From patchwork Sun Feb 12 18:59:59 2023
X-Patchwork-Submitter: Pietro Borrello
X-Patchwork-Id: 653058
From: Pietro Borrello
Date: Sun, 12 Feb 2023 18:59:59 +0000
Subject: [PATCH v4 1/5] HID: bigben: use spinlock to protect concurrent accesses
Message-Id: <20230125-hid-unregister-leds-v4-1-7860c5763c38@diag.uniroma1.it>
References: <20230125-hid-unregister-leds-v4-0-7860c5763c38@diag.uniroma1.it>
In-Reply-To: <20230125-hid-unregister-leds-v4-0-7860c5763c38@diag.uniroma1.it>
To: Jiri Kosina, Benjamin Tissoires, Hanno Zulla, Hanno Zulla, Greg Kroah-Hartman
Cc: Cristiano Giuffrida, "Bos, H.J.", Jakob Koschel, Jiri Kosina, Roderick Colenbrander, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Pietro Borrello
X-Mailing-List: linux-input@vger.kernel.org

bigben driver has a worker that may access data concurrently.
Protect the accesses using a spinlock.

Fixes: 256a90ed9e46 ("HID: hid-bigbenff: driver for BigBen Interactive PS3OFMINIPAD gamepad")
Signed-off-by: Pietro Borrello
--- drivers/hid/hid-bigbenff.c | 52 ++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 50 insertions(+), 2 deletions(-) diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c index e8b16665860d..ed3d2d7bc1dd 100644 --- a/drivers/hid/hid-bigbenff.c +++ b/drivers/hid/hid-bigbenff.c @@ -174,6 +174,7 @@ static __u8 pid0902_rdesc_fixed[] = { struct bigben_device { struct hid_device *hid; struct hid_report *report; + spinlock_t lock; bool removed; u8 led_state; /* LED1 = 1 .. LED4 = 8 */ u8 right_motor_on; /* right motor off/on 0/1 */ 
@@ -190,12 +191,27 @@ static void bigben_worker(struct work_struct *work) struct bigben_device *bigben = container_of(work, struct bigben_device, worker); struct hid_field *report_field = bigben->report->field[0]; + bool do_work_led = false; + bool do_work_ff = false; + u8 *buf; + u32 len; + unsigned long flags; if (bigben->removed || !report_field) return; + buf = hid_alloc_report_buf(bigben->report, GFP_KERNEL); + if (!buf) + return; + + len = hid_report_len(bigben->report); + + /* LED work */ + spin_lock_irqsave(&bigben->lock, flags); + if (bigben->work_led) { bigben->work_led = false; + do_work_led = true; report_field->value[0] = 0x01; /* 1 = led message */ report_field->value[1] = 0x08; /* reserved value, always 8 */ report_field->value[2] = bigben->led_state; @@ -204,11 +220,22 @@ static void bigben_worker(struct work_struct *work) report_field->value[5] = 0x00; /* padding */ report_field->value[6] = 0x00; /* padding */ report_field->value[7] = 0x00; /* padding */ - hid_hw_request(bigben->hid, bigben->report, HID_REQ_SET_REPORT); + hid_output_report(bigben->report, buf); + } + + spin_unlock_irqrestore(&bigben->lock, flags); + + if (do_work_led) { + hid_hw_raw_request(bigben->hid, bigben->report->id, buf, len, + bigben->report->type, HID_REQ_SET_REPORT); } + /* FF work */ + spin_lock_irqsave(&bigben->lock, flags); + if (bigben->work_ff) { bigben->work_ff = false; + do_work_ff = true; report_field->value[0] = 0x02; /* 2 = rumble effect message */ report_field->value[1] = 0x08; /* reserved value, always 8 */ report_field->value[2] = bigben->right_motor_on; 
@@ -217,8 +244,17 @@ static void bigben_worker(struct work_struct *work) report_field->value[5] = 0x00; /* padding */ report_field->value[6] = 0x00; /* padding */ report_field->value[7] = 0x00; /* padding */ - hid_hw_request(bigben->hid, bigben->report, HID_REQ_SET_REPORT); + hid_output_report(bigben->report, buf); + } + + spin_unlock_irqrestore(&bigben->lock, flags); + + if (do_work_ff) { + hid_hw_raw_request(bigben->hid, bigben->report->id, buf, len, + bigben->report->type, HID_REQ_SET_REPORT); } + + kfree(buf); } static int hid_bigben_play_effect(struct input_dev *dev, void *data, @@ -228,6 +264,7 @@ static int hid_bigben_play_effect(struct input_dev *dev, void *data, struct bigben_device *bigben = hid_get_drvdata(hid); u8 right_motor_on; u8 left_motor_force; + unsigned long flags; if (!bigben) { hid_err(hid, "no device data\n"); @@ -242,9 +279,12 @@ static int hid_bigben_play_effect(struct input_dev *dev, void *data, if (right_motor_on != bigben->right_motor_on || left_motor_force != bigben->left_motor_force) { + spin_lock_irqsave(&bigben->lock, flags); bigben->right_motor_on = right_motor_on; bigben->left_motor_force = left_motor_force; bigben->work_ff = true; + spin_unlock_irqrestore(&bigben->lock, flags); + schedule_work(&bigben->worker); } @@ -259,6 +299,7 @@ static void bigben_set_led(struct led_classdev *led, struct bigben_device *bigben = hid_get_drvdata(hid); int n; bool work; + unsigned long flags; if (!bigben) { hid_err(hid, "no device data\n"); @@ -267,6 +308,7 @@ static void bigben_set_led(struct led_classdev *led, for (n = 0; n < NUM_LEDS; n++) { if (led == bigben->leds[n]) { + spin_lock_irqsave(&bigben->lock, flags); if (value == LED_OFF) { work = (bigben->led_state & BIT(n)); bigben->led_state &= ~BIT(n); @@ -274,6 +316,7 @@ static void bigben_set_led(struct led_classdev *led, work = !(bigben->led_state & BIT(n)); bigben->led_state |= BIT(n); } + spin_unlock_irqrestore(&bigben->lock, flags); if (work) { bigben->work_led = true; 
@@ -307,8 +350,12 @@ static enum led_brightness bigben_get_led(struct led_classdev *led) static void bigben_remove(struct hid_device *hid) { struct bigben_device *bigben = hid_get_drvdata(hid); + unsigned long flags; + spin_lock_irqsave(&bigben->lock, flags); bigben->removed = true; + spin_unlock_irqrestore(&bigben->lock, flags); + cancel_work_sync(&bigben->worker); hid_hw_stop(hid); } 
@@ -362,6 +409,7 @@ static int bigben_probe(struct hid_device *hid, set_bit(FF_RUMBLE, hidinput->input->ffbit); INIT_WORK(&bigben->worker, bigben_worker); + spin_lock_init(&bigben->lock); error = input_ff_create_memless(hidinput->input, NULL, hid_bigben_play_effect);

From patchwork Sun Feb 12 19:00:00 2023
X-Patchwork-Submitter: Pietro Borrello
X-Patchwork-Id: 653839
From: Pietro Borrello
Date: Sun, 12 Feb 2023 19:00:00 +0000
Subject: [PATCH v4 2/5] HID: bigben_worker() remove unneeded check on report_field
Message-Id: <20230125-hid-unregister-leds-v4-2-7860c5763c38@diag.uniroma1.it>
In-Reply-To: <20230125-hid-unregister-leds-v4-0-7860c5763c38@diag.uniroma1.it>

bigben_worker() checks report_field to be non-NULL.
The check has been added in commit
918aa1ef104d ("HID: bigbenff: prevent null pointer dereference")
to prevent a NULL pointer crash.
However, the true root cause was a missing check for output
reports, patched in commit
c7bf714f8755 ("HID: check empty report_list in bigben_probe()"),
where the type-confused report list_entry was overlapping with
a NULL pointer, which was then causing the crash.

Fixes: 918aa1ef104d ("HID: bigbenff: prevent null pointer dereference")
Signed-off-by: Pietro Borrello
--- drivers/hid/hid-bigbenff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c index ed3d2d7bc1dd..b98c5f31c184 100644 --- a/drivers/hid/hid-bigbenff.c +++ b/drivers/hid/hid-bigbenff.c 
@@ -197,7 +197,7 @@ static void bigben_worker(struct work_struct *work) u32 len; unsigned long flags; - if (bigben->removed || !report_field) + if (bigben->removed) return; buf = hid_alloc_report_buf(bigben->report, GFP_KERNEL);

From patchwork Sun Feb 12 19:00:01 2023
X-Patchwork-Submitter: Pietro Borrello
X-Patchwork-Id: 653059
From: Pietro Borrello
Date: Sun, 12 Feb 2023 19:00:01 +0000
Subject: [PATCH v4 3/5] HID: bigben: use spinlock to safely schedule workers
Message-Id: <20230125-hid-unregister-leds-v4-3-7860c5763c38@diag.uniroma1.it>
In-Reply-To: <20230125-hid-unregister-leds-v4-0-7860c5763c38@diag.uniroma1.it>

Use spinlocks to deal with workers introducing a wrapper
bigben_schedule_work(), and several spinlock checks.
Otherwise, bigben_set_led() may schedule bigben->worker after the
structure has been freed, causing a use-after-free.

Fixes: 4eb1b01de5b9 ("HID: hid-bigbenff: fix race condition for scheduled work during removal")
Signed-off-by: Pietro Borrello
--- drivers/hid/hid-bigbenff.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c index b98c5f31c184..9d6560db762b 100644 --- a/drivers/hid/hid-bigbenff.c +++ b/drivers/hid/hid-bigbenff.c 
@@ -185,6 +185,15 @@ struct bigben_device { struct work_struct worker; }; +static inline void bigben_schedule_work(struct bigben_device *bigben) +{ + unsigned long flags; + + spin_lock_irqsave(&bigben->lock, flags); + if (!bigben->removed) + schedule_work(&bigben->worker); + spin_unlock_irqrestore(&bigben->lock, flags); +} static void bigben_worker(struct work_struct *work) { @@ -197,9 +206,6 @@ static void bigben_worker(struct work_struct *work) u32 len; unsigned long flags; - if (bigben->removed) - return; - buf = hid_alloc_report_buf(bigben->report, GFP_KERNEL); if (!buf) return; @@ -285,7 +291,7 @@ static int hid_bigben_play_effect(struct input_dev *dev, void *data, bigben->work_ff = true; spin_unlock_irqrestore(&bigben->lock, flags); - schedule_work(&bigben->worker); + bigben_schedule_work(bigben); } return 0; @@ -320,7 +326,7 @@ static void bigben_set_led(struct led_classdev *led, if (work) { bigben->work_led = true; - schedule_work(&bigben->worker); + bigben_schedule_work(bigben); } return; } 
@@ -450,7 +456,7 @@ static int bigben_probe(struct hid_device *hid, bigben->left_motor_force = 0; bigben->work_led = true; bigben->work_ff = true; - schedule_work(&bigben->worker); + bigben_schedule_work(bigben); hid_info(hid, "LED and force feedback support for BigBen gamepad\n");

From patchwork Sun Feb 12 19:00:02 2023
X-Patchwork-Submitter: Pietro Borrello
X-Patchwork-Id: 653838
From: Pietro Borrello
Date: Sun, 12 Feb 2023 19:00:02 +0000
Subject: [PATCH v4 4/5] HID: asus: use spinlock to protect concurrent accesses
Message-Id: <20230125-hid-unregister-leds-v4-4-7860c5763c38@diag.uniroma1.it>
In-Reply-To: <20230125-hid-unregister-leds-v4-0-7860c5763c38@diag.uniroma1.it>

asus driver has a worker that may access data concurrently.
Protect the accesses using a spinlock.

Fixes: af22a610bc38 ("HID: asus: support backlight on USB keyboards")
Signed-off-by: Pietro Borrello
--- drivers/hid/hid-asus.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c index f99752b998f3..9f767baf39fb 100644 --- a/drivers/hid/hid-asus.c +++ b/drivers/hid/hid-asus.c @@ -98,6 +98,7 @@ struct asus_kbd_leds { struct hid_device *hdev; struct work_struct work; unsigned int brightness; + spinlock_t lock; bool removed; }; 
@@ -495,7 +496,12 @@ static void asus_kbd_backlight_set(struct led_classdev *led_cdev, { struct asus_kbd_leds *led = container_of(led_cdev, struct asus_kbd_leds, cdev); + unsigned long flags; + + spin_lock_irqsave(&led->lock, flags); led->brightness = brightness; + spin_unlock_irqrestore(&led->lock, flags); + schedule_work(&led->work); } @@ -503,8 +509,14 @@ static enum led_brightness asus_kbd_backlight_get(struct led_classdev *led_cdev) { struct asus_kbd_leds *led = container_of(led_cdev, struct asus_kbd_leds, cdev); + enum led_brightness brightness; + unsigned long flags; - return led->brightness; + spin_lock_irqsave(&led->lock, flags); + brightness = led->brightness; + spin_unlock_irqrestore(&led->lock, flags); + + return brightness; } static void asus_kbd_backlight_work(struct work_struct *work) @@ -512,11 +524,14 @@ static void asus_kbd_backlight_work(struct work_struct *work) struct asus_kbd_leds *led = container_of(work, struct asus_kbd_leds, work); u8 buf[] = { FEATURE_KBD_REPORT_ID, 0xba, 0xc5, 0xc4, 0x00 }; int ret; + unsigned long flags; if (led->removed) return; + spin_lock_irqsave(&led->lock, flags); buf[4] = led->brightness; + spin_unlock_irqrestore(&led->lock, flags); ret = asus_kbd_set_report(led->hdev, buf, sizeof(buf)); if (ret < 0) @@ -584,6 +599,7 @@ static int asus_kbd_register_leds(struct hid_device *hdev) drvdata->kbd_backlight->cdev.brightness_set = asus_kbd_backlight_set; drvdata->kbd_backlight->cdev.brightness_get = asus_kbd_backlight_get; INIT_WORK(&drvdata->kbd_backlight->work, asus_kbd_backlight_work); + spin_lock_init(&drvdata->kbd_backlight->lock); ret = devm_led_classdev_register(&hdev->dev, &drvdata->kbd_backlight->cdev); if (ret < 0) { 
@@ -1119,9 +1135,13 @@ static int asus_probe(struct hid_device *hdev, const struct hid_device_id *id) static void asus_remove(struct hid_device *hdev) { struct asus_drvdata *drvdata = hid_get_drvdata(hdev); + unsigned long flags; if (drvdata->kbd_backlight) { + spin_lock_irqsave(&drvdata->kbd_backlight->lock, flags); drvdata->kbd_backlight->removed = true; + spin_unlock_irqrestore(&drvdata->kbd_backlight->lock, flags); + cancel_work_sync(&drvdata->kbd_backlight->work); }

From patchwork Sun Feb 12 19:00:03 2023
X-Patchwork-Submitter: Pietro Borrello
X-Patchwork-Id: 653057
From: Pietro Borrello
Date: Sun, 12 Feb 2023 19:00:03 +0000
Subject: [PATCH v4 5/5] HID: asus: use spinlock to safely schedule workers
Message-Id: <20230125-hid-unregister-leds-v4-5-7860c5763c38@diag.uniroma1.it>
In-Reply-To: <20230125-hid-unregister-leds-v4-0-7860c5763c38@diag.uniroma1.it>

Use spinlocks to deal with workers introducing a wrapper
asus_schedule_work(), and several spinlock checks.
Otherwise, asus_kbd_backlight_set() may schedule led->work after the
structure has been freed, causing a use-after-free.

Fixes: af22a610bc38 ("HID: asus: support backlight on USB keyboards")
Signed-off-by: Pietro Borrello
--- drivers/hid/hid-asus.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c index 9f767baf39fb..d1094bb1aa42 100644 --- a/drivers/hid/hid-asus.c +++ b/drivers/hid/hid-asus.c 
@@ -491,6 +491,16 @@ static int rog_nkey_led_init(struct hid_device *hdev) return ret; } +static void asus_schedule_work(struct asus_kbd_leds *led) +{ + unsigned long flags; + + spin_lock_irqsave(&led->lock, flags); + if (!led->removed) + schedule_work(&led->work); + spin_unlock_irqrestore(&led->lock, flags); +} + static void asus_kbd_backlight_set(struct led_classdev *led_cdev, enum led_brightness brightness) { @@ -502,7 +512,7 @@ static void asus_kbd_backlight_set(struct led_classdev *led_cdev, led->brightness = brightness; spin_unlock_irqrestore(&led->lock, flags); - schedule_work(&led->work); + asus_schedule_work(led); } static enum led_brightness asus_kbd_backlight_get(struct led_classdev *led_cdev) @@ -526,9 +536,6 @@ static void asus_kbd_backlight_work(struct work_struct *work) int ret; unsigned long flags; - if (led->removed) - return; - spin_lock_irqsave(&led->lock, flags); buf[4] = led->brightness; spin_unlock_irqrestore(&led->lock, flags);
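
Review bot: in patch 1/5, the new `spinlock_t lock;` member of struct bigben_device (@@ -174,6 +174,7 @@) carries no comment, unlike the led_state and right_motor_on members beside it. The later hunks take the lock around led_state, the motor fields, work_led/work_ff, removed and the shared report_field->value[] array, so a one-line comment naming what the lock protects would let the next reader check new accesses against it.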
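
Review bot: in patch 1/5, hid_bigben_play_effect() (@@ -242,9 +279,12 @@) still compares right_motor_on and left_motor_force against the bigben fields before spin_lock_irqsave(), so the test and the update are not one atomic step. Take the lock before the `if (right_motor_on != bigben->right_motor_on || ...)` test, record the outcome in a local, and schedule the work after unlocking.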
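
Review bot: in patch 1/5, the bigben_set_led() hunk (@@ -274,6 +316,7 @@) releases the lock before `bigben->work_led = true;`, so that flag is still written unlocked while bigben_worker() tests and clears it under bigben->lock. hid_bigben_play_effect() in the same patch sets work_ff inside the critical section; doing `if (work) bigben->work_led = true;` before spin_unlock_irqrestore() here, and leaving only the schedule call outside, would make the two paths consistent.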
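
Review bot: in patch 4/5, asus_kbd_backlight_work() (@@ -512,11 +524,14 @@) still reads led->removed before taking led->lock, although asus_remove() in the same patch now writes that flag under the lock. Either move the `if (led->removed)` test inside the critical section or note in the commit message that the check goes away in patch 5/5, so this patch is consistent when read on its own.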
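
Review bot: in patch 5/5, asus_kbd_backlight_set() (@@ -502,7 +512,7 @@) drops led->lock after storing brightness and asus_schedule_work() immediately takes it again. Storing the brightness and doing the `if (!led->removed) schedule_work(&led->work);` check in one critical section would avoid the second lock round trip. As a style point, asus_schedule_work() is declared `static void` while bigben_schedule_work() in patch 3/5 is `static inline void`; use one form in both drivers.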