From: sashiko-bot@kernel.org
To: "Jann Horn" <jannh@google.com>
Cc: dmitry.torokhov@gmail.com, linux-input@vger.kernel.org
Subject: Re: [PATCH v2 3/3] HID: rapoo: fix missing hid_is_usb() check
Date: Fri, 03 Jul 2026 16:02:17 +0000 [thread overview]
Message-ID: <20260703160218.17EFE1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260703-hid-usbcheck-v2-3-c5ed7bc94772@google.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Missing hid_hw_stop() cleanup on error paths in rapoo_probe() causes hardware resource leaks and a Use-After-Free.
--
commit ed7992bab1a88e74142aa29aa65b4061257a86cb
Author: Jann Horn <jannh@google.com>
HID: rapoo: fix missing hid_is_usb() check
This commit adds a hid_is_usb() check before calling to_usb_interface() to
handle uhid devices reporting BUS_USB without an actual USB parent. It also
adds a USB_HID dependency for hid_is_usb().
[ ... ]
> diff --git a/drivers/hid/hid-rapoo.c b/drivers/hid/hid-rapoo.c
> index 4c81f3086de43..5c9c396fabf77 100644
> --- a/drivers/hid/hid-rapoo.c
> +++ b/drivers/hid/hid-rapoo.c
> @@ -36,7 +36,7 @@ static int rapoo_probe(struct hid_device *hdev, const struct hid_device_id *id)
> return ret;
> }
>
> - if (hdev->bus == BUS_USB) {
> + if (hid_is_usb(hdev)) {
> struct usb_interface *intf = to_usb_interface(hdev->dev.parent);
>
> if (intf->cur_altsetting->desc.bInterfaceNumber != 1)
[Severity: High]
This is a pre-existing issue, but are we missing hid_hw_stop() calls on the
error paths later in rapoo_probe()?
If devm_input_allocate_device() fails, the code returns -ENOMEM directly:
input = devm_input_allocate_device(&hdev->dev);
if (!input)
return -ENOMEM;
Similarly, if input_register_device() fails, it returns the error:
ret = input_register_device(input);
if (ret)
return ret;
When returning these errors after hid_hw_start() has succeeded, the HID core
probe fails and sets hdev->driver to NULL, but hid_hw_stop() is never called
to stop the hardware and kill active URBs.
When the device is later unplugged, usbhid_disconnect() frees the usbhid
structure, but skips hid_hw_stop() because hdev->driver is NULL.
Because active USB URBs are not killed, when the USB core later flushes the
endpoints and cancels the URBs, the completion handler hid_irq_in() attempts
to clear state bits in the already-freed usbhid structure, like calling
clear_bit(HID_IN_RUNNING, &usbhid->iofl).
This results in a use-after-free write memory corruption. While this requires
local physical access to the USB port and specific conditions like memory
pressure to induce a probe failure, it guarantees memory corruption when
triggered.
Would it be better to add an error label that calls hid_hw_stop() when the
input device allocation or registration fails?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260703-hid-usbcheck-v2-0-c5ed7bc94772@google.com?part=3
prev parent reply other threads:[~2026-07-03 16:02 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-03 15:45 [PATCH v2 0/3] hid: fix missing hid_is_usb() checks in three drivers Jann Horn
2026-07-03 15:45 ` [PATCH v2 1/3] HID: asus: fix missing hid_is_usb() check Jann Horn
2026-07-03 15:58 ` sashiko-bot
2026-07-03 15:45 ` [PATCH v2 2/3] HID: huawei: " Jann Horn
2026-07-03 15:45 ` [PATCH v2 3/3] HID: rapoo: " Jann Horn
2026-07-03 16:02 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260703160218.17EFE1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=jannh@google.com \
--cc=linux-input@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox