Linux Input/HID development
From: sashiko-bot@kernel.org
To: "Jann Horn" <jannh@google.com>
Cc: dmitry.torokhov@gmail.com, linux-input@vger.kernel.org
Subject: Re: [PATCH v2 3/3] HID: rapoo: fix missing hid_is_usb() check
Date: Fri, 03 Jul 2026 16:02:17 +0000
Message-ID: <20260703160218.17EFE1F000E9@smtp.kernel.org>
In-Reply-To: <20260703-hid-usbcheck-v2-3-c5ed7bc94772@google.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Missing hid_hw_stop() cleanup on error paths in rapoo_probe() causes hardware resource leaks and a Use-After-Free.
--

commit ed7992bab1a88e74142aa29aa65b4061257a86cb
Author: Jann Horn <jannh@google.com>

HID: rapoo: fix missing hid_is_usb() check

This commit adds a hid_is_usb() check before calling to_usb_interface() to
handle uhid devices reporting BUS_USB without an actual USB parent. It also
adds a USB_HID dependency for hid_is_usb().

[ ... ]

> diff --git a/drivers/hid/hid-rapoo.c b/drivers/hid/hid-rapoo.c
> index 4c81f3086de43..5c9c396fabf77 100644
> --- a/drivers/hid/hid-rapoo.c
> +++ b/drivers/hid/hid-rapoo.c
> @@ -36,7 +36,7 @@ static int rapoo_probe(struct hid_device *hdev, const struct hid_device_id *id)
>  		return ret;
>  	}
>  
> -	if (hdev->bus == BUS_USB) {
> +	if (hid_is_usb(hdev)) {
>  		struct usb_interface *intf = to_usb_interface(hdev->dev.parent);
>  
>  		if (intf->cur_altsetting->desc.bInterfaceNumber != 1)
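Review bot: Guarding `to_usb_interface(hdev->dev.parent)` with `hid_is_usb(hdev)` instead of `hdev->bus == BUS_USB` is the right fix for the case the commit message describes (a uhid device reporting BUS_USB without a USB parent), since `hid_is_usb()` checks the parent device type rather than the advertised bus. The commit message also says a USB_HID Kconfig dependency is added for `hid_is_usb()`, but that change is elided from the quoted diff; please confirm it is part of the same patch so the symbol is available on every configuration that builds this driver.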

[Severity: High]
This is a pre-existing issue, but are we missing hid_hw_stop() calls on the
error paths later in rapoo_probe()?

If devm_input_allocate_device() fails, the code returns -ENOMEM directly:

	input = devm_input_allocate_device(&hdev->dev);
	if (!input)
		return -ENOMEM;

Similarly, if input_register_device() fails, it returns the error:

	ret = input_register_device(input);
	if (ret)
		return ret;

When returning these errors after hid_hw_start() has succeeded, the HID core
probe fails and sets hdev->driver to NULL, but hid_hw_stop() is never called
to stop the hardware and kill active URBs.

When the device is later unplugged, usbhid_disconnect() frees the usbhid
structure, but skips hid_hw_stop() because hdev->driver is NULL.

Because active USB URBs are not killed, when the USB core later flushes the
endpoints and cancels the URBs, the completion handler hid_irq_in() attempts
to clear state bits in the already-freed usbhid structure, like calling
clear_bit(HID_IN_RUNNING, &usbhid->iofl).

This results in a use-after-free write memory corruption. While this requires
local physical access to the USB port and specific conditions like memory
pressure to induce a probe failure, it guarantees memory corruption when
triggered.

Would it be better to add an error label that calls hid_hw_stop() when the
input device allocation or registration fails?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260703-hid-usbcheck-v2-0-c5ed7bc94772@google.com?part=3
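The error-path problem the review describes is easy to model outside the kernel. The following is an added example, not code from the patch or from drivers/hid/hid-rapoo.c: the `mock_hid_*` and `mock_input_*` functions are hypothetical user-space stand-ins that only record whether the hardware is "started", not the kernel APIs. `probe_leaky()` mirrors the early-return structure the review quotes, and `probe_fixed()` adds the error label that balances the start call, so a forced allocation or registration failure can be checked for a leaked started state.

```c
/* Added example: user-space model of the rapoo_probe() error-path pattern.
 * All mock_* names are hypothetical stand-ins, not kernel APIs. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MOCK_ENOMEM 12   /* constructed errno value for the model */
#define MOCK_EIO    5

struct mock_hid_device {
	int hw_started;      /* 1 while hardware is started (model of active URBs) */
	bool fail_alloc;     /* test knob: make input allocation fail */
	bool fail_register;  /* test knob: make input registration fail */
};

struct mock_input_dev {
	int registered;
};

static struct mock_input_dev g_input;  /* single static device for the model */

static int mock_hid_hw_start(struct mock_hid_device *hdev)
{
	hdev->hw_started = 1;
	return 0;
}

static void mock_hid_hw_stop(struct mock_hid_device *hdev)
{
	hdev->hw_started = 0;
}

static struct mock_input_dev *mock_input_alloc(struct mock_hid_device *hdev)
{
	if (hdev->fail_alloc)
		return NULL;
	g_input.registered = 0;
	return &g_input;
}

static int mock_input_register(struct mock_hid_device *hdev,
			       struct mock_input_dev *input)
{
	if (hdev->fail_register)
		return -MOCK_EIO;
	input->registered = 1;
	return 0;
}

/* Probe shaped like the code the review quotes: early returns after the
 * hardware was started never stop it again. */
int probe_leaky(struct mock_hid_device *hdev)
{
	struct mock_input_dev *input;
	int ret = mock_hid_hw_start(hdev);

	if (ret)
		return ret;
	input = mock_input_alloc(hdev);
	if (!input)
		return -MOCK_ENOMEM;   /* hardware left started */
	ret = mock_input_register(hdev, input);
	if (ret)
		return ret;            /* hardware left started */
	return 0;
}

/* Same probe with the error label the review suggests. */
int probe_fixed(struct mock_hid_device *hdev)
{
	struct mock_input_dev *input;
	int ret = mock_hid_hw_start(hdev);

	if (ret)
		return ret;
	input = mock_input_alloc(hdev);
	if (!input) {
		ret = -MOCK_ENOMEM;
		goto err_stop;
	}
	ret = mock_input_register(hdev, input);
	if (ret)
		goto err_stop;
	return 0;

err_stop:
	mock_hid_hw_stop(hdev);   /* balances the start call on every failure */
	return ret;
}

/* Run a probe variant under a forced failure and report whether the
 * hardware was left started: 1 = leak, 0 = clean, -1 = probe did not fail. */
int hw_left_started(int (*probe)(struct mock_hid_device *),
		    bool fail_alloc, bool fail_register)
{
	struct mock_hid_device hdev = { 0, fail_alloc, fail_register };

	if (probe(&hdev) == 0)
		return -1;
	return hdev.hw_started;
}

int main(void)
{
	printf("leaky probe, alloc failure: hw_started=%d\n",
	       hw_left_started(probe_leaky, true, false));
	printf("fixed probe, alloc failure: hw_started=%d\n",
	       hw_left_started(probe_fixed, true, false));
	return 0;
}
```

The model only tracks a started flag, so it shows the resource imbalance, not the later free in usbhid_disconnect() or the completion-handler write; the point is that every path out of the probe after a successful start must pass through the stop call.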

Thread overview: 6+ messages
2026-07-03 15:45 [PATCH v2 0/3] hid: fix missing hid_is_usb() checks in three drivers Jann Horn
2026-07-03 15:45 ` [PATCH v2 1/3] HID: asus: fix missing hid_is_usb() check Jann Horn
2026-07-03 15:58   ` sashiko-bot
2026-07-03 15:45 ` [PATCH v2 2/3] HID: huawei: " Jann Horn
2026-07-03 15:45 ` [PATCH v2 3/3] HID: rapoo: " Jann Horn
2026-07-03 16:02   ` sashiko-bot [this message]
