From: Pietro Borrello
Date: Sun, 12 Feb 2023 18:59:59 +0000
Subject: [PATCH v4 1/5] HID: bigben: use spinlock to protect concurrent accesses
Message-Id: <20230125-hid-unregister-leds-v4-1-7860c5763c38@diag.uniroma1.it>
References: <20230125-hid-unregister-leds-v4-0-7860c5763c38@diag.uniroma1.it>
In-Reply-To: <20230125-hid-unregister-leds-v4-0-7860c5763c38@diag.uniroma1.it>
To: Jiri Kosina, Benjamin Tissoires, Hanno Zulla, Hanno Zulla, Greg Kroah-Hartman
Cc: Cristiano Giuffrida, "Bos, H.J.", Jakob Koschel, Jiri Kosina, Roderick Colenbrander, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Pietro Borrello

bigben driver has a worker that may access data concurrently.
Protect the accesses using a spinlock.

Fixes: 256a90ed9e46 ("HID: hid-bigbenff: driver for BigBen Interactive PS3OFMINIPAD gamepad")
Signed-off-by: Pietro Borrello
--- drivers/hid/hid-bigbenff.c | 52 ++++++++++++++++++++++++++++++++++++++++++= ++-- 1 file changed, 50 insertions(+), 2 deletions(-) diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c index e8b16665860d..ed3d2d7bc1dd 100644 --- a/drivers/hid/hid-bigbenff.c +++ b/drivers/hid/hid-bigbenff.c
@@ -174,6 +174,7 @@ static __u8 pid0902_rdesc_fixed[] =3D { struct bigben_device { struct hid_device *hid; struct hid_report *report; + spinlock_t lock; bool removed; u8 led_state; /* LED1 =3D 1 .. LED4 =3D 8 */ u8 right_motor_on; /* right motor off/on 0/1 */ @@ -190,12 +191,27 @@ static void bigben_worker(struct work_struct *work) struct bigben_device *bigben =3D container_of(work, struct bigben_device, worker); struct hid_field *report_field =3D bigben->report->field[0]; + bool do_work_led =3D false; + bool do_work_ff =3D false; + u8 *buf; + u32 len; + unsigned long flags; =20 if (bigben->removed || !report_field) return; =20 + buf =3D hid_alloc_report_buf(bigben->report, GFP_KERNEL); + if (!buf) + return; + + len =3D hid_report_len(bigben->report); + + /* LED work */ + spin_lock_irqsave(&bigben->lock, flags); + if (bigben->work_led) { bigben->work_led =3D false; + do_work_led =3D true; report_field->value[0] =3D 0x01; /* 1 =3D led message */ report_field->value[1] =3D 0x08; /* reserved value, always 8 */ report_field->value[2] =3D bigben->led_state; @@ -204,11 +220,22 @@ static void bigben_worker(struct work_struct *work) report_field->value[5] =3D 0x00; /* padding */ report_field->value[6] =3D 0x00; /* padding */ report_field->value[7] =3D 0x00; /* padding */ - hid_hw_request(bigben->hid, bigben->report, HID_REQ_SET_REPORT); + hid_output_report(bigben->report, buf); + } + + spin_unlock_irqrestore(&bigben->lock, flags); + + if (do_work_led) { + hid_hw_raw_request(bigben->hid, bigben->report->id, buf, len, + bigben->report->type, HID_REQ_SET_REPORT); } =20 + /* FF work */ + spin_lock_irqsave(&bigben->lock, flags); + if (bigben->work_ff) { bigben->work_ff =3D false; + do_work_ff =3D true; report_field->value[0] =3D 0x02; /* 2 =3D rumble effect message */ report_field->value[1] =3D 0x08; /* reserved value, always 8 */ report_field->value[2] =3D bigben->right_motor_on; 
@@ -217,8 +244,17 @@ static void bigben_worker(struct work_struct *work) report_field->value[5] =3D 0x00; /* padding */ report_field->value[6] =3D 0x00; /* padding */ report_field->value[7] =3D 0x00; /* padding */ - hid_hw_request(bigben->hid, bigben->report, HID_REQ_SET_REPORT); + hid_output_report(bigben->report, buf); + } + + spin_unlock_irqrestore(&bigben->lock, flags); + + if (do_work_ff) { + hid_hw_raw_request(bigben->hid, bigben->report->id, buf, len, + bigben->report->type, HID_REQ_SET_REPORT); } + + kfree(buf); } =20 static int hid_bigben_play_effect(struct input_dev *dev, void *data, @@ -228,6 +264,7 @@ static int hid_bigben_play_effect(struct input_dev *dev= , void *data, struct bigben_device *bigben =3D hid_get_drvdata(hid); u8 right_motor_on; u8 left_motor_force; + unsigned long flags; =20 if (!bigben) { hid_err(hid, "no device data\n"); @@ -242,9 +279,12 @@ static int hid_bigben_play_effect(struct input_dev *de= v, void *data, =20 if (right_motor_on !=3D bigben->right_motor_on || left_motor_force !=3D bigben->left_motor_force) { + spin_lock_irqsave(&bigben->lock, flags); bigben->right_motor_on =3D right_motor_on; bigben->left_motor_force =3D left_motor_force; bigben->work_ff =3D true; + spin_unlock_irqrestore(&bigben->lock, flags); + schedule_work(&bigben->worker); } =20 @@ -259,6 +299,7 @@ static void bigben_set_led(struct led_classdev *led, struct bigben_device *bigben =3D hid_get_drvdata(hid); int n; bool work; + unsigned long flags; =20 if (!bigben) { hid_err(hid, "no device data\n"); @@ -267,6 +308,7 @@ static void bigben_set_led(struct led_classdev *led, =20 for (n =3D 0; n < NUM_LEDS; n++) { if (led =3D=3D bigben->leds[n]) { + spin_lock_irqsave(&bigben->lock, flags); if (value =3D=3D LED_OFF) { work =3D (bigben->led_state & BIT(n)); bigben->led_state &=3D ~BIT(n); 
@@ -274,6 +316,7 @@ static void bigben_set_led(struct led_classdev *led, work =3D !(bigben->led_state & BIT(n)); bigben->led_state |=3D BIT(n); } + spin_unlock_irqrestore(&bigben->lock, flags); =20 if (work) { bigben->work_led =3D true; @@ -307,8 +350,12 @@ static enum led_brightness bigben_get_led(struct led_c= lassdev *led) static void bigben_remove(struct hid_device *hid) { struct bigben_device *bigben =3D hid_get_drvdata(hid); + unsigned long flags; =20 + spin_lock_irqsave(&bigben->lock, flags); bigben->removed =3D true; + spin_unlock_irqrestore(&bigben->lock, flags); + cancel_work_sync(&bigben->worker); hid_hw_stop(hid); } 
@@ -362,6 +409,7 @@ static int bigben_probe(struct hid_device *hid, set_bit(FF_RUMBLE, hidinput->input->ffbit); =20 INIT_WORK(&bigben->worker, bigben_worker); + spin_lock_init(&bigben->lock); =20 error =3D input_ff_create_memless(hidinput->input, NULL, hid_bigben_play_effect); --=20 2.25.1
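Review bot: in the bigben_set_led() hunk at @@ -274,6 +316,7 the lock is released before "bigben->work_led = true;", so that flag is still written with no lock held while bigben_worker() tests and clears it under bigben->lock. Set work_led inside the critical section, right where "work" is computed, and leave only the schedule_work() call after spin_unlock_irqrestore().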
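Review bot: in hid_bigben_play_effect() at @@ -242,9 +279,12 the comparison against bigben->right_motor_on and bigben->left_motor_force runs before spin_lock_irqsave(), so the test and the update are not one atomic step. Take the lock before the "if", release it after setting work_ff, and schedule the worker afterwards only if something changed.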
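Review bot: bigben_worker() at @@ -190,12 +191,27 still reads bigben->removed with no lock held, while the bigben_remove() hunk now writes it under bigben->lock; locking only the write side does not order the two. Either read the flag under the lock as well or state in the commit message that the check is reworked later in the series. Also worth a comment: when hid_alloc_report_buf() fails the function returns with work_led/work_ff still set and nothing here reschedules the work.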
From: Pietro Borrello
Date: Sun, 12 Feb 2023 19:00:00 +0000
Subject: [PATCH v4 2/5] HID: bigben_worker() remove unneeded check on report_field
Message-Id: <20230125-hid-unregister-leds-v4-2-7860c5763c38@diag.uniroma1.it>
References: <20230125-hid-unregister-leds-v4-0-7860c5763c38@diag.uniroma1.it>
In-Reply-To: <20230125-hid-unregister-leds-v4-0-7860c5763c38@diag.uniroma1.it>
To: Jiri Kosina, Benjamin Tissoires, Hanno Zulla, Hanno Zulla, Greg Kroah-Hartman
Cc: Cristiano Giuffrida, "Bos, H.J.", Jakob Koschel, Jiri Kosina, Roderick Colenbrander, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Pietro Borrello

bigben_worker() checks report_field to be non-NULL.
The check has been added in commit
918aa1ef104d ("HID: bigbenff: prevent null pointer dereference")
to prevent a NULL pointer crash.
However, the true root cause was a missing check for output
reports, patched in commit
c7bf714f8755 ("HID: check empty report_list in bigben_probe()"),
where the type-confused report list_entry was overlapping with
a NULL pointer, which was then causing the crash.

Fixes: 918aa1ef104d ("HID: bigbenff: prevent null pointer dereference")
Signed-off-by: Pietro Borrello
--- drivers/hid/hid-bigbenff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c index ed3d2d7bc1dd..b98c5f31c184 100644
--- a/drivers/hid/hid-bigbenff.c +++ b/drivers/hid/hid-bigbenff.c 
@@ -197,7 +197,7 @@ static void bigben_worker(struct work_struct *work) u32 len; unsigned long flags; =20 - if (bigben->removed || !report_field) + if (bigben->removed) return; =20 buf =3D hid_alloc_report_buf(bigben->report, GFP_KERNEL); --=20 2.25.1
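Review bot: with "!report_field" dropped at @@ -197,7 +197,7, bigben_worker() depends entirely on the probe-time validation named in the commit message (c7bf714f8755), but nothing in the function records that. A one-line comment above the "bigben->removed" test pointing at the probe check would keep the NULL test from being reintroduced later. Since this is a cleanup rather than a fix for a reachable crash, also consider whether the Fixes: tag is wanted here, as patches carrying one tend to be picked up for stable.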
From: Pietro Borrello
Date: Sun, 12 Feb 2023 19:00:01 +0000
Subject: [PATCH v4 3/5] HID: bigben: use spinlock to safely schedule workers
Message-Id: <20230125-hid-unregister-leds-v4-3-7860c5763c38@diag.uniroma1.it>
References: <20230125-hid-unregister-leds-v4-0-7860c5763c38@diag.uniroma1.it>
In-Reply-To: <20230125-hid-unregister-leds-v4-0-7860c5763c38@diag.uniroma1.it>
To: Jiri Kosina, Benjamin Tissoires, Hanno Zulla, Hanno Zulla, Greg Kroah-Hartman
Cc: Cristiano Giuffrida, "Bos, H.J.", Jakob Koschel, Jiri Kosina, Roderick Colenbrander, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Pietro Borrello

Use spinlocks to deal with workers introducing a wrapper
bigben_schedule_work(), and several spinlock checks.
Otherwise, bigben_set_led() may schedule bigben->worker after the
structure has been freed, causing a use-after-free.

Fixes: 4eb1b01de5b9 ("HID: hid-bigbenff: fix race condition for scheduled work during removal")
Signed-off-by: Pietro Borrello
--- drivers/hid/hid-bigbenff.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c index b98c5f31c184..9d6560db762b 100644 --- a/drivers/hid/hid-bigbenff.c +++ b/drivers/hid/hid-bigbenff.c
@@ -185,6 +185,15 @@ struct bigben_device { struct work_struct worker; }; =20 +static inline void bigben_schedule_work(struct bigben_device *bigben) +{ + unsigned long flags; + + spin_lock_irqsave(&bigben->lock, flags); + if (!bigben->removed) + schedule_work(&bigben->worker); + spin_unlock_irqrestore(&bigben->lock, flags); +} =20 static void bigben_worker(struct work_struct *work) { @@ -197,9 +206,6 @@ static void bigben_worker(struct work_struct *work) u32 len; unsigned long flags; =20 - if (bigben->removed) - return; - buf =3D hid_alloc_report_buf(bigben->report, GFP_KERNEL); if (!buf) return; @@ -285,7 +291,7 @@ static int hid_bigben_play_effect(struct input_dev *dev= , void *data, bigben->work_ff =3D true; spin_unlock_irqrestore(&bigben->lock, flags); =20 - schedule_work(&bigben->worker); + bigben_schedule_work(bigben); } =20 return 0; @@ -320,7 +326,7 @@ static void bigben_set_led(struct led_classdev *led, =20 if (work) { bigben->work_led =3D true; - schedule_work(&bigben->worker); + bigben_schedule_work(bigben); } return; } 
@@ -450,7 +456,7 @@ static int bigben_probe(struct hid_device *hid, bigben->left_motor_force =3D 0; bigben->work_led =3D true; bigben->work_ff =3D true; - schedule_work(&bigben->worker); + bigben_schedule_work(bigben); =20 hid_info(hid, "LED and force feedback support for BigBen gamepad\n"); =20 --=20 2.25.1
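Review bot: bigben_schedule_work() at @@ -185,6 +185,15 carries no comment stating the invariant it depends on: bigben_remove() has to set "removed" under bigben->lock before it calls cancel_work_sync(), otherwise work can still be queued after the cancel. The two halves of that pairing live in different functions and different patches of the series, so please document it above the helper.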
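Review bot: in hid_bigben_play_effect() at @@ -285,7 +291,7 the caller releases bigben->lock and bigben_schedule_work() takes it again on the very next statement. A variant of the helper that expects the lock to be held, called before spin_unlock_irqrestore(), would update the state and queue the work in a single critical section and avoid the second acquisition.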
From: Pietro Borrello
Date: Sun, 12 Feb 2023 19:00:02 +0000
Subject: [PATCH v4 4/5] HID: asus: use spinlock to protect concurrent accesses
Message-Id: <20230125-hid-unregister-leds-v4-4-7860c5763c38@diag.uniroma1.it>
References: <20230125-hid-unregister-leds-v4-0-7860c5763c38@diag.uniroma1.it>
In-Reply-To: <20230125-hid-unregister-leds-v4-0-7860c5763c38@diag.uniroma1.it>
To: Jiri Kosina, Benjamin Tissoires, Hanno Zulla, Hanno Zulla, Greg Kroah-Hartman
Cc: Cristiano Giuffrida, "Bos, H.J.", Jakob Koschel, Jiri Kosina, Roderick Colenbrander, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Pietro Borrello

asus driver has a worker that may access data concurrently.
Protect the accesses using a spinlock.

Fixes: af22a610bc38 ("HID: asus: support backlight on USB keyboards")
Signed-off-by: Pietro Borrello
--- drivers/hid/hid-asus.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c index f99752b998f3..9f767baf39fb 100644 --- a/drivers/hid/hid-asus.c +++ b/drivers/hid/hid-asus.c @@ -98,6 +98,7 @@ struct asus_kbd_leds { struct hid_device *hdev; struct work_struct work; unsigned int brightness; + spinlock_t lock; bool removed; }; =20
@@ -495,7 +496,12 @@ static void asus_kbd_backlight_set(struct led_classdev= *led_cdev, { struct asus_kbd_leds *led =3D container_of(led_cdev, struct asus_kbd_leds, cdev); + unsigned long flags; + + spin_lock_irqsave(&led->lock, flags); led->brightness =3D brightness; + spin_unlock_irqrestore(&led->lock, flags); + schedule_work(&led->work); } =20 @@ -503,8 +509,14 @@ static enum led_brightness asus_kbd_backlight_get(stru= ct led_classdev *led_cdev) { struct asus_kbd_leds *led =3D container_of(led_cdev, struct asus_kbd_leds, cdev); + enum led_brightness brightness; + unsigned long flags; =20 - return led->brightness; + spin_lock_irqsave(&led->lock, flags); + brightness =3D led->brightness; + spin_unlock_irqrestore(&led->lock, flags); + + return brightness; } =20 static void asus_kbd_backlight_work(struct work_struct *work) @@ -512,11 +524,14 @@ static void asus_kbd_backlight_work(struct work_struc= t *work) struct asus_kbd_leds *led =3D container_of(work, struct asus_kbd_leds, wo= rk); u8 buf[] =3D { FEATURE_KBD_REPORT_ID, 0xba, 0xc5, 0xc4, 0x00 }; int ret; + unsigned long flags; =20 if (led->removed) return; =20 + spin_lock_irqsave(&led->lock, flags); buf[4] =3D led->brightness; + spin_unlock_irqrestore(&led->lock, flags); =20 ret =3D asus_kbd_set_report(led->hdev, buf, sizeof(buf)); if (ret < 0) @@ -584,6 +599,7 @@ static int asus_kbd_register_leds(struct hid_device *hd= ev) drvdata->kbd_backlight->cdev.brightness_set =3D asus_kbd_backlight_set; drvdata->kbd_backlight->cdev.brightness_get =3D asus_kbd_backlight_get; INIT_WORK(&drvdata->kbd_backlight->work, asus_kbd_backlight_work); + spin_lock_init(&drvdata->kbd_backlight->lock); =20 ret =3D devm_led_classdev_register(&hdev->dev, &drvdata->kbd_backlight->c= dev); if (ret < 0) { 
@@ -1119,9 +1135,13 @@ static int asus_probe(struct hid_device *hdev, const= struct hid_device_id *id) static void asus_remove(struct hid_device *hdev) { struct asus_drvdata *drvdata =3D hid_get_drvdata(hdev); + unsigned long flags; =20 if (drvdata->kbd_backlight) { + spin_lock_irqsave(&drvdata->kbd_backlight->lock, flags); drvdata->kbd_backlight->removed =3D true; + spin_unlock_irqrestore(&drvdata->kbd_backlight->lock, flags); + cancel_work_sync(&drvdata->kbd_backlight->work); } =20 --=20 2.25.1
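Review bot: in asus_kbd_backlight_work() at @@ -512,11 +524,14 the "if (led->removed)" test stays outside the new critical section, while the asus_remove() hunk writes the flag under the lock. Read it under led->lock too, or say in the commit message that the check is removed later in the series, so the patch reads consistently on its own.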
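Review bot: asus_kbd_backlight_set() at @@ -495,7 +496,12 still calls schedule_work() unconditionally after the unlock, so with this patch alone work can be queued after asus_remove() has run cancel_work_sync(). A sentence in the commit message stating that this patch covers only the data race on brightness, and that scheduling after removal is handled in 5/5, would make the split clear for bisection and backports.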
From: Pietro Borrello
Date: Sun, 12 Feb 2023 19:00:03 +0000
Subject: [PATCH v4 5/5] HID: asus: use spinlock to safely schedule workers
Message-Id: <20230125-hid-unregister-leds-v4-5-7860c5763c38@diag.uniroma1.it>
References: <20230125-hid-unregister-leds-v4-0-7860c5763c38@diag.uniroma1.it>
In-Reply-To: <20230125-hid-unregister-leds-v4-0-7860c5763c38@diag.uniroma1.it>
To: Jiri Kosina, Benjamin Tissoires, Hanno Zulla, Hanno Zulla, Greg Kroah-Hartman
Cc: Cristiano Giuffrida, "Bos, H.J.", Jakob Koschel, Jiri Kosina, Roderick Colenbrander, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Pietro Borrello

Use spinlocks to deal with workers introducing a wrapper
asus_schedule_work(), and several spinlock checks.
Otherwise, asus_kbd_backlight_set() may schedule led->work after the
structure has been freed, causing a use-after-free.

Fixes: af22a610bc38 ("HID: asus: support backlight on USB keyboards")
Signed-off-by: Pietro Borrello
--- drivers/hid/hid-asus.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c index 9f767baf39fb..d1094bb1aa42 100644 --- a/drivers/hid/hid-asus.c +++ b/drivers/hid/hid-asus.c
@@ -491,6 +491,16 @@ static int rog_nkey_led_init(struct hid_device *hdev) return ret; } =20 +static void asus_schedule_work(struct asus_kbd_leds *led) +{ + unsigned long flags; + + spin_lock_irqsave(&led->lock, flags); + if (!led->removed) + schedule_work(&led->work); + spin_unlock_irqrestore(&led->lock, flags); +} + static void asus_kbd_backlight_set(struct led_classdev *led_cdev, enum led_brightness brightness) { @@ -502,7 +512,7 @@ static void asus_kbd_backlight_set(struct led_classdev = *led_cdev, led->brightness =3D brightness; spin_unlock_irqrestore(&led->lock, flags); =20 - schedule_work(&led->work); + asus_schedule_work(led); } =20 static enum led_brightness asus_kbd_backlight_get(struct led_classdev *led= _cdev) @@ -526,9 +536,6 @@ static void asus_kbd_backlight_work(struct work_struct = *work) int ret; unsigned long flags; =20 - if (led->removed) - return; - spin_lock_irqsave(&led->lock, flags); buf[4] =3D led->brightness; spin_unlock_irqrestore(&led->lock, flags); --=20 2.25.1
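Review bot: asus_schedule_work() at @@ -491,6 +491,16 dereferences led->lock and led->removed, so it only protects callers while "led" itself is still allocated, whereas the commit message describes the structure as already freed. Please add a comment on the helper stating what it guarantees (no work queued once asus_remove() has set "removed") and that the struct must outlive the LED callbacks. Minor: the bigben helper in 3/5 is "static inline" and this one is plain "static"; pick one form for the series.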