* [PATCH 0/3] hid: fix missing hid_is_usb() checks in three drivers
@ 2026-07-03 15:16 Jann Horn
2026-07-03 15:16 ` [PATCH 1/3] HID: asus: fix missing hid_is_usb() check Jann Horn
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Jann Horn @ 2026-07-03 15:16 UTC (permalink / raw)
To: Jiri Kosina, Benjamin Tissoires
Cc: Ilpo Järvinen, Mario Limonciello, Luke D. Jones, Miao Li,
linux-input, linux-kernel, Jann Horn, stable
This fixes missing hid_is_usb() checks before to_usb_interface() in
three HID drivers.
I've split it into three patches so that they can have separate "Fixes"
tags, hopefully they are easier to stable-backport this way.
Signed-off-by: Jann Horn <jannh@google.com>
---
Jann Horn (3):
HID: asus: fix missing hid_is_usb() check
HID: huawei: fix missing hid_is_usb() check
HID: rapoo: fix missing hid_is_usb() check
drivers/hid/hid-asus.c | 2 +-
drivers/hid/hid-huawei.c | 5 +++--
drivers/hid/hid-rapoo.c | 2 +-
3 files changed, 5 insertions(+), 4 deletions(-)
---
base-commit: 51512e22efe813d8223de27f6fd02a8a48ea2323
change-id: 20260703-hid-usbcheck-9163e6cf6015
Best regards,
--
Jann Horn <jannh@google.com>
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH 1/3] HID: asus: fix missing hid_is_usb() check
2026-07-03 15:16 [PATCH 0/3] hid: fix missing hid_is_usb() checks in three drivers Jann Horn
@ 2026-07-03 15:16 ` Jann Horn
2026-07-03 15:32 ` sashiko-bot
2026-07-03 15:16 ` [PATCH 2/3] HID: huawei: " Jann Horn
2026-07-03 15:16 ` [PATCH 3/3] HID: rapoo: " Jann Horn
2 siblings, 1 reply; 6+ messages in thread
From: Jann Horn @ 2026-07-03 15:16 UTC (permalink / raw)
To: Jiri Kosina, Benjamin Tissoires
Cc: Ilpo Järvinen, Mario Limonciello, Luke D. Jones, Miao Li,
linux-input, linux-kernel, Jann Horn, stable
to_usb_interface() can only be used on a hid_device whose parent is really
USB; uhid can create devices that identify as being on BUS_USB, but don't
actually have a USB parent.
Fix the use of to_usb_interface() without a hid_is_usb() check.
I have verified that it is currently possible to trigger a kernel splat due
to this bug in an ASAN build, and that this commit fixes the issue.
Fixes: 00e005c952f7 ("hid-asus: check ROG Ally MCU version and warn")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
---
drivers/hid/hid-asus.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
index 3f5e96900b67..befa990b3210 100644
--- a/drivers/hid/hid-asus.c
+++ b/drivers/hid/hid-asus.c
@@ -753,7 +753,7 @@ static int asus_kbd_register_leds(struct hid_device *hdev)
return ret;
}
- if (drvdata->quirks & QUIRK_ROG_ALLY_XPAD) {
+ if ((drvdata->quirks & QUIRK_ROG_ALLY_XPAD) && hid_is_usb(hdev)) {
intf = to_usb_interface(hdev->dev.parent);
udev = interface_to_usbdev(intf);
validate_mcu_fw_version(hdev,
--
2.55.0.rc0.799.gd6f94ed593-goog
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 2/3] HID: huawei: fix missing hid_is_usb() check
2026-07-03 15:16 [PATCH 0/3] hid: fix missing hid_is_usb() checks in three drivers Jann Horn
2026-07-03 15:16 ` [PATCH 1/3] HID: asus: fix missing hid_is_usb() check Jann Horn
@ 2026-07-03 15:16 ` Jann Horn
2026-07-03 15:16 ` [PATCH 3/3] HID: rapoo: " Jann Horn
2 siblings, 0 replies; 6+ messages in thread
From: Jann Horn @ 2026-07-03 15:16 UTC (permalink / raw)
To: Jiri Kosina, Benjamin Tissoires
Cc: Ilpo Järvinen, Mario Limonciello, Luke D. Jones, Miao Li,
linux-input, linux-kernel, Jann Horn, stable
to_usb_interface() can only be used on a hid_device whose parent is really
USB; uhid can create devices that identify as being on BUS_USB, but don't
actually have a USB parent.
Fix the use of to_usb_interface() without a hid_is_usb() check.
I have verified that it is currently possible to trigger a kernel splat due
to this bug in an ASAN build, and that this commit fixes the issue.
