On 04.05.24 at 11:25:03 MESZ, Aleksa Savic wrote
> Through hidraw, userspace can cause a status report to be sent
> from the device. The parsing in ccp_raw_event() may happen in
> parallel to a send_usb_cmd() call (which resets the completion
> for tracking the report) if it's running on a different CPU where
> bottom half interrupts are not disabled.
>
> Add a spinlock around the complete_all() in ccp_raw_event() and
> reinit_completion() in send_usb_cmd() to prevent race issues.
>
> Fixes: 40c3a4454225 ("hwmon: add Corsair Commander Pro driver")
> Signed-off-by: Aleksa Savic <savicaleksa83@xxxxxxxxx>
> ---
> drivers/hwmon/corsair-cpro.c | 24 +++++++++++++++++++-----
> 1 file changed, 19 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/hwmon/corsair-cpro.c b/drivers/hwmon/corsair-cpro.c
> index 6ab4d2478b1f..3e63666a61bd 100644
> --- a/drivers/hwmon/corsair-cpro.c
> +++ b/drivers/hwmon/corsair-cpro.c
> @@ -16,6 +16,7 @@
> #include <linux/module.h>
> #include <linux/mutex.h>
> #include <linux/slab.h>
> +#include <linux/spinlock.h>
> #include <linux/types.h>
>
> #define USB_VENDOR_ID_CORSAIR 0x1b1c
> @@ -77,6 +78,8 @@
> struct ccp_device {
> struct hid_device *hdev;
> struct device *hwmon_dev;
> + /* For reinitializing the completion below */
> + spinlock_t wait_input_report_lock;
> struct completion wait_input_report;
> struct mutex mutex; /* whenever buffer is used, lock before send_usb_cmd */
> u8 *cmd_buffer;
> @@ -118,7 +121,15 @@ static int send_usb_cmd(struct ccp_device *ccp, u8 command, u8 byte1, u8 byte2,
> ccp->cmd_buffer[2] = byte2;
> ccp->cmd_buffer[3] = byte3;
>
> + /*
> + * Disable raw event parsing for a moment to safely reinitialize the
> + * completion. Reinit is done because hidraw could have triggered
> + * the raw event parsing and marked the ccp->wait_input_report
> + * completion as done.
> + */
> + spin_lock_bh(&ccp->wait_input_report_lock);
> reinit_completion(&ccp->wait_input_report);
> + spin_unlock_bh(&ccp->wait_input_report_lock);
>
> ret = hid_hw_output_report(ccp->hdev, ccp->cmd_buffer, OUT_BUFFER_SIZE);
> if (ret < 0)
> @@ -136,11 +147,12 @@ static int ccp_raw_event(struct hid_device *hdev, struct hid_report *report, u8
> struct ccp_device *ccp = hid_get_drvdata(hdev);
>
> /* only copy buffer when requested */
> - if (completion_done(&ccp->wait_input_report))
> - return 0;
> -
> - memcpy(ccp->buffer, data, min(IN_BUFFER_SIZE, size));
> - complete_all(&ccp->wait_input_report);
> + spin_lock(&ccp->wait_input_report_lock);
> + if (!completion_done(&ccp->wait_input_report)) {
> + memcpy(ccp->buffer, data, min(IN_BUFFER_SIZE, size));
> + complete_all(&ccp->wait_input_report);
> + }
> + spin_unlock(&ccp->wait_input_report_lock);
>
> return 0;
> }
> @@ -515,7 +527,9 @@ static int ccp_probe(struct hid_device *hdev, const struct hid_device_id *id)
>
> ccp->hdev = hdev;
> hid_set_drvdata(hdev, ccp);
> +
> mutex_init(&ccp->mutex);
> + spin_lock_init(&ccp->wait_input_report_lock);
> init_completion(&ccp->wait_input_report);
>
> hid_device_io_start(hdev);
>
Acked-by: Marius Zachmann <mail@xxxxxxxxxxxxxxxxx>
