Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event

syzbot

8:52 AM
to ker...@phwe.de, ker...@phwe.de, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> #syz test

This crash does not have a reproducer. I cannot test it.

>
> Quiesce HID input in hid_hw_stop() when io_started is true, so that
> hidraw_report_event() cannot race with the upcoming hid_disconnect()
> that frees the hidraw object.
>
> This is a centralized variant of Edward Adam Davis's per-driver fix
> ("hwmon: prevent packets from going to driver for probe", 2026-04-28).
> Of 15 hid_device_io_start() callers in the tree, 8 lack the matching
> io_stop() before hid_hw_stop() in their error paths.
>
> ---
> drivers/hid/hid-core.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
> index 41a79e43c82b..6b024118d983 100644
> --- a/drivers/hid/hid-core.c
> +++ b/drivers/hid/hid-core.c
> @@ -2440,9 +2440,16 @@ EXPORT_SYMBOL_GPL(hid_hw_start);
> *
> * This is usually called from remove function or from probe when something
> * failed and hid_hw_start was called already.
> + *
> + * If the caller enabled HID input via hid_device_io_start() and is unwinding
> + * without an explicit hid_device_io_stop(), quiesce input first so that
> + * in-flight reports cannot reach handlers (e.g. hidraw_report_event) whose
> + * backing objects hid_disconnect() is about to free.
> */
> void hid_hw_stop(struct hid_device *hdev)
> {
> + if (hdev->io_started)
> + hid_device_io_stop(hdev);
> hid_disconnect(hdev);
> hdev->ll_driver->stop(hdev);
> }
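Review bot: the new `if (hdev->io_started)` guard runs on every hid_hw_stop() call, including the normal remove path the existing comment names ("usually called from remove function"), not only in probe error unwinding, and the commit message does not say whether io_started can still be true there nor why an unlocked read of io_started is safe against a concurrent hid_device_io_start(). Please state that in the message, and since it claims 8 of 15 hid_device_io_start() callers lack the matching io_stop() without naming any, list them so the claim can be checked and say whether the 7 drivers that already call hid_device_io_stop() before hid_hw_stop() are now expected to drop that call.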
> --
> 2.53.0
>
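As a worked illustration of the race the patch describes, here is a constructed user-space model, added to this thread and not code from the patch author or from the kernel. It assumes the shape of the HID core as I understand it rather than taking it from the patch: the core holds driver_input_lock across probe, hid_input_report() only dispatches when it can trylock that lock, hid_device_io_start() releases it and hid_device_io_stop() re-acquires it. A pthread mutex plays the kernel semaphore and a "freed" flag plays the kfree() done by hid_disconnect(), so the model itself never touches freed memory.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the HID core objects involved; not kernel code. */
struct hidraw {
    int events;
    bool freed;             /* set where the kernel would kfree() the object */
};

struct hid_device {
    pthread_mutex_t driver_input_lock;  /* stands in for the kernel semaphore */
    bool io_started;
    struct hidraw *hidraw;
};

static atomic_int delivered;        /* reports that reached a live hidraw */
static atomic_int reached_freed;    /* reports that reached a freed hidraw */
static atomic_long attempts;        /* feeder loop iterations */
static atomic_bool feeder_run;

/* Stand-in for hidraw_report_event(): touches the hidraw object. */
static void hidraw_report_event(struct hid_device *hdev)
{
    struct hidraw *raw = hdev->hidraw;

    if (raw->freed) {               /* would be the use-after-free in the kernel */
        atomic_fetch_add(&reached_freed, 1);
        return;
    }
    raw->events++;
    atomic_fetch_add(&delivered, 1);
}

/* Stand-in for hid_input_report(): drop the report if input is quiesced. */
static void hid_input_report(struct hid_device *hdev)
{
    if (pthread_mutex_trylock(&hdev->driver_input_lock) != 0)
        return;
    hidraw_report_event(hdev);
    pthread_mutex_unlock(&hdev->driver_input_lock);
}

static void hid_device_io_start(struct hid_device *hdev)
{
    hdev->io_started = true;
    pthread_mutex_unlock(&hdev->driver_input_lock);   /* open the gate */
}

static void hid_device_io_stop(struct hid_device *hdev)
{
    hdev->io_started = false;
    pthread_mutex_lock(&hdev->driver_input_lock);     /* waits out in-flight handlers */
}

static void hid_disconnect(struct hid_device *hdev)
{
    hdev->hidraw->freed = true;                        /* kfree(hidraw) in the kernel */
}

/* hid_hw_stop() with the patch's quiesce step (true) or without it (false). */
static void hid_hw_stop(struct hid_device *hdev, bool quiesce)
{
    if (quiesce && hdev->io_started)
        hid_device_io_stop(hdev);
    hid_disconnect(hdev);
}

/* Plays the transport: keeps feeding reports until told to stop. */
static void *feeder(void *arg)
{
    while (atomic_load(&feeder_run)) {
        hid_input_report(arg);
        atomic_fetch_add(&attempts, 1);
    }
    return NULL;
}

/* One probe-failure unwind: the driver called hid_device_io_start(), a later
 * probe step fails, and it unwinds through hid_hw_stop() without its own
 * hid_device_io_stop().  Returns how many reports reached the freed hidraw. */
static int run_probe_failure(bool quiesce)
{
    struct hidraw raw = { 0, false };
    struct hid_device hdev = { PTHREAD_MUTEX_INITIALIZER, false, &raw };
    pthread_t t;
    long target;

    atomic_store(&delivered, 0);
    atomic_store(&reached_freed, 0);
    atomic_store(&feeder_run, true);

    pthread_mutex_lock(&hdev.driver_input_lock);   /* core: held across probe */
    pthread_create(&t, NULL, feeder, &hdev);

    hid_device_io_start(&hdev);                    /* driver opened input */
    while (atomic_load(&delivered) < 1000)
        ;                                          /* let reports flow for a while */

    hid_hw_stop(&hdev, quiesce);                   /* probe failed: unwind */
    target = atomic_load(&attempts) + 100000;      /* transport keeps sending */
    while (atomic_load(&attempts) < target)
        ;

    atomic_store(&feeder_run, false);
    pthread_join(t, NULL);
    if (!hdev.io_started)                          /* core releases what probe left held */
        pthread_mutex_unlock(&hdev.driver_input_lock);
    return atomic_load(&reached_freed);
}

/* Reports that reached a live hidraw during the last run. */
static int last_delivered(void)
{
    return atomic_load(&delivered);
}

int main(void)
{
    printf("without quiesce: %d report(s) hit the freed hidraw\n",
           run_probe_failure(false));
    printf("with quiesce:    %d report(s) hit the freed hidraw\n",
           run_probe_failure(true));
    return 0;
}
```

Run with `gcc -pthread model.c -o model && ./model`. With the quiesce step, hid_device_io_stop() re-acquires the lock before hid_disconnect(), so it cannot return while a handler is still inside the hidraw object and every later report is dropped at the trylock; the unpatched run usually shows a non-zero count because the lock stays open after the driver's io_start() and reports keep reaching the freed object.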