Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event

Next message: syzbot: "[syzbot] [kvm?] [kvm-x86?] KASAN: use-after-free Read in kvm_xen_shared_info_init"
Previous message: Ajit Singh: "[PATCH v3 3/3] arm64: dts: qcom: Add Vicharak Axon Mini"
Next in thread: syzbot: "Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Philipp Weber

Date: Tue May 19 2026 - 09:00:52 EST

#syz test

Quiesce HID input in hid_hw_stop() when io_started is true, so that
hidraw_report_event() cannot race with the upcoming hid_disconnect()
that frees the hidraw object.

This is a centralized variant of Edward Adam Davis's per-driver fix
("hwmon: prevent packets from going to driver for probe", 2026-04-28).
Of 15 hid_device_io_start() callers in the tree, 8 lack the matching
io_stop() before hid_hw_stop() in their error paths.

---
drivers/hid/hid-core.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 41a79e43c82b..6b024118d983 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2440,9 +2440,16 @@ EXPORT_SYMBOL_GPL(hid_hw_start);
*
* This is usually called from remove function or from probe when something
* failed and hid_hw_start was called already.
+ *
+ * If the caller enabled HID input via hid_device_io_start() and is unwinding
+ * without an explicit hid_device_io_stop(), quiesce input first so that
+ * in-flight reports cannot reach handlers (e.g. hidraw_report_event) whose
+ * backing objects hid_disconnect() is about to free.
*/
void hid_hw_stop(struct hid_device *hdev)
{
+ if (hdev->io_started)
+ hid_device_io_stop(hdev);
hid_disconnect(hdev);
hdev->ll_driver->stop(hdev);
}
--
2.53.0