Fixes: e93faaca84b7 ("HID: huawei: fix CD30 keyboard report descriptor issue")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
---
drivers/hid/hid-huawei.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/hid/hid-huawei.c b/drivers/hid/hid-huawei.c
index 6a616bf21b38..ee3fc6f68475 100644
--- a/drivers/hid/hid-huawei.c
+++ b/drivers/hid/hid-huawei.c
@@ -44,11 +44,12 @@ static const __u8 huawei_cd30_kbd_rdesc_fixed[] = {
static const __u8 *huawei_report_fixup(struct hid_device *hdev, __u8 *rdesc,
unsigned int *rsize)
{
- struct usb_interface *intf = to_usb_interface(hdev->dev.parent);
+ struct usb_interface *intf = hid_is_usb(hdev) ?
+ to_usb_interface(hdev->dev.parent) : NULL;
switch (hdev->product) {
case USB_DEVICE_ID_HUAWEI_CD30KBD:
- if (intf->cur_altsetting->desc.bInterfaceNumber == 1) {
+ if (!intf || intf->cur_altsetting->desc.bInterfaceNumber == 1) {
if (*rsize != sizeof(huawei_cd30_kbd_rdesc_fixed) ||
memcmp(huawei_cd30_kbd_rdesc_fixed, rdesc,
sizeof(huawei_cd30_kbd_rdesc_fixed)) != 0) {
--
2.55.0.rc0.799.gd6f94ed593-goog
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 3/3] HID: rapoo: fix missing hid_is_usb() check
2026-07-03 15:16 [PATCH 0/3] hid: fix missing hid_is_usb() checks in three drivers Jann Horn
2026-07-03 15:16 ` [PATCH 1/3] HID: asus: fix missing hid_is_usb() check Jann Horn
2026-07-03 15:16 ` [PATCH 2/3] HID: huawei: " Jann Horn
@ 2026-07-03 15:16 ` Jann Horn
2026-07-03 15:29 ` sashiko-bot
2 siblings, 1 reply; 6+ messages in thread
From: Jann Horn @ 2026-07-03 15:16 UTC (permalink / raw)
To: Jiri Kosina, Benjamin Tissoires
Cc: Ilpo Järvinen, Mario Limonciello, Luke D. Jones, Miao Li,
linux-input, linux-kernel, Jann Horn, stable
to_usb_interface() can only be used on a hid_device whose parent is really
USB; uhid can create devices that identify as being on BUS_USB, but don't
actually have a USB parent.
Fix the use of to_usb_interface() without a hid_is_usb() check.
I have verified that it is currently possible to trigger a kernel splat due
to this bug in an ASAN build, and that this commit fixes the issue.
Fixes: 00e005c952f7 ("hid-asus: check ROG Ally MCU version and warn")Fixes: b3b1c68fb726 ("HID: rapoo: Add support for side buttons on RAPOO 0x2015 mouse")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
---
drivers/hid/hid-rapoo.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/hid-rapoo.c b/drivers/hid/hid-rapoo.c
index 4c81f3086de4..5c9c396fabf7 100644
--- a/drivers/hid/hid-rapoo.c
+++ b/drivers/hid/hid-rapoo.c
@@ -36,7 +36,7 @@ static int rapoo_probe(struct hid_device *hdev, const struct hid_device_id *id)
return ret;
}
- if (hdev->bus == BUS_USB) {
+ if (hid_is_usb(hdev)) {
struct usb_interface *intf = to_usb_interface(hdev->dev.parent);
if (intf->cur_altsetting->desc.bInterfaceNumber != 1)
--
2.55.0.rc0.799.gd6f94ed593-goog
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 3/3] HID: rapoo: fix missing hid_is_usb() check
2026-07-03 15:16 ` [PATCH 3/3] HID: rapoo: " Jann Horn
@ 2026-07-03 15:29 ` sashiko-bot
0 siblings, 0 replies; 6+ messages in thread
From: sashiko-bot @ 2026-07-03 15:29 UTC (permalink / raw)
To: Jann Horn; +Cc: dmitry.torokhov, linux-input
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Low] Missing Kconfig dependency `depends on USB_HID` for `CONFIG_HID_RAPOO` causes a linker error.
- [Low] Malformed `Fixes:` tags in the commit message.
--
commit ac5c5d7fc93db76e1ff4b587da9d47600a05ff83
Author: Jann Horn <jannh@google.com>
HID: rapoo: fix missing hid_is_usb() check
This commit fixes a potential splat by verifying a HID device is actually on
a USB bus before casting its parent to a usb_interface.
> I have verified that it is currently possible to trigger a kernel splat due
> to this bug in an ASAN build, and that this commit fixes the issue.
>
> Fixes: 00e005c952f7 ("hid-asus: check ROG Ally MCU version and warn")Fixes: b3b1c68fb726 ("HID: rapoo: Add support for side buttons on RAPOO 0x2015 mouse")
[Severity: Low]
This isn't a bug, but there are two Fixes tags concatenated on the same line.
Could this break automated patch parsing tools and stable backporting scripts
that expect each tag to be on a separate line?
