so ACPI and OF are
separate modules"), the unified i2c-hid driver handled both PNP0C50 ACPI
devices and hid-over-i2c OF devices. After the split, devices with _HID
"PRP0001" and _DSD compatible "hid-over-i2c" are only probed by
i2c_hid_of, which requires "hid-descr-addr" in the _DSD. Some devices,
for example the Lenovo KaiTian N60d and Inspur CP300L3, provide the HID
descriptor address only through the _DSM method and thus fail to probe.
Patch 1 moves the blacklist check so the function can return early
without wasting an allocation.
Patch 2 moves the _DSM call that gets the HID descriptor address from
i2c-hid-acpi.c to a shared helper in i2c-hid-core.c so both
i2c-hid-acpi.c and i2c-hid-of.c can use it.
Patch 3 calls the common helper as a fallback when "hid-descr-addr" is
missing, and sets safe post-power-on and post-reset-deassert delays.
谢致邦 (XIE Zhibang) (3):
HID: i2c-hid-acpi: Move blacklist check to probe() before
devm_kzalloc()
HID: i2c-hid: Move common ACPI _DSM helper into core
HID: i2c-hid-of: Fall back to ACPI _DSM when hid-descr-addr is missing
drivers/hid/i2c-hid/i2c-hid-acpi.c | 41 +++++++-----------------------
drivers/hid/i2c-hid/i2c-hid-core.c | 35 +++++++++++++++++++++++++
drivers/hid/i2c-hid/i2c-hid-of.c | 30 ++++++++++++++++++++++
drivers/hid/i2c-hid/i2c-hid.h | 11 ++++++++
4 files changed, 85 insertions(+), 32 deletions(-)
--
2.54.0
^ permalink raw reply
* Re: [PATCH v1] HID: i2c-hid-of: Use named initializers for struct i2c_device_id
From: Benjamin Tissoires @ 2026-06-01 18:15 UTC (permalink / raw)
To: Jiri Kosina, Uwe Kleine-König (The Capable Hub)
Cc: linux-input, linux-kernel
In-Reply-To: <20260519160420.1597193-2-u.kleine-koenig@baylibre.com>
On Tue, 19 May 2026 18:04:20 +0200, Uwe Kleine-König (The Capable Hub) wrote:
> While being less compact, using named initializers allows to more easily
> see which members of the structs are assigned which value without having
> to lookup the declaration of the struct. And it's also more robust
> against changes to the struct definition.
>
> This patch doesn't modify the compiled array, only its representation in
> source form benefits. The former was confirmed with x86 and arm64
> builds.
>
> [...]
Applied to https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git (for-7.2/i2c-hid), thanks!
[1/1] HID: i2c-hid-of: Use named initializers for struct i2c_device_id
https://git.kernel.org/hid/hid/c/eda0f9e57087
Cheers,
--
Benjamin Tissoires <bentiss@kernel.org>
^ permalink raw reply
* [PATCH v2 1/3] HID: i2c-hid-acpi: Move blacklist check to probe() before devm_kzalloc()
From: 谢致邦 (XIE Zhibang) @ 2026-06-01 18:15 UTC (permalink / raw)
To: linux-input, hansg, dmitry.torokhov
Cc: Yeking, bentiss, dianders, jikos, linux-kernel, superm1,
谢致邦 (XIE Zhibang), Pin-yen Lin, Xu Rao,
Kwok Kin Ming, Dan Carpenter
In-Reply-To: <20260601181510.38705-1-Yeking@Red54.com>
Move the check so the function can return early without wasting an
allocation. This is a pure refactoring, no functional change.
Signed-off-by: 谢致邦 (XIE Zhibang) <Yeking@Red54.com>
---
v2: Merge declaration into assignment.
drivers/hid/i2c-hid/i2c-hid-acpi.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/hid/i2c-hid/i2c-hid-acpi.c b/drivers/hid/i2c-hid/i2c-hid-acpi.c
index abd700a101f4..f65fb6396b69 100644
--- a/drivers/hid/i2c-hid/i2c-hid-acpi.c
+++ b/drivers/hid/i2c-hid/i2c-hid-acpi.c
@@ -60,9 +60,6 @@ static int i2c_hid_acpi_get_descriptor(struct i2c_hid_acpi *ihid_acpi)
union acpi_object *obj;
u16 hid_descriptor_address;
- if (acpi_match_device_ids(adev, i2c_hid_acpi_blacklist) == 0)
- return -ENODEV;
-
obj = acpi_evaluate_dsm_typed(handle, &i2c_hid_guid, 1, 1, NULL,
ACPI_TYPE_INTEGER);
if (!obj) {
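Review bot: The commit message calls this a pure refactoring, but removing the blacklist test from i2c_hid_acpi_get_descriptor() changes behaviour for every caller of that function other than probe(). Patch 2/3 shows i2c_hid_acpi_restore_sequence() calling it as well; that path stays safe only because probe() now returns -ENODEV for blacklisted devices before restore_sequence is installed. Please state that in the commit message so the "no functional change" claim can be checked from the log alone.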
@@ -93,15 +90,19 @@ static void i2c_hid_acpi_shutdown_tail(struct i2chid_ops *ops)
static int i2c_hid_acpi_probe(struct i2c_client *client)
{
struct device *dev = &client->dev;
+ struct acpi_device *adev = ACPI_COMPANION(dev);
struct i2c_hid_acpi *ihid_acpi;
u16 hid_descriptor_address;
int ret;
+ if (acpi_match_device_ids(adev, i2c_hid_acpi_blacklist) == 0)
+ return -ENODEV;
+
ihid_acpi = devm_kzalloc(&client->dev, sizeof(*ihid_acpi), GFP_KERNEL);
if (!ihid_acpi)
return -ENOMEM;
- ihid_acpi->adev = ACPI_COMPANION(dev);
+ ihid_acpi->adev = adev;
ihid_acpi->ops.shutdown_tail = i2c_hid_acpi_shutdown_tail;
ihid_acpi->ops.restore_sequence = i2c_hid_acpi_restore_sequence;
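Review bot: In i2c_hid_acpi_probe(), adev now comes straight from ACPI_COMPANION(dev) and is handed to acpi_match_device_ids() with no NULL test. The helper added in patch 2/3 guards the same lookup with `if (!adev) return -ENODEV;`, so either add that guard here too or say in the commit message why a companion is always present when this driver binds. Minor: the allocation right below still spells `&client->dev` although `dev` is in scope.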
--
2.54.0
^ permalink raw reply related
* [PATCH v2 2/3] HID: i2c-hid: Move common ACPI _DSM helper into core
From: 谢致邦 (XIE Zhibang) @ 2026-06-01 18:15 UTC (permalink / raw)
To: linux-input, hansg, dmitry.torokhov
Cc: Yeking, bentiss, dianders, jikos, linux-kernel, superm1,
谢致邦 (XIE Zhibang), Pin-yen Lin, Xu Rao,
Kwok Kin Ming, Dan Carpenter
In-Reply-To: <20260601181510.38705-1-Yeking@Red54.com>
Move the _DSM call that gets the HID descriptor address from
i2c-hid-acpi.c to a shared helper in i2c-hid-core.c so both
i2c-hid-acpi.c and i2c-hid-of.c can use it.
Signed-off-by: 谢致邦 (XIE Zhibang) <Yeking@Red54.com>
---
drivers/hid/i2c-hid/i2c-hid-acpi.c | 32 ++++-----------------------
drivers/hid/i2c-hid/i2c-hid-core.c | 35 ++++++++++++++++++++++++++++++
drivers/hid/i2c-hid/i2c-hid.h | 11 ++++++++++
3 files changed, 50 insertions(+), 28 deletions(-)
diff --git a/drivers/hid/i2c-hid/i2c-hid-acpi.c b/drivers/hid/i2c-hid/i2c-hid-acpi.c
index f65fb6396b69..234789a07047 100644
--- a/drivers/hid/i2c-hid/i2c-hid-acpi.c
+++ b/drivers/hid/i2c-hid/i2c-hid-acpi.c
@@ -25,12 +25,12 @@
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/pm.h>
-#include <linux/uuid.h>
#include "i2c-hid.h"
struct i2c_hid_acpi {
struct i2chid_ops ops;
+ struct i2c_client *client;
struct acpi_device *adev;
};
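Review bot: The new `struct i2c_client *client;` member is only used as `&ihid_acpi->client->dev` in i2c_hid_acpi_restore_sequence(), so storing a `struct device *dev` would say what is actually needed and drop one dereference. If the client pointer is wanted for later work, mention that in the commit message.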
@@ -48,36 +48,11 @@ static const struct acpi_device_id i2c_hid_acpi_blacklist[] = {
{ }
};
-/* HID I²C Device: 3cdff6f7-4267-4555-ad05-b30a3d8938de */
-static guid_t i2c_hid_guid =
- GUID_INIT(0x3CDFF6F7, 0x4267, 0x4555,
- 0xAD, 0x05, 0xB3, 0x0A, 0x3D, 0x89, 0x38, 0xDE);
-
-static int i2c_hid_acpi_get_descriptor(struct i2c_hid_acpi *ihid_acpi)
-{
- struct acpi_device *adev = ihid_acpi->adev;
- acpi_handle handle = acpi_device_handle(adev);
- union acpi_object *obj;
- u16 hid_descriptor_address;
-
- obj = acpi_evaluate_dsm_typed(handle, &i2c_hid_guid, 1, 1, NULL,
- ACPI_TYPE_INTEGER);
- if (!obj) {
- acpi_handle_err(handle, "Error _DSM call to get HID descriptor address failed\n");
- return -ENODEV;
- }
-
- hid_descriptor_address = obj->integer.value;
- ACPI_FREE(obj);
-
- return hid_descriptor_address;
-}
-
static void i2c_hid_acpi_restore_sequence(struct i2chid_ops *ops)
{
struct i2c_hid_acpi *ihid_acpi = container_of(ops, struct i2c_hid_acpi, ops);
- i2c_hid_acpi_get_descriptor(ihid_acpi);
+ i2c_hid_core_acpi_get_descriptor(&ihid_acpi->client->dev);
}
static void i2c_hid_acpi_shutdown_tail(struct i2chid_ops *ops)
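Review bot: i2c_hid_acpi_restore_sequence() discards the return value of i2c_hid_core_acpi_get_descriptor(), which reads oddly now that the helper is a shared "get descriptor" function. A one-line comment that the _DSM is re-evaluated here for its effect rather than for the returned address would keep a later cleanup from deleting the call as dead code. The helper already logs through acpi_handle_err() on failure, so ignoring the error is acceptable, but the comment should say that too.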
@@ -102,11 +77,12 @@ static int i2c_hid_acpi_probe(struct i2c_client *client)
if (!ihid_acpi)
return -ENOMEM;
+ ihid_acpi->client = client;
ihid_acpi->adev = adev;
ihid_acpi->ops.shutdown_tail = i2c_hid_acpi_shutdown_tail;
ihid_acpi->ops.restore_sequence = i2c_hid_acpi_restore_sequence;
- ret = i2c_hid_acpi_get_descriptor(ihid_acpi);
+ ret = i2c_hid_core_acpi_get_descriptor(dev);
if (ret < 0)
return ret;
hid_descriptor_address = ret;
diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c
index 3adb16366e93..1e1a8df5686d 100644
--- a/drivers/hid/i2c-hid/i2c-hid-core.c
+++ b/drivers/hid/i2c-hid/i2c-hid-core.c
@@ -1405,6 +1405,41 @@ const struct dev_pm_ops i2c_hid_core_pm = {
};
EXPORT_SYMBOL_GPL(i2c_hid_core_pm);
+#ifdef CONFIG_ACPI
+#include <linux/acpi.h>
+
+/* HID I²C Device: 3cdff6f7-4267-4555-ad05-b30a3d8938de */
+static guid_t i2c_hid_guid =
+ GUID_INIT(0x3CDFF6F7, 0x4267, 0x4555,
+ 0xAD, 0x05, 0xB3, 0x0A, 0x3D, 0x89, 0x38, 0xDE);
+
+int i2c_hid_core_acpi_get_descriptor(struct device *dev)
+{
+ struct acpi_device *adev = ACPI_COMPANION(dev);
+ acpi_handle handle;
+ union acpi_object *obj;
+ u16 hid_descriptor_address;
+
+ if (!adev)
+ return -ENODEV;
+
+ handle = acpi_device_handle(adev);
+ obj = acpi_evaluate_dsm_typed(handle, &i2c_hid_guid, 1, 1, NULL,
+ ACPI_TYPE_INTEGER);
+ if (!obj) {
+ acpi_handle_err(handle,
+ "Error _DSM call to get HID descriptor address failed\n");
+ return -ENODEV;
+ }
+
+ hid_descriptor_address = obj->integer.value;
+ ACPI_FREE(obj);
+
+ return hid_descriptor_address;
+}
+EXPORT_SYMBOL_GPL(i2c_hid_core_acpi_get_descriptor);
+#endif
+
MODULE_DESCRIPTION("HID over I2C core driver");
MODULE_AUTHOR("Benjamin Tissoires <benjamin.tissoires@gmail.com>");
MODULE_LICENSE("GPL");
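Review bot: `#include <linux/acpi.h>` sits inside the `#ifdef CONFIG_ACPI` block near the end of i2c-hid-core.c; it belongs with the other includes at the top of the file. Separately, `hid_descriptor_address = obj->integer.value;` silently narrows the firmware-supplied _DSM result to u16 before it is returned as int; a range check, or a comment that the truncation is intended, would surface a bogus firmware value instead of turning it into a different register address. The newly exported function also has no kernel-doc saying that it returns the address on success and -ENODEV on failure.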
diff --git a/drivers/hid/i2c-hid/i2c-hid.h b/drivers/hid/i2c-hid/i2c-hid.h
index 1724a435c783..bc8661c65b1a 100644
--- a/drivers/hid/i2c-hid/i2c-hid.h
+++ b/drivers/hid/i2c-hid/i2c-hid.h
@@ -44,4 +44,15 @@ void i2c_hid_core_shutdown(struct i2c_client *client);
extern const struct dev_pm_ops i2c_hid_core_pm;
+#ifdef CONFIG_ACPI
+struct device;
+int i2c_hid_core_acpi_get_descriptor(struct device *dev);
+#else
+struct device;
+static inline int i2c_hid_core_acpi_get_descriptor(struct device *dev)
+{
+ return -ENODEV;
+}
+#endif
+
#endif
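Review bot: `struct device;` is declared in both branches of the `#ifdef CONFIG_ACPI` in i2c-hid.h; hoist the forward declaration above the conditional so it appears once. The inline stub returns -ENODEV, so please check that every file including this header already pulls in the errno definitions rather than depending on include order.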
--
2.54.0
^ permalink raw reply related
* [PATCH v2 3/3] HID: i2c-hid-of: Fall back to ACPI _DSM when hid-descr-addr is missing
From: 谢致邦 (XIE Zhibang) @ 2026-06-01 18:15 UTC (permalink / raw)
To: linux-input, hansg, dmitry.torokhov
Cc: Yeking, bentiss, dianders, jikos, linux-kernel, superm1,
谢致邦 (XIE Zhibang), Pin-yen Lin, Xu Rao,
Kwok Kin Ming, Dan Carpenter
In-Reply-To: <20260601181510.38705-1-Yeking@Red54.com>
Before commit b33752c30023 ("HID: i2c-hid: Reorganize so ACPI and OF are
separate modules"), the unified i2c-hid driver handled both PNP0C50 ACPI
devices and hid-over-i2c OF devices. After the split, devices with _HID
"PRP0001" and _DSD compatible "hid-over-i2c" are only probed by
i2c_hid_of, which requires "hid-descr-addr" in the _DSD. Some devices,
for example the Lenovo KaiTian N60d and Inspur CP300L3, provide the HID
descriptor address only through the _DSM method. Call the common
i2c_hid_core_acpi_get_descriptor() helper as a fallback, and set safe
post-power-on and post-reset-deassert delays.
Fixes: b33752c30023 ("HID: i2c-hid: Reorganize so ACPI and OF are separate modules")
Signed-off-by: 谢致邦 (XIE Zhibang) <Yeking@Red54.com>
---
drivers/hid/i2c-hid/i2c-hid-of.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/drivers/hid/i2c-hid/i2c-hid-of.c b/drivers/hid/i2c-hid/i2c-hid-of.c
index 57379b77e977..e925e2d2cfe0 100644
--- a/drivers/hid/i2c-hid/i2c-hid-of.c
+++ b/drivers/hid/i2c-hid/i2c-hid-of.c
@@ -92,6 +92,36 @@ static int i2c_hid_of_probe(struct i2c_client *client)
ihid_of->ops.power_down = i2c_hid_of_power_down;
ret = device_property_read_u32(dev, "hid-descr-addr", &val);
+ if (ret) {
+ /*
+ * Some devices, for example the Lenovo KaiTian N60d and Inspur
+ * CP300L3, declare their I2C HID touchpad with _HID "PRP0001"
+ * and _DSD compatible "hid-over-i2c" but lack the
+ * "hid-descr-addr" property. Fall back to _DSM to obtain the
+ * HID descriptor address.
+ */
+ int dsm_ret = i2c_hid_core_acpi_get_descriptor(dev);
+
+ if (dsm_ret >= 0) {
+ dev_warn(dev,
+ "hid-descr-addr NOT found, using _DSM fallback. Contact vendor for firmware update!\n");
+ val = dsm_ret;
+
+ /*
+ * Firmware providing the descriptor address only
+ * through _DSM may also lack "post-power-on-delay-ms"
+ * or "post-reset-deassert-delay-ms", leaving the
+ * driver without enough delay before the first HID
+ * descriptor read. Set safe defaults to avoid reading
+ * the descriptor before the device has finished its
+ * internal power-on reset.
+ */
+ ihid_of->post_power_delay_ms = 250;
+ ihid_of->post_reset_delay_ms = 250;
+
+ ret = 0;
+ }
+ }
if (ret) {
dev_err(dev, "HID register address not provided\n");
return -ENODEV;
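Review bot: The fallback in i2c_hid_of_probe() hard-codes `post_power_delay_ms = 250` and `post_reset_delay_ms = 250` with no named constant and no source for the figure. Give the value a #define, say where 250 ms comes from, and confirm the assignments act only as defaults: this hunk does not show where "post-power-on-delay-ms" and "post-reset-deassert-delay-ms" are read, so it is not clear from here whether a firmware-provided value still wins. The two back-to-back `if (ret)` blocks would also read better with the fallback moved into a small helper that returns the address or an error.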
--
2.54.0
^ permalink raw reply related
* Re: (subset) [PATCH 00/11] HID: storing pointers in 'hid_device_id::driver_data'
From: Benjamin Tissoires @ 2026-06-01 18:18 UTC (permalink / raw)
To: Jiri Kosina, Ping Cheng, Jason Gerecke,
Pawel Zalewski (The Capable Hub)
Cc: linux-kernel, linux-input, Christian A. Ehrhardt,
Christian A. Ehrhardt
In-Reply-To: <20260518-mod-devicetable-hid_device_id-v1-0-a08e3989c283@thegoodpenguin.co.uk>
On Mon, 18 May 2026 17:06:19 +0100, Pawel Zalewski (The Capable Hub) wrote:
> The <linux/mod_devicetable.h> has multiple structs that follow
> the pattern of having either 'driver_data' or 'driver_info'
> fields which are of the 'kernel_ulong_t' type. Then how to
> interpret that field is user defined, some users will treat
> the value as an actual integer, others as a valid pointer to
> dereference.
>
> [...]
Applied to https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git (for-7.2/cleanup_driver_data), thanks!
[05/11] HID: hid-belkin: clean up usage of 'driver_data'
https://git.kernel.org/hid/hid/c/4de4b8a5ddc2
[06/11] HID: hid-cypress: clean up usage of 'driver_data'
https://git.kernel.org/hid/hid/c/73e784ddf895
[07/11] HID: hid-gfrm: clean up usage of 'driver_data'
https://git.kernel.org/hid/hid/c/0b8bb8c3c913
[08/11] HID: hid-ite: clean up usage of 'driver_data'
https://git.kernel.org/hid/hid/c/b11dfa6cc3c8
Cheers,
--
Benjamin Tissoires <bentiss@kernel.org>
^ permalink raw reply
* Re: (subset) [PATCH v3 0/2] Add support for Microsoft Surface Pro 12in
From: Benjamin Tissoires @ 2026-06-01 18:18 UTC (permalink / raw)
To: linux-kernel, linux-input, linux-arm-msm, devicetree,
Harrison Vanderbyl
Cc: jikos, andersson, konradybcio, robh, krzk+dt, conor+dt,
dmitry.baryshkov
In-Reply-To: <20260529011619.9586-1-harrison.vanderbyl@gmail.com>
On Fri, 29 May 2026 11:16:14 +1000, Harrison Vanderbyl wrote:
> Changes in v3:
>
> Rebase:
> - Rebased on next-20260528
> - Removed ice device tree changes
>
> Device tree:
> - Fixed C++ style comment in &i2c9 to use /* */ style
> - Flattened mdss_dp3 port into &mdss_dp3_out directly
> - Whitespace and formatting nits
>
> [...]
Applied to https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git (for-7.2/core), thanks!
[1/2] hid: Pen battery quirk for Surface Pro 12in
https://git.kernel.org/hid/hid/c/3a1e4e77e3ee
Cheers,
--
Benjamin Tissoires <bentiss@kernel.org>
^ permalink raw reply
* Re: [PATCH 0/1] HID: wacom: fix slab-out-of-bounds write in kfifo_copy_in
From: Benjamin Tissoires @ 2026-06-01 18:19 UTC (permalink / raw)
To: Jason Gerecke, Ping Cheng, Jinmo Yang
Cc: Jiri Kosina, linux-input, linux-kernel, stable
In-Reply-To: <20260524135203.1996265-1-jinmo44.yang@gmail.com>
On Sun, 24 May 2026 22:52:02 +0900, Jinmo Yang wrote:
> I found the following slab-out-of-bounds write in the wacom HID driver
> while fuzzing with syzkaller on v7.1.0-rc4-next-20260522:
>
> BUG: KASAN: slab-out-of-bounds in kfifo_copy_in+0xf3/0x130 lib/kfifo.c:106
> Write of size 3842 at addr ffff888009179000 by task syz.3.9362/61135
>
> CPU: 1 UID: 0 PID: 61135 Comm: syz.3.9362 Not tainted 7.1.0-rc4-next-20260522-dirty #3 PREEMPT(lazy)
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:94 [inline]
> dump_stack_lvl+0x97/0xe0 lib/dump_stack.c:120
> print_address_description mm/kasan/report.c:378 [inline]
> print_report+0x157/0x4c9 mm/kasan/report.c:482
> kasan_report+0xce/0x100 mm/kasan/report.c:595
> check_region_inline mm/kasan/generic.c:186 [inline]
> kasan_check_range+0x10f/0x1e0 mm/kasan/generic.c:200
> __asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106
> kfifo_copy_in+0xf3/0x130 lib/kfifo.c:106
> __kfifo_in_r lib/kfifo.c:442 [inline]
> __kfifo_in_r+0x1b2/0x230 lib/kfifo.c:434
> wacom_wac_queue_insert drivers/hid/wacom_sys.c:65 [inline]
> wacom_wac_pen_serial_enforce drivers/hid/wacom_sys.c:165 [inline]
> wacom_raw_event+0x900/0xa90 drivers/hid/wacom_sys.c:179
> __hid_input_report.constprop.0+0x39a/0x4d0 drivers/hid/hid-core.c:2161
> uhid_dev_input2 drivers/hid/uhid.c:618 [inline]
> uhid_char_write+0xa8a/0xfa0 drivers/hid/uhid.c:776
> vfs_write+0x2c0/0xe40 fs/read_write.c:686
> ksys_write+0x1f8/0x250 fs/read_write.c:740
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xee/0x590 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> [...]
Applied to https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git (for-7.2/wacom), thanks!
[1/1] HID: wacom: fix slab-out-of-bounds write in wacom_wac_queue_insert
https://git.kernel.org/hid/hid/c/6b3014ec0e9a
Cheers,
--
Benjamin Tissoires <bentiss@kernel.org>
^ permalink raw reply
* Re: [PATCH v2 0/2] HID: wacom: fix sleeping in atomic context in wacom_wac_queue_flush()
From: Benjamin Tissoires @ 2026-06-01 18:19 UTC (permalink / raw)
To: linux-input, dmitry.torokhov, Jinmo Yang
Cc: jikos, stable, Benjamin Tissoires
In-Reply-To: <20260601134124.1560886-1-jinmo44.yang@gmail.com>
On Mon, 01 Jun 2026 22:41:22 +0900, Jinmo Yang wrote:
> wacom_wac_queue_flush() uses GFP_KERNEL for kzalloc, but it can be
> called from atomic context via the .raw_event callback path. Patch 1
> fixes this by switching to GFP_ATOMIC, and patch 2 converts the buffer
> management to use __free(kfree) cleanup as suggested by Dmitry.
>
> Changes since v1:
> - Replaced Suggested-by with Reported-by for Sashiko-bot
> - Added patch 2 to use __free(kfree) cleanup facility (Dmitry)
>
> [...]
Applied to https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git (for-7.2/wacom), thanks!
[1/2] HID: wacom: use GFP_ATOMIC in wacom_wac_queue_flush()
https://git.kernel.org/hid/hid/c/55f1ad573e34
[2/2] HID: wacom: use cleanup.h for wacom_wac_queue_flush() buffer management
https://git.kernel.org/hid/hid/c/cb605d48dac9
Cheers,
--
Benjamin Tissoires <bentiss@kernel.org>
^ permalink raw reply
* Re: [PATCH] HID: logitech-hidpp: remove excess kernel-doc member in hidpp_scroll_counter
From: Benjamin Tissoires @ 2026-06-01 18:20 UTC (permalink / raw)
To: linux-input, Rosen Penev
Cc: Filipe Laíns, Bastien Nocera, Jiri Kosina, Hans de Goede,
linux-kernel
In-Reply-To: <20260531000150.378695-1-rosenp@gmail.com>
On Sat, 30 May 2026 17:01:50 -0700, Rosen Penev wrote:
> The @dev member described in the kernel-doc does not exist in the
> struct. Remove the stale entry.
>
> Fixes: 0610430e3dea ("HID: logitech-hidpp: add input_device ptr to struct
> hidpp_device")
> Assisted-by: opencode:big-pickle
>
> [...]
Applied to https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git (for-7.2/logitech), thanks!
[1/1] HID: logitech-hidpp: remove excess kernel-doc member in hidpp_scroll_counter
https://git.kernel.org/hid/hid/c/f22a5db8a7d3
Cheers,
--
Benjamin Tissoires <bentiss@kernel.org>
^ permalink raw reply
* Re: [PATCH 02/10] [v3] input: gpio-keys: make legacy gpiolib optional
From: Arnd Bergmann @ 2026-06-01 18:32 UTC (permalink / raw)
To: sashiko-reviews; +Cc: linux-input, Dmitry Torokhov, Hans de Goede, Jin Yao
In-Reply-To: <20260530004519.1C8E81F00893@smtp.kernel.org>
On Sat, May 30, 2026, at 02:45, sashiko-bot@kernel.org wrote:
> [Severity: High]
> Does this change break legacy devices that legitimately provide both a valid
> GPIO and a valid IRQ?
>
> If a legacy platform provides both a valid GPIO and an IRQ, this condition
> now evaluates to false.
>
> By skipping the GPIO request entirely, the driver falls back to treating the
> device as a pure IRQ button. This forces the driver to lose hardware
> debouncing and rely on a simulated release timer instead of checking the
> physical GPIO line.
There are only three drivers that provide the ->irq field. Two are the
ones that I'm changing in this patch, the soc_button_array driver
is the third and none of them set ->irq and ->gpio at the same time.
>> */
>> struct gpio_keys_button {
>> unsigned int code;
>> +#ifdef CONFIG_GPIOLIB_LEGACY
>> int gpio;
>> +#endif
>> int active_low;
>
> [Severity: Medium]
> Will this cause build failures for drivers that assign to this field when
> CONFIG_GPIOLIB_LEGACY is disabled?
Yes, that is the intention of the patch: nothing should set the
->gpio field unless GPIOLIB_LEGACY is set.
> Other modern drivers dynamically create the platform device and pass legacy
> GPIO numbers by directly assigning to this field:
>
> drivers/input/misc/soc_button_array.c:soc_button_device_create() {
> ...
> gpio_keys[n_buttons].gpio = gpio;
> ...
> }
>
> When CONFIG_GPIOLIB_LEGACY is disabled, this results in a compilation failure
> since struct gpio_keys_button no longer has the gpio member.
I previously included a patch to force-enable GPIOLIB_LEGACY in this
patch series, see
https://lore.kernel.org/all/npijagtgyad33xxlq46b7kwzydhcgt5tkgd5ihsjl6t4czbqyf@umovipwh73i2/
I made a mistake during a rebase, so my older patch was still
included in my randconfig testing but not in the series I
sent. All the other changes in it are now redundant, but
the soc_button_array portion indeed still remains.
Hans, Dmitry, do you already have plans to deal with the
soc_button_array driver to move it away from legacy GPIOs?
So far I can see four possible ways we can deal with it,
but none that I actually like:
a) delay the problem, apply my original oneline change
to 'select GPIOLIB_LEGACY' and fix it later, so we
can make GPIOLIB_LEGACY default-disabled in 7.3.
b) add a gpiod member to struct gpio_keys_button and skip
the intermediate gpio number here. Clean it up later.
c) always pass the gpio as an interrupt, as the driver
already does for some machines
d) add dynamic device properties that duplicate the
information from ACPI/DMI, so the driver can
stop using platform data
e) disconnect gpio_keys_button from gpio-keys.c and
register the buttons to the input subsystem
directly from soc_button_device_create().
Any suggestions?
Arnd
^ permalink raw reply
* Re: [PATCH v2 3/4] regulator: Add driver for MediaTek MT6328 PMIC regulators
From: Mark Brown @ 2026-06-01 18:41 UTC (permalink / raw)
To: y.oudjana
Cc: Rob Herring, Krzysztof Kozlowski, Conor Dooley, Matthias Brugger,
AngeloGioacchino Del Regno, Flora Fu, Alexandre Mergnat,
Liam Girdwood, Dmitry Torokhov, devicetree, linux-kernel,
linux-arm-kernel, linux-mediatek, linux-input
In-Reply-To: <20260531-mt6735-pwrap-mt6328-pmic-v2-3-dac37bf92894@protonmail.com>
On Sun, May 31, 2026 at 11:10:44AM +0200, Yassine Oudjana via B4 Relay wrote:
> @@ -0,0 +1,500 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * MediaTek MT6328 regulator driver
> + * Based on MT6323 driver.
> + *
> + * Copyright (c) 2016 MediaTek Inc.
> + * Copyright (c) 2022 Yassine Oudjana <y.oudjana@protonmail.com>
> + */
Please make the entire comment a C++ one so things look more
intentional.
> +static const unsigned int ldo_volt_table3[] = {
> + 0, 0, 0, 1800000, 1900000, 2000000, 2100000, 2200000
> +};
Use linear_min_sel for the first three values.
> +static const struct linear_range ldo_volt_range1[] = {
> + REGULATOR_LINEAR_RANGE(700000, 0, 0x7f, 6250)
> +};
If there's just one range there's no need for a lookup table, use
regulator_map_voltage_linear().
> +static int mt6328_get_status(struct regulator_dev *rdev)
> +{
> + int ret;
> + u32 regval;
> + struct mt6328_regulator_info *info = rdev_get_drvdata(rdev);
> +
> + ret = regmap_read(rdev->regmap, info->desc.enable_reg, ®val);
> + if (ret != 0) {
> + dev_err(&rdev->dev, "Failed to get enable reg: %d\n", ret);
> + return ret;
> + }
> +
> + return (regval & info->qi) ? REGULATOR_STATUS_ON : REGULATOR_STATUS_OFF;
> +}
get_status() should report the actual status of the regulator, not what
was configured. If the device can't report this just omit the
operation.
> + if (mt6328_regulators[i].vselctrl_reg) {
> + if (regmap_read(mt6328->regmap,
> + mt6328_regulators[i].vselctrl_reg,
> + ®val) < 0) {
> + dev_err(&pdev->dev,
> + "Failed to read buck ctrl\n");
> + return -EIO;
Better to return the actual error.
> + rdev = devm_regulator_register(&pdev->dev,
> + &mt6328_regulators[i].desc, &config);
> + if (IS_ERR(rdev)) {
> + dev_err(&pdev->dev, "failed to register %s\n",
> + mt6328_regulators[i].desc.name);
> + return PTR_ERR(rdev);
dev_err_probe().
^ permalink raw reply
* Re: [PATCH v2 3/3] HID: i2c-hid-of: Fall back to ACPI _DSM when hid-descr-addr is missing
From: sashiko-bot @ 2026-06-01 18:47 UTC (permalink / raw)
Cc: linux-input, dmitry.torokhov
In-Reply-To: <tencent_0EE402E968E17B8EACEDFF0E9EBDDBF17E09@qq.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] The i2c-hid-of driver uses the ACPI _DSM fallback to obtain the HID descriptor address but does not provide a restore_sequence callback to re-evaluate the _DSM during hibernation (S4) restore.
--
commit 3ebee1e22f96c1e99e3c6adbd49d92242f2497f9
Author: 谢致邦 (XIE Zhibang) <Yeking@Red54.com>
HID: i2c-hid-of: Fall back to ACPI _DSM when hid-descr-addr is missing
This commit updates the i2c-hid-of driver to fall back to the ACPI _DSM
method for obtaining the HID descriptor address when the "hid-descr-addr"
property is missing. It specifically targets devices using the "PRP0001"
_HID with a "hid-over-i2c" compatible string. Safe default power and reset
delays are also configured for these devices.
> diff --git a/drivers/hid/i2c-hid/i2c-hid-of.c b/drivers/hid/i2c-hid/i2c-hid-of.c
> index 57379b77e9778..e925e2d2cfe0d 100644
> --- a/drivers/hid/i2c-hid/i2c-hid-of.c
> +++ b/drivers/hid/i2c-hid/i2c-hid-of.c
> @@ -92,6 +92,36 @@ static int i2c_hid_of_probe(struct i2c_client *client)
> ihid_of->ops.power_down = i2c_hid_of_power_down;
>
> ret = device_property_read_u32(dev, "hid-descr-addr", &val);
> + if (ret) {
> + /*
> + * Some devices, for example the Lenovo KaiTian N60d and Inspur
> + * CP300L3, declare their I2C HID touchpad with _HID "PRP0001"
> + * and _DSD compatible "hid-over-i2c" but lack the
> + * "hid-descr-addr" property. Fall back to _DSM to obtain the
> + * HID descriptor address.
> + */
> + int dsm_ret = i2c_hid_core_acpi_get_descriptor(dev);
[Severity: High]
Does this missing PM callback break S4 hibernation restore?
The native i2c-hid-acpi driver re-evaluates the _DSM method during hibernation
restore via its restore_sequence callback to reinitialize the hardware state,
such as switching the hardware back from PS/2 emulation to I2C-HID mode.
Because this ACPI _DSM fallback is added in i2c_hid_of_probe() without also
wiring up ops.restore_sequence in the OF driver, will these touchpads fail
to resume correctly and become unresponsive after waking from S4?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260601181510.38705-1-Yeking@Red54.com?part=3
^ permalink raw reply
* Re: [PATCH v14 1/2] HID: cp2112: Add fwnode support
From: Andy Shevchenko @ 2026-06-01 19:18 UTC (permalink / raw)
To: Danny Kaehn
Cc: Benjamin Tissoires, Andi Shyti, Conor Dooley, Jiri Kosina,
linux-input, Dmitry Torokhov, Ethan Twardy, linux-i2c,
linux-kernel, Leo Huang, Arun D Patil, Willie Thai, Ting-Kai Chen,
Bartosz Golaszewski
In-Reply-To: <20260520-cp2112-dt-v14-1-b1b4b6734b6f@plexus.com>
On Wed, May 20, 2026 at 11:13:06AM -0500, Danny Kaehn wrote:
> Support describing the CP2112's I2C and GPIO interfaces in firmware.
>
> Bindings between the firmware nodes and the functions of the device
> are distinct between ACPI and DeviceTree.
>
> For ACPI, the i2c_adapter will use the child with _ADR equal to Zero
> and the gpio_chip will use the child with _ADR equal to One.
>
> For DeviceTree, the i2c_adapter will use the child with name "i2c",
> but the gpio_chip will share a firmware node with the CP2112.
As we seem settled on the approaches in both cases, I think we are fine
to go.
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
--
With Best Regards,
Andy Shevchenko
^ permalink raw reply
* [PATCH v2] HID: intel-thc-hid: intel-quickspi: reset touch IC on system resume
From: d3z @ 2026-06-01 21:18 UTC (permalink / raw)
To: even.xu, jikos, bentiss
Cc: xinpeng.sun, linux-input, linux-kernel, sakari.ailus,
abhishektamboli9, Danny D .
In-Reply-To: <20260529222210.1532876-1-d3z.the.dev@gmail.com>
From: Danny D. <d3z.the.dev@gmail.com>
On the Surface Pro 10 (Meteor Lake) the touchscreen stops working after a
suspend/resume cycle and only recovers after a reboot. The driver logs
"GET_DEVICE_INFO: recv failed: -11" on resume.
This platform suspends through s2idle: /sys/power/mem_sleep exposes
"[s2idle]" as the only state, there is no "deep"/S3 entry at all. The
touch IC nonetheless loses power across that s2idle suspend, the same
way it does across hibernation. quickspi_resume() only re-selects the
THC port, restores interrupts and DMA and sends a HIDSPI_ON command,
assuming the touch IC kept its power and state. When it has actually
lost power the HIDSPI_ON command is never acknowledged and the
descriptor read fails, leaving the touchscreen dead until the module is
reloaded.
quickspi_restore() already handles this for hibernation by
reconfiguring the THC SPI/LTR settings and running reset_tic() to
re-enumerate the device. Make quickspi_resume() do the same when the
device is not a wake source. A wake-enabled device keeps its power and
state across suspend, so it stays on the light restore path: resetting
it would discard a pending wake touch event and break wake-on-touch.
The non-wake path mirrors the existing quickspi_restore() sequence,
including enabling interrupts before reset_tic(), so it introduces no
new ordering relative to code already in the driver.
This change has been validated on a Surface Pro 10 running the
linux-surface kernel across multiple s2idle suspend/resume cycles; it
has not been tested on a mainline build.
Closes: https://github.com/linux-surface/linux-surface/issues/1799
Signed-off-by: Danny D. <d3z.the.dev@gmail.com>
---
v1 -> v2:
- Only run the full reset when the device is not a wake source
(device_may_wakeup()), so wake-on-touch is no longer disturbed.
- Reword the changelog around s2idle: the SP10 has no "deep"/S3 state, the
touch IC loses power across s2idle.
.../hid/intel-thc-hid/intel-quickspi/pci-quickspi.c | 60 +++++++++++++++++--
1 file changed, 56 insertions(+), 4 deletions(-)
diff --git a/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c b/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c
--- a/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c
+++ b/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c
@@ -784,20 +784,72 @@ static int quickspi_resume(struct device
if (ret)
return ret;
+ /*
+ * A wake-enabled device keeps its power and state across suspend, so
+ * only restore the THC context. Resetting it here would discard a
+ * pending wake touch event and break wake-on-touch.
+ */
+ if (device_may_wakeup(qsdev->dev)) {
+ thc_interrupt_config(qsdev->thc_hw);
+
+ thc_interrupt_enable(qsdev->thc_hw, true);
+
+ ret = thc_dma_configure(qsdev->thc_hw);
+ if (ret)
+ return ret;
+
+ return thc_interrupt_quiesce(qsdev->thc_hw, false);
+ }
+
+ /*
+ * Otherwise the touch IC may have lost power across suspend. On
+ * platforms that suspend through s2idle (for example the Surface Pro
+ * 10, whose firmware exposes s2idle as the only mem_sleep state) the
+ * IC loses power the same way it does across hibernation. A plain
+ * HIDSPI_ON is then not acknowledged and the descriptor read fails, so
+ * re-enumerate the device through the full reset flow already used by
+ * quickspi_restore().
+ */
+ thc_spi_input_output_address_config(qsdev->thc_hw,
+ qsdev->input_report_hdr_addr,
+ qsdev->input_report_bdy_addr,
+ qsdev->output_report_addr);
+
+ ret = thc_spi_read_config(qsdev->thc_hw, qsdev->spi_freq_val,
+ qsdev->spi_read_io_mode,
+ qsdev->spi_read_opcode,
+ qsdev->spi_packet_size);
+ if (ret)
+ return ret;
+
+ ret = thc_spi_write_config(qsdev->thc_hw, qsdev->spi_freq_val,
+ qsdev->spi_write_io_mode,
+ qsdev->spi_write_opcode,
+ qsdev->spi_packet_size,
+ qsdev->performance_limit);
+ if (ret)
+ return ret;
+
thc_interrupt_config(qsdev->thc_hw);
thc_interrupt_enable(qsdev->thc_hw, true);
- ret = thc_dma_configure(qsdev->thc_hw);
+ /* The touch IC may have lost power, reset it to recover */
+ ret = reset_tic(qsdev);
if (ret)
return ret;
- ret = thc_interrupt_quiesce(qsdev->thc_hw, false);
+ ret = thc_dma_configure(qsdev->thc_hw);
if (ret)
return ret;
- if (!device_may_wakeup(qsdev->dev))
- return quickspi_set_power(qsdev, HIDSPI_ON);
+ thc_ltr_config(qsdev->thc_hw,
+ qsdev->active_ltr_val,
+ qsdev->low_power_ltr_val);
+
+ thc_change_ltr_mode(qsdev->thc_hw, THC_LTR_MODE_ACTIVE);
+
+ qsdev->state = QUICKSPI_ENABLED;
return 0;
}
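Review bot: In the non-wake path, every `return ret` taken after `thc_interrupt_enable(qsdev->thc_hw, true)` (the reset_tic() and thc_dma_configure() failures) leaves interrupts enabled with nothing unwound, and this path no longer calls `thc_interrupt_quiesce(qsdev->thc_hw, false)`, which the old code ran on every resume. Suggest a common error label that disables interrupts again, and either keeping the un-quiesce call or saying in the comment why the reset flow makes it unnecessary. `qsdev->state = QUICKSPI_ENABLED` is also set only on this path, so the comment on the wake-enabled branch should say what state that branch is expected to return in.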
--
2.43.0
* Re: [PATCH] HID: intel-thc-hid: intel-quickspi: reset touch IC on system resume
From: d3z @ 2026-06-01 21:30 UTC (permalink / raw)
To: even.xu, xinpeng.sun, jikos, bentiss
Cc: Danny D ., linux-input, linux-kernel, abhishektamboli9,
sakari.ailus
In-Reply-To: <IA1PR11MB60985B856D77963E2DBE47F9F4152@IA1PR11MB6098.namprd11.prod.outlook.com>
From: Danny D. <d3z.the.dev@gmail.com>
Hi Even,
Thanks for the quick reply and for sharing your patch.
First, the missing piece from your mail: my name is Danny D.
(d3z.the.dev@gmail.com) - please use it for any
Signed-off-by/Reported-by/Tested-by.
One note on the starting assumption, though: in its current configuration
this Surface Pro 10 doesn't go to S3 at all. /sys/power/mem_sleep only
offers s2idle:
$ cat /sys/power/mem_sleep
[s2idle]
There's no "deep" entry to select here, so every suspend goes through
s2idle and never reaches PM_SUSPEND_MEM. The touch IC still loses power
across that s2idle suspend - the same as over hibernation - which is what
gives the "recv failed: -11" on resume.
That's the catch with the attached patch: it gates the THC reconfigure on
if (last_suspend_state == PM_SUSPEND_MEM)
i.e. S3 only. On this machine that branch never runs, so it wouldn't bring
the touchscreen back here. Happy to apply it and confirm on the device, but
from the code path alone it can't help while we're s2idle-only.
What I did instead was key off whether the device actually kept power
rather than the suspend type: run the full reset only when the device isn't
a wake source (device_may_wakeup() == false), mirroring quickspi_restore().
A wake-enabled device stays on the light path so wake-on-touch is preserved;
one that lost power goes through reset_tic() re-enumeration. That fires on
both s2idle and S3, which is what makes it work on the SP10.
I've tested this on the Surface Pro 10 across many s2idle suspend/resume
cycles - touch and pen both keep working - and just posted a v2 that adds
the device_may_wakeup() gate.
Could we converge on the wakeup-based condition? I'm glad to test any
revision of your patch on the hardware, and equally glad for you to carry
the fix with my Signed-off-by/Tested-by once it handles the s2idle case.
Thanks,
Danny
* Re: [PATCH v2] HID: intel-thc-hid: intel-quickspi: reset touch IC on system resume
From: sashiko-bot @ 2026-06-01 21:31 UTC (permalink / raw)
To: d3z; +Cc: dmitry.torokhov, linux-input
In-Reply-To: <20260601211828.112626-1-d3z.the.dev@gmail.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [High] Missing cleanup on error paths in `quickspi_resume()` leaves hardware interrupts enabled.
Pre-existing issues:
- [High] Potential Use-After-Free in the IRQ handler during device removal.
- [High] Concurrent execution of hardware initialization (`reset_tic`) between PM callbacks and the IRQ thread.
--
commit 4380dc624b155997446c58c62fab2b9cced12a58
Author: Danny D <d3z.the.dev@gmail.com>
HID: intel-thc-hid: intel-quickspi: reset touch IC on system resume
This commit updates quickspi_resume() to handle s2idle suspend by restoring
the THC context and resetting the touch IC when the device is not a wake
source. It reconfigures the THC SPI/LTR settings and runs reset_tic() to
re-enumerate the device.
Closes: https://github.com/linux-surface/linux-surface/issues/1799
> diff --git a/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c b/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c
> index f669235f18839..4ae2e1718b30c 100644
> --- a/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c
> +++ b/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c
> @@ -784,20 +784,72 @@ static int quickspi_resume(struct device *device)
[ ... ]
> + thc_interrupt_config(qsdev->thc_hw);
>
> + thc_interrupt_enable(qsdev->thc_hw, true);
>
> - ret = thc_dma_configure(qsdev->thc_hw);
> + /* The touch IC may have lost power, reset it to recover */
> + ret = reset_tic(qsdev);
> + if (ret)
> + return ret;
[Severity: High]
If reset_tic() or the subsequent thc_dma_configure() fails, does this
function return without disabling the hardware interrupts?
It appears thc_interrupt_enable() is called before reset_tic(), but
the error paths directly return without undoing the interrupt enable
or quiescing the hardware. Could this leave the device in an active
state capable of generating unhandled interrupts?
[Severity: High]
This is a pre-existing issue, but the patch newly introduces this
pattern into the resume path. Is it safe to call reset_tic() here
while hardware interrupts are actively enabled?
If a fatal error interrupt occurs during the reset window, the
threaded IRQ handler could catch it and invoke try_recover():
drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c:try_recover() {
...
ret = reset_tic(qsdev);
...
}
Since there doesn't appear to be mutual exclusion protecting the
device state recovery path, could both the PM callback and the IRQ
thread execute acpi_tic_reset() concurrently and corrupt the hardware
state?
> +
> + ret = thc_dma_configure(qsdev->thc_hw);
> + if (ret)
> + return ret;
[ ... ]
[Severity: High]
This isn't a bug introduced by this patch, but does the device
removal process have a use-after-free window in the IRQ handler?
In quickspi_remove(), the DMA buffers are freed before hardware
interrupts are disabled:
drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c:quickspi_remove() {
...
quickspi_dma_deinit(qsdev);
pm_runtime_get_noresume(qsdev->dev);
quickspi_dev_deinit(qsdev);
...
}
Because the IRQ is managed by devm_request_threaded_irq(), it isn't
freed until after quickspi_remove() returns. If an interrupt fires
during this window, could the threaded handler access freed memory?
drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c:read_dma_buffer() {
...
prd_tbl = &read_config->prd_tbls[prd_table_index];
mes_len = calc_message_len(prd_tbl, &nent);
...
}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260601211828.112626-1-d3z.the.dev@gmail.com?part=1
* Bug report in HID: input: Add support for multiple batteries per device
From: Rafael Passos @ 2026-06-02 1:19 UTC (permalink / raw)
To: lcasmz54; +Cc: bentiss, hadess, jikos, linux-input, linux-kernel, linux-pm, sre
In-Reply-To: <20260314010533.110278-4-lcasmz54@gmail.com>
Hi, I found a bug preventing my laptop from booting
the mainline, and my bisection led me to this patch.
I believe I found the issue already, and will send a patch
following this report.
Decoded trace:
```
jun 01 20:03:15 debbook kernel: Oops: Oops: 0000 [#1] SMP NOPTI
jun 01 20:03:15 debbook kernel: CPU: 4 UID: 0 PID: 257 Comm: (udev-worker) Not tainted 7.1.0-rc6rcpassos #85 PREEMPT(lazy)
jun 01 20:03:15 debbook kernel: Hardware name: HP HP ProBook x360 435 G7/8735, BIOS S80 Ver. 01.17.02 06/07/2024
jun 01 20:03:15 debbook kernel: RIP: 0010:hidinput_setup_battery.isra.0 (/media/wd/code/kernel-dev/linux/drivers/hid/hid-input.c:412 /media/wd/code/kernel-dev/linux/drivers/hid/hid-input.c:523) hid
jun 01 20:03:15 debbook kernel: Code: f3 48 ab 48 8b 85 18 1c 00 00 48 39 c3 74 4b 48 8b 52 68 48 83 e8 38 8b 4a 30 eb 0e 90 48 8b 50 38 48 8d 42 c8 48 39 d3 74 30 <3b> >
All code
========
0: f3 48 ab rep stos %rax,(%rdi)
3: 48 8b 85 18 1c 00 00 mov 0x1c18(%rbp),%rax
a: 48 39 c3 cmp %rax,%rbx
d: 74 4b je 0x5a
f: 48 8b 52 68 mov 0x68(%rdx),%rdx
13: 48 83 e8 38 sub $0x38,%rax
17: 8b 4a 30 mov 0x30(%rdx),%ecx
1a: eb 0e jmp 0x2a
1c: 90 nop
1d: 48 8b 50 38 mov 0x38(%rax),%rdx
21: 48 8d 42 c8 lea -0x38(%rdx),%rax
25: 48 39 d3 cmp %rdx,%rbx
28: 74 30 je 0x5a
2a:* 3b 00 cmp (%rax),%eax <-- trapping instruction
Code starting with the faulting instruction
===========================================
0: 3b 00 cmp (%rax),%eax
jun 01 20:03:15 debbook kernel: RSP: 0018:ffffce87407c76c0 EFLAGS: 00010286
jun 01 20:03:15 debbook kernel: RAX: ffffffffffffffc8 RBX: ffff8db823bb7c18 RCX: 0000000000000007
jun 01 20:03:15 debbook kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffce87407c7718
jun 01 20:03:15 debbook kernel: RBP: ffff8db823bb6000 R08: ffffce87407c77c0 R09: ffffce87407c77bc
jun 01 20:03:15 debbook kernel: R10: ffff8db80df756c0 R11: ffff8db81f7b3000 R12: ffffce87407c76e8
jun 01 20:03:15 debbook kernel: R13: ffff8db80df756c0 R14: ffff8db823bb6000 R15: ffff8db823119600
jun 01 20:03:15 debbook kernel: FS: 00007fe5afebfd80(0000) GS:ffff8dbf6807b000(0000) knlGS:0000000000000000
jun 01 20:03:15 debbook kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
jun 01 20:03:15 debbook kernel: CR2: ffffffffffffffe4 CR3: 000000011ffe4000 CR4: 0000000000350ef0
jun 01 20:03:15 debbook kernel: Call Trace:
jun 01 20:03:15 debbook kernel: <TASK>
jun 01 20:03:15 debbook kernel: ? input_alloc_absinfo (./include/linux/slab.h:950 ./include/linux/slab.h:1188 drivers/input/input.c:442)
jun 01 20:03:15 debbook kernel: hidinput_connect (/media/wd/code/kernel-dev/linux/drivers/hid/hid-input.c:1294 /media/wd/code/kernel-dev/linux/drivers/hid/hid-input.c:2278 /media/wd/code/kernel-dev/linux/drivers/hid/hid-input.c:2345) hid
jun 01 20:03:15 debbook kernel: hid_connect (/media/wd/code/kernel-dev/linux/drivers/hid/hid-core.c:2308 (discriminator 1)) hid
jun 01 20:03:15 debbook kernel: ? vfree.part.0 (mm/vmalloc.c:3475)
jun 01 20:03:15 debbook kernel: hid_hw_start (/media/wd/code/kernel-dev/linux/drivers/hid/hid-core.c:2426 /media/wd/code/kernel-dev/linux/drivers/hid/hid-core.c:2417) hid
jun 01 20:03:15 debbook kernel: mt_probe (/media/wd/code/kernel-dev/linux/drivers/hid/hid-multitouch.c:2028) hid_multitouch
jun 01 20:03:15 debbook kernel: ? devres_open_group (./include/linux/spinlock.h:408 ./include/linux/spinlock.h:619 drivers/base/devres.c:263 drivers/base/devres.c:617)
jun 01 20:03:15 debbook kernel: hid_device_probe (/media/wd/code/kernel-dev/linux/drivers/hid/hid-core.c:2822 /media/wd/code/kernel-dev/linux/drivers/hid/hid-core.c:2859) hid
jun 01 20:03:15 debbook kernel: really_probe (drivers/base/dd.c:631 drivers/base/dd.c:709)
jun 01 20:03:15 debbook kernel: ? __pfx___device_attach_driver (drivers/base/dd.c:908 (discriminator 1))
jun 01 20:03:15 debbook kernel: __driver_probe_device (drivers/base/dd.c:871)
jun 01 20:03:15 debbook kernel: driver_probe_device (drivers/base/dd.c:901)
jun 01 20:03:15 debbook kernel: __device_attach_driver (drivers/base/dd.c:1029)
jun 01 20:03:15 debbook kernel: bus_for_each_drv (drivers/base/bus.c:500)
jun 01 20:03:15 debbook kernel: __device_attach (drivers/base/dd.c:1101)
jun 01 20:03:15 debbook kernel: ? __pfx___hid_bus_reprobe_drivers (/media/wd/code/kernel-dev/linux/drivers/hid/hid-core.c:3111) hid
jun 01 20:03:15 debbook kernel: device_reprobe (drivers/base/bus.c:847 drivers/base/bus.c:881)
jun 01 20:03:15 debbook kernel: ? __hid_bus_reprobe_drivers (/media/wd/code/kernel-dev/linux/drivers/hid/hid-core.c:3094) hid
jun 01 20:03:15 debbook kernel: bus_for_each_dev (drivers/base/bus.c:383)
jun 01 20:03:15 debbook kernel: ? __pfx___hid_bus_driver_added (/media/wd/code/kernel-dev/linux/drivers/hid/hid-core.c:2900) hid
jun 01 20:03:15 debbook kernel: __hid_bus_driver_added (/media/wd/code/kernel-dev/linux/drivers/hid/hid-core.c:3106) hid
jun 01 20:03:15 debbook kernel: bus_for_each_drv (drivers/base/bus.c:500)
jun 01 20:03:15 debbook kernel: ? __pfx_sensor_hub_driver_init (hid-sensor-hub.mod.c:?) hid_sensor_hub
jun 01 20:03:15 debbook kernel: __hid_register_driver (/media/wd/code/kernel-dev/linux/drivers/hid/hid-core.c:3134 /media/wd/code/kernel-dev/linux/drivers/hid/hid-core.c:3118) hid
jun 01 20:03:15 debbook kernel: do_one_initcall (init/main.c:1392)
jun 01 20:03:15 debbook kernel: do_init_module (kernel/module/main.c:3106)
jun 01 20:03:15 debbook kernel: init_module_from_file (kernel/module/main.c:3777)
jun 01 20:03:15 debbook kernel: idempotent_init_module (kernel/module/main.c:3789)
jun 01 20:03:15 debbook kernel: __x64_sys_finit_module (kernel/module/main.c:3815 kernel/module/main.c:3799 kernel/module/main.c:3799)
jun 01 20:03:15 debbook kernel: do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
jun 01 20:03:15 debbook kernel: ? do_sys_openat2 (./include/linux/fs.h:2553 fs/open.c:1363)
jun 01 20:03:15 debbook kernel: ? __x64_sys_openat (fs/open.c:1370 fs/open.c:1386 fs/open.c:1381 fs/open.c:1381)
jun 01 20:03:15 debbook kernel: ? do_syscall_64 (./arch/x86/include/asm/entry-common.h:63 ./include/linux/irq-entry-common.h:210 ./include/linux/irq-entry-common.h:230 ./include/linux/entry-common.h:318 arch/x86/entry/syscall_64.c:100)
jun 01 20:03:15 debbook kernel: ? do_syscall_64 (./arch/x86/include/asm/entry-common.h:63 ./include/linux/irq-entry-common.h:210 ./include/linux/irq-entry-common.h:230 ./include/linux/entry-common.h:318 arch/x86/entry/syscall_64.c:100)
jun 01 20:03:15 debbook kernel: ? do_syscall_64 (./arch/x86/include/asm/entry-common.h:63 ./include/linux/irq-entry-common.h:210 ./include/linux/irq-entry-common.h:230 ./include/linux/entry-common.h:318 arch/x86/entry/syscall_64.c:100)
jun 01 20:03:15 debbook kernel: ? __x64_sys_openat (fs/open.c:1370 fs/open.c:1386 fs/open.c:1381 fs/open.c:1381)
jun 01 20:03:15 debbook kernel: ? __fput (./include/linux/percpu_counter.h:71 ./include/linux/percpu_counter.h:272 fs/file_table.c:99 fs/file_table.c:523)
jun 01 20:03:15 debbook kernel: ? __x64_sys_close (fs/open.c:1507 fs/open.c:1492 fs/open.c:1492)
jun 01 20:03:15 debbook kernel: ? do_syscall_64 (./arch/x86/include/asm/entry-common.h:63 ./include/linux/irq-entry-common.h:210 ./include/linux/irq-entry-common.h:230 ./include/linux/entry-common.h:318 arch/x86/entry/syscall_64.c:100)
jun 01 20:03:15 debbook kernel: ? from_kgid_munged (kernel/user_namespace.c:406 kernel/user_namespace.c:512 kernel/user_namespace.c:536)
jun 01 20:03:15 debbook kernel: ? __do_sys_getgid (kernel/sys.c:1042 (discriminator 2))
jun 01 20:03:15 debbook kernel: ? do_syscall_64 (./arch/x86/include/asm/entry-common.h:63 ./include/linux/irq-entry-common.h:210 ./include/linux/irq-entry-common.h:230 ./include/linux/entry-common.h:318 arch/x86/entry/syscall_64.c:100)
jun 01 20:03:15 debbook kernel: ? do_syscall_64 (./include/linux/randomize_kstack.h:57 arch/x86/entry/syscall_64.c:92)
jun 01 20:03:15 debbook kernel: entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
jun 01 20:03:15 debbook kernel: RIP: 0033:0x7fe5affd3c69
jun 01 20:03:15 debbook kernel: Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> >
All code
========
0: ff c3 inc %ebx
2: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
9: 00 00 00
c: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 05 syscall
2a:* 48 rex.W <-- trapping instruction
...
Code starting with the faulting instruction
===========================================
0: 48 rex.W
...
jun 01 20:03:15 debbook kernel: RSP: 002b:00007ffc4716a3d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
jun 01 20:03:15 debbook kernel: RAX: ffffffffffffffda RBX: 0000555df96b8430 RCX: 00007fe5affd3c69
jun 01 20:03:15 debbook kernel: RDX: 0000000000000004 RSI: 00007fe5afd7344d RDI: 0000000000000050
jun 01 20:03:15 debbook kernel: RBP: 0000000000000004 R08: 0000000000000000 R09: 0000555df962b170
jun 01 20:03:15 debbook kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000020000
jun 01 20:03:15 debbook kernel: R13: 00007fe5afd7344d R14: 0000555df96bb2e0 R15: 0000000000000000
jun 01 20:03:15 debbook kernel: </TASK>
jun 01 20:03:15 debbook kernel: Modules linked in: hid_sensor_hub(+) drm_buddy amdxcp drm_panel_backlight_quirks gpu_sched drm_ttm_helper ttm drm_exec i2c_algo_bit drm_s>
```
Thanks,
Rafael Passos
* [PATCH] HID: usbhid: switch HIDBP devices to boot protocol
From: Xu Rao @ 2026-06-02 1:48 UTC (permalink / raw)
To: jikos; +Cc: bentiss, linux-usb, linux-input, linux-kernel, raoxu
usbkbd and usbmouse are HID Boot Protocol drivers. They do not
parse report descriptors before decoding interrupt reports; instead,
they interpret input data as the fixed boot keyboard and boot mouse
formats.
The HID specification defines SET_PROTOCOL as the class request
to select report or boot protocol. Boot subclass devices may power
up or return from reset in report protocol, and hosts are expected
to select the protocol they intend to use.
Do not depend on firmware or a previous driver to leave the
interface in boot protocol. Send SET_PROTOCOL(BOOT) during probe
before the interrupt URB can be opened.
Keep failures non-fatal. Some devices may reject the request while
still sending boot-compatible reports. For those devices, the
existing driver behavior is preferable.
Signed-off-by: Xu Rao <raoxu@uniontech.com>
---
drivers/hid/usbhid/usbkbd.c | 22 ++++++++++++++++++++++
drivers/hid/usbhid/usbmouse.c | 22 ++++++++++++++++++++++
2 files changed, 44 insertions(+)
diff --git a/drivers/hid/usbhid/usbkbd.c b/drivers/hid/usbhid/usbkbd.c
index 6b33e6ad0846..f3b83f0396c8 100644
--- a/drivers/hid/usbhid/usbkbd.c
+++ b/drivers/hid/usbhid/usbkbd.c
@@ -233,6 +233,26 @@ static void usb_kbd_close(struct input_dev *dev)
usb_kill_urb(kbd->irq);
}
+static void usb_kbd_set_boot_protocol(struct usb_device *dev,
+ struct usb_interface *iface)
+{
+ struct usb_host_interface *interface = iface->cur_altsetting;
+ int error;
+
+ /*
+ * usbkbd does not parse report descriptors. Make the device produce
+ * the fixed boot report format that the driver decodes.
+ */
+ error = usb_control_msg_send(dev, 0, HID_REQ_SET_PROTOCOL,
+ USB_DIR_OUT | USB_TYPE_CLASS |
+ USB_RECIP_INTERFACE, HID_BOOT_PROTOCOL,
+ interface->desc.bInterfaceNumber, NULL, 0,
+ USB_CTRL_SET_TIMEOUT, GFP_KERNEL);
+ if (error < 0)
+ dev_dbg(&iface->dev, "failed to set boot protocol: %d\n",
+ error);
+}
+
static int usb_kbd_alloc_mem(struct usb_device *dev, struct usb_kbd *kbd)
{
if (!(kbd->irq = usb_alloc_urb(0, GFP_KERNEL)))
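Review bot: The failure branch in usb_kbd_set_boot_protocol() reports only through dev_dbg(), so a keyboard that rejects SET_PROTOCOL and stays in report protocol is still decoded as the fixed boot format with nothing in the default log. Since the comment itself says usbkbd does not parse report descriptors, consider dev_warn() or dev_info() here so a mismatch between the device's report format and the decoder can be diagnosed from a normal dmesg. The local named `interface` next to the parameter `iface` is also easy to misread; `alt` or similar would be clearer.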
@@ -289,6 +309,8 @@ static int usb_kbd_probe(struct usb_interface *iface,
if (usb_kbd_alloc_mem(dev, kbd))
goto fail2;
+ usb_kbd_set_boot_protocol(dev, iface);
+
kbd->usbdev = dev;
kbd->dev = input_dev;
spin_lock_init(&kbd->leds_lock);
diff --git a/drivers/hid/usbhid/usbmouse.c b/drivers/hid/usbhid/usbmouse.c
index 7cc4f9558e5f..c1b9d95f957e 100644
--- a/drivers/hid/usbhid/usbmouse.c
+++ b/drivers/hid/usbhid/usbmouse.c
@@ -103,6 +103,26 @@ static void usb_mouse_close(struct input_dev *dev)
usb_kill_urb(mouse->irq);
}
+static void usb_mouse_set_boot_protocol(struct usb_device *dev,
+ struct usb_interface *intf)
+{
+ struct usb_host_interface *interface = intf->cur_altsetting;
+ int error;
+
+ /*
+ * usbmouse does not parse report descriptors. Make the device produce
+ * the fixed boot report format that the driver decodes.
+ */
+ error = usb_control_msg_send(dev, 0, HID_REQ_SET_PROTOCOL,
+ USB_DIR_OUT | USB_TYPE_CLASS |
+ USB_RECIP_INTERFACE, HID_BOOT_PROTOCOL,
+ interface->desc.bInterfaceNumber, NULL, 0,
+ USB_CTRL_SET_TIMEOUT, GFP_KERNEL);
+ if (error < 0)
+ dev_dbg(&intf->dev, "failed to set boot protocol: %d\n",
+ error);
+}
+
static int usb_mouse_probe(struct usb_interface *intf, const struct usb_device_id *id)
{
struct usb_device *dev = interface_to_usbdev(intf);
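Review bot: usb_mouse_set_boot_protocol() is a line-for-line copy of usb_kbd_set_boot_protocol() apart from the parameter name and one word in the comment. Suggest a single shared helper that takes the struct usb_interface and derives the usb_device with interface_to_usbdev(), as usb_mouse_probe() already does, so the request and its error handling live in one place for both boot drivers.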
@@ -138,6 +158,8 @@ static int usb_mouse_probe(struct usb_interface *intf, const struct usb_device_i
if (!mouse->irq)
goto fail2;
+ usb_mouse_set_boot_protocol(dev, intf);
+
mouse->usbdev = dev;
mouse->dev = input_dev;
--
2.50.1
* [PATCH] HID: Input: Add battery list cleanup in hidinput_disconnect()
From: Rafael Passos @ 2026-06-02 1:50 UTC (permalink / raw)
To: linux-input, lcasmz54, bentiss
Cc: hadess, jikos, linux-kernel, linux-pm, sre, kernel, Rafael Passos
The batteries list (hdev->batteries) is not cleaned up during
hidinput_disconnect(), but struct hid_battery entries are allocated
with devm_kzalloc.
When a driver is unbound (e.g. during device reprobe), devm frees those
entries while their list_head nodes remain dangling in hdev->batteries,
which persists across rebinds.
Fixes: 4a58ae85c3f9 ("HID: input: Add support for multiple batteries per device")
Signed-off-by: Rafael Passos <rafael@rcpassos.me>
---
Hi, I hope there is time to land this in this cycle.
Tell me if I should make any changes.
I built and tested it against the mainline.
Bug report link:
https://lore.kernel.org/all/20260602011949.2825852-1-rafael@rcpassos.me/
drivers/hid/hid-input.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
index d73cfa2e73d3..95815e140fdf 100644
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -2408,6 +2408,15 @@ EXPORT_SYMBOL_GPL(hidinput_connect);
void hidinput_disconnect(struct hid_device *hid)
{
struct hid_input *hidinput, *next;
+#ifdef CONFIG_HID_BATTERY_STRENGTH
+ {
+ struct hid_battery *bat, *tmp;
+
+ list_for_each_entry_safe(bat, tmp, &hid->batteries, list) {
+ list_del_init(&bat->list);
+ }
+ }
+#endif
list_for_each_entry_safe(hidinput, next, &hid->inputs, list) {
list_del(&hidinput->list);
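Review bot: The new loop in hidinput_disconnect() dereferences every entry on hid->batteries (`list_del_init(&bat->list)`), so it is only safe if the devm-allocated struct hid_battery entries are still alive whenever hidinput_disconnect() runs. The changelog should state why that ordering always holds, or the unlink should be tied to the entry's devm lifetime instead. Nothing visible in the hunk serialises the walk against other users of the list. Style: the bare `{ ... }` scope under #ifdef sits between the declarations and the first statement; a small static helper with an empty stub for the !CONFIG_HID_BATTERY_STRENGTH case would read better.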
--
2.53.0
* Re: [bug report] Potential atomicity bug in drivers/input/joydev.c, between joydev_0x_read() and joydev_ioctl_common()
From: Ginger @ 2026-06-02 1:50 UTC (permalink / raw)
To: Dmitry Torokhov; +Cc: linux-input
In-Reply-To: <ah2-X1_innZZTAMZ@google.com>
Hi Dmitry,
Many thanks for the clarification.
In that case, may I kindly ask if it is necessary to fix joydev with locks,
or we can leave it this way and let it just tolerate some inconsistencies?
Regards,
Ginger
On Tue, Jun 2, 2026 at 1:22 AM Dmitry Torokhov
<dmitry.torokhov@gmail.com> wrote:
>
> Hi Ginger,
>
> On Mon, Jun 01, 2026 at 03:07:05PM +0800, Ginger wrote:
> > Dear Linux kernel maintainers,
> >
> > My research-based static analyzer found a potential atomicity bug
> > within the 'drivers/input' subsystem, more specifically, in
> > 'drivers/input/joydev.c'.
> >
> > This potential issue is present as of git commit
> > eb3f4b7426cfd2b79d65b7d37155480b32259a11 of the mainline kernel.
> >
> > Potential concurrent triggering executions:
> > T0:
> > joydev_0x_read
> > --> spin_lock_irq(&input->event_lock);
> > --> read from joydev->abs
> > --> spin_unlock_irq(&input->event_lock);
> >
> > T1:
> > joydev_ioctl_common
> > --> case JSIOCSCORR:
> > --> write to joydev->abs[i] (no unlocked)
> >
> > The above trace is meant to demonstrate an illustrative example of the issue:
> > IMHO, in 'joydev_0x_read', the 'input->event_lock' is adopted to
> > serialize the read
> > accesses to joydev's fields like 'abs' and 'keypam' or input's fields
> > like 'input->key'.
> > However, in either case, the write-side accesses to these fields are
> > not similarly
> > serialized.
>
> Yes, there is lack of locking in joydev. Some of this might be OK (if
> we prevent tearing on reads/writes) since the data may actually be
> obsolete immediately after we read it, while in many places we
> actually do need consistency, especially when we adjust key and axis
> maps.
>
> Thanks.
>
> --
> Dmitry
* Re: [PATCH] HID: Input: Add battery list cleanup in hidinput_disconnect()
From: sashiko-bot @ 2026-06-02 2:03 UTC (permalink / raw)
To: Rafael Passos; +Cc: dmitry.torokhov, linux-input
In-Reply-To: <20260602015029.2838058-1-rafael@rcpassos.me>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] The patch introduces a Use-After-Free (UAF) and a soft-lockup race condition by manually unlinking `devm`-managed battery structures from `hid->batteries` during `hidinput_disconnect()`.
--
commit f0760b781af9f4b5e629ebfa0c88970cbaaea8fe
Author: Rafael Passos <rafael@rcpassos.me>
HID: Input: Add battery list cleanup in hidinput_disconnect()
The batteries list (hdev->batteries) is not cleaned up during
hidinput_disconnect(), but struct hid_battery entries are allocated
with devm_kzalloc. When a driver is unbound, devm frees those entries
while their list_head nodes remain dangling in hdev->batteries.
> diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
> index d73cfa2e73d33..95815e140fdf2 100644
> --- a/drivers/hid/hid-input.c
> +++ b/drivers/hid/hid-input.c
> @@ -2408,6 +2408,15 @@ EXPORT_SYMBOL_GPL(hidinput_connect);
> void hidinput_disconnect(struct hid_device *hid)
> {
> struct hid_input *hidinput, *next;
> +#ifdef CONFIG_HID_BATTERY_STRENGTH
> + {
> + struct hid_battery *bat, *tmp;
> +
> + list_for_each_entry_safe(bat, tmp, &hid->batteries, list) {
> + list_del_init(&bat->list);
[Severity: High]
Does this introduce a use-after-free and a race condition?
If a driver releases its devres group before calling hid_hw_stop(), the
battery structures allocated with devm_kzalloc() will be freed early. For
example, wacom_mode_change_work() in drivers/hid/wacom_sys.c acts like
this:
wacom_mode_change_work()
wacom_release_resources(wacom1);
hid_hw_stop(wacom1->hdev);
Since wacom_release_resources() releases the devres group, the battery
memory is freed before hid_hw_stop() calls hidinput_disconnect(). When we
reach this loop, we will iterate over and modify already-freed memory.
Additionally, hid_hw_stop() can be called asynchronously without holding
hdev->driver_input_lock. Modifying hid->batteries here can race with
concurrent readers like hidinput_update_battery(), which iterates over
the list, potentially causing a crash or infinite loop.
Could the cleanup be handled by adding a custom action during battery setup
via devm_add_action_or_reset(), so it is guaranteed to happen exactly when
the devm resource is freed?
> + }
> + }
> +#endif
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260602015029.2838058-1-rafael@rcpassos.me?part=1
* [PATCH v2] HID: Input: Add battery list cleanup with devm action
From: Rafael Passos @ 2026-06-02 3:05 UTC (permalink / raw)
To: linux-input, lcasmz54, bentiss
Cc: hadess, jikos, linux-kernel, linux-pm, sre, kernel, Rafael Passos
The batteries list (hdev->batteries) is not cleaned up during
hidinput_disconnect(), but struct hid_battery entries are allocated
with devm_kzalloc.
When a driver is unbound (e.g. during device reprobe), devm frees those
entries while their list_head nodes remain dangling in hdev->batteries,
which persists across rebinds.
Fixes: 4a58ae85c3f9 ("HID: input: Add support for multiple batteries per device")
Signed-off-by: Rafael Passos <rafael@rcpassos.me>
---
Hi, I hope there is time to land this in this cycle.
Tell me if I should make any changes.
I built and tested it against the mainline.
I don't have devices with multiple batteries to test.
Bug report link:
https://lore.kernel.org/all/20260602011949.2825852-1-rafael@rcpassos.me/
I received a sashiko review, and looked at wacom drivers for inspiration.
Changes in v2:
- removed list deletion from hidinput_disconnect
- new hidinput_cleanup_battery method
- register the cleanup call using devm action
in hidinput_setup_battery
If my searching was correct, this should be called when devres releases its group.
The commit message changed, because it referenced the
hidinput_disconnect method.
Original patch: https://lore.kernel.org/linux-input/20260602020352.4256D1F00893@smtp.kernel.org/T/#t
The sashiko review: https://sashiko.dev/#/patchset/20260602015029.2838058-1-rafael@rcpassos.me?part=1
drivers/hid/hid-input.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
index d73cfa2e73d3..c7b8c4ff7a33 100644
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -519,6 +519,13 @@ static struct hid_battery *hidinput_find_battery(struct hid_device *dev,
return NULL;
}
+static void hidinput_cleanup_battery(void *res)
+{
+ struct hid_battery *bat = res;
+
+ list_del(&bat->list);
+}
+
static int hidinput_setup_battery(struct hid_device *dev, unsigned report_type,
struct hid_field *field, bool is_percentage)
{
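Review bot: hidinput_cleanup_battery() calls list_del() with no locking and no comment. Please document that it is a devm action which has to run before the devm_kzalloc()ed struct hid_battery is released, and say what protects dev->batteries against a concurrent walker while the entry is being unlinked.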
@@ -610,6 +617,12 @@ static int hidinput_setup_battery(struct hid_device *dev, unsigned report_type,
power_supply_powers(bat->ps, &dev->dev);
list_add_tail(&bat->list, &dev->batteries);
+
+ error = devm_add_action_or_reset(&dev->dev,
+ hidinput_cleanup_battery, bat);
+ if (error)
+ return error;
+
return 0;
err_free_name:
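Review bot: When devm_add_action_or_reset() fails, the new `return error` leaves directly instead of going through the err_free_name label just below, and by that point power_supply_powers() and list_add_tail() have already run. Please confirm that nothing released under that label needs freeing on this path (or jump to it), and note in a comment that the _or_reset variant has already run the unlink in that case. The tail can also be written as a single `return devm_add_action_or_reset(...)`.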
--
2.53.0
* Re: [PATCH v2] HID: Input: Add battery list cleanup with devm action
From: Lucas Zampieri @ 2026-06-02 3:44 UTC (permalink / raw)
To: Rafael Passos
Cc: linux-input, Benjamin Tissoires, Jiri Kosina, Sebastian Reichel,
Bastien Nocera, linux-kernel, linux-pm, kernel
In-Reply-To: <20260602030519.3097058-1-rafael@rcpassos.me>
Hi Rafael,
Thanks for catching this and the quick fix. Turns out this is the
hidinput_cleanup_battery() hunk we dropped in the devm conversion
(patch 1/3), figuring devm would handle the cleanup. It frees the
hid_battery structs fine, but never unlinks them from hdev->batteries,
which outlives the devm scope, so the list dangles into freed memory on
the next probe. My bad.
Acked-by: Lucas Zampieri <lcasmz54@gmail.com>
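The lifetime problem described in this thread, as an added user-space model (not kernel code and not part of any patch above): entries whose memory is released by a devres-style LIFO stack stay linked on a list head that outlives the binding unless an unlink action is registered after the allocation. `device_model`, `devm_add`, `setup_battery` and the `live` flag are hypothetical stand-ins; "freeing" only clears `live`, so the check never touches released memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal intrusive list, same shape as the kernel's struct list_head. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev;
	n->next = h;
	h->prev->next = n;
	h->prev = n;
}

static void list_del(struct list_head *n)
{
	n->prev->next = n->next;
	n->next->prev = n->prev;
	n->next = n->prev = n;
}

/* Stand-in for struct hid_battery; 'live' models "not yet freed by devm". */
struct battery { struct list_head list; bool live; };

typedef void (*action_fn)(void *data);
struct devres { action_fn fn; void *data; };

#define MAX_RES 16
#define MAX_BAT 4

/* Stand-in for the HID device: the list head survives a driver unbind. */
struct device_model {
	struct list_head batteries;
	struct devres res[MAX_RES];   /* release actions, run last-in first-out */
	int nres;
	struct battery pool[MAX_BAT]; /* backing store, never really freed */
	int nbat;
};

static int devm_add(struct device_model *d, action_fn fn, void *data)
{
	if (d->nres >= MAX_RES)
		return -1;
	d->res[d->nres].fn = fn;
	d->res[d->nres].data = data;
	d->nres++;
	return 0;
}

static void battery_free(void *data) { ((struct battery *)data)->live = false; }
static void battery_unlink(void *data) { list_del(&((struct battery *)data)->list); }

static int setup_battery(struct device_model *d, bool with_unlink_action)
{
	struct battery *b;

	if (d->nbat >= MAX_BAT)
		return -1;
	b = &d->pool[d->nbat++];
	b->live = true;
	if (devm_add(d, battery_free, b)) {	/* models devm_kzalloc() */
		b->live = false;
		d->nbat--;
		return -1;
	}
	list_add_tail(&b->list, &d->batteries);
	/* Registered after the allocation, so it runs before the free. */
	if (with_unlink_action && devm_add(d, battery_unlink, b)) {
		battery_unlink(b);	/* what an _or_reset variant does on failure */
		return -1;
	}
	return 0;
}

/* Driver unbind: run release actions in reverse order of registration. */
static void driver_unbind(struct device_model *d)
{
	while (d->nres > 0) {
		struct devres r = d->res[--d->nres];
		r.fn(r.data);
	}
}

/* Count entries still reachable from the head whose memory was released. */
static int count_dangling(const struct device_model *d)
{
	const struct list_head *p;
	int n = 0;

	for (p = d->batteries.next; p != &d->batteries; p = p->next)
		if (!((const struct battery *)((const char *)p -
				offsetof(struct battery, list)))->live)
			n++;
	return n;
}

/* Bind, add two batteries, unbind; report what the next probe would find. */
int simulate(bool with_unlink_action)
{
	struct device_model d = { 0 };

	list_init(&d.batteries);
	if (setup_battery(&d, with_unlink_action) ||
	    setup_battery(&d, with_unlink_action))
		return -1;
	driver_unbind(&d);
	return count_dangling(&d);
}

int main(void)
{
	printf("dangling without unlink action: %d\n", simulate(false));
	printf("dangling with unlink action:    %d\n", simulate(true));
	return 0;
}
```
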