> Cc: stable@vger.kernel.org
> Signed-off-by: Jann Horn <jannh@google.com>
>
> diff --git a/drivers/hid/hid-rapoo.c b/drivers/hid/hid-rapoo.c
> index 4c81f3086de43..5c9c396fabf77 100644
> --- a/drivers/hid/hid-rapoo.c
> +++ b/drivers/hid/hid-rapoo.c
[ ... ]
> @@ -36,7 +36,7 @@ static int rapoo_probe(struct hid_device *hdev, const struct hid_device_id *id)
> return ret;
> }
>
> - if (hdev->bus == BUS_USB) {
> + if (hid_is_usb(hdev)) {
[Severity: Low]
Does the introduction of hid_is_usb() in rapoo_probe() require an update to
the CONFIG_HID_RAPOO entry in drivers/hid/Kconfig?
Because hid_is_usb() is defined and exported exclusively by the usbhid module,
if a user configures the kernel with CONFIG_HID_RAPOO=y and CONFIG_USB_HID=n
(or m), will this cause a build failure during the linking stage due to an
undefined reference?
Should CONFIG_HID_RAPOO now explicitly depend on USB_HID?
> struct usb_interface *intf = to_usb_interface(hdev->dev.parent);
>
> if (intf->cur_altsetting->desc.bInterfaceNumber != 1)
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260703-hid-usbcheck-v1-0-e80259ff625d@google.com?part=3
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/3] HID: asus: fix missing hid_is_usb() check
2026-07-03 15:16 ` [PATCH 1/3] HID: asus: fix missing hid_is_usb() check Jann Horn
@ 2026-07-03 15:32 ` sashiko-bot
0 siblings, 0 replies; 6+ messages in thread
From: sashiko-bot @ 2026-07-03 15:32 UTC (permalink / raw)
To: Jann Horn; +Cc: dmitry.torokhov, linux-input
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Missing pointer invalidation after `devm_kfree` causes a deterministic Use-After-Free on the failure path.
--
commit d3bce769a13470fb7e8717746a98294d5eb006c9
Author: Jann Horn <jannh@google.com>
HID: asus: fix missing hid_is_usb() check
to_usb_interface() can only be used on a hid_device whose parent is really
USB; uhid can create devices that identify as being on BUS_USB, but don't
actually have a USB parent. Fix the use of to_usb_interface() without a
hid_is_usb() check.
> diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
> index 3f5e96900b67a..befa990b3210e 100644
> --- a/drivers/hid/hid-asus.c
> +++ b/drivers/hid/hid-asus.c
> @@ -753,7 +753,7 @@ static int asus_kbd_register_leds(struct hid_device *hdev)
> return ret;
> }
>
> - if (drvdata->quirks & QUIRK_ROG_ALLY_XPAD) {
> + if ((drvdata->quirks & QUIRK_ROG_ALLY_XPAD) && hid_is_usb(hdev)) {
> intf = to_usb_interface(hdev->dev.parent);
> udev = interface_to_usbdev(intf);
> validate_mcu_fw_version(hdev,
[Severity: High]
This is a pre-existing issue, but does the failure path in this function leave
a dangling pointer that can cause a use-after-free?
If asus_hid_register_listener() fails later in asus_kbd_register_leds():
ret = asus_hid_register_listener(&drvdata->kbd_backlight->listener);
if (ret < 0) {
/* No need to have this still around */
devm_kfree(&hdev->dev, drvdata->kbd_backlight);
}
The memory allocated for drvdata->kbd_backlight is freed, but the pointer is
not set to NULL.
Then asus_probe() catches the failure, emits a warning, but improperly allows
probe to succeed:
if (is_vendor && (drvdata->quirks & QUIRK_USE_KBD_BACKLIGHT) &&
(asus_has_report_id(hdev, FEATURE_KBD_REPORT_ID)) &&
(asus_kbd_register_leds(hdev)))
hid_warn(hdev, "Failed to initialize backlight.\n");
If this occurs, could a subsequent call to asus_remove() or asus_resume()
dereference the freed memory?
if (drvdata->kbd_backlight) {
asus_hid_unregister_listener(&drvdata->kbd_backlight->listener);
spin_lock_irqsave(&drvdata->kbd_backlight->lock, flags);
drvdata->kbd_backlight->removed = true;
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260703-hid-usbcheck-v1-0-e80259ff625d@google.com?part=1
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-07-03 15:32 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-03 15:16 [PATCH 0/3] hid: fix missing hid_is_usb() checks in three drivers Jann Horn
2026-07-03 15:16 ` [PATCH 1/3] HID: asus: fix missing hid_is_usb() check Jann Horn
2026-07-03 15:32 ` sashiko-bot
2026-07-03 15:16 ` [PATCH 2/3] HID: huawei: " Jann Horn
2026-07-03 15:16 ` [PATCH 3/3] HID: rapoo: " Jann Horn
2026-07-03 15:29 ` sashiko-bot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox