From: James Ye To: jikos@kernel.org, bentiss@kernel.org, lee@kernel.org, pavel@kernel.org Cc: linux-input@vger.kernel.org, linux-leds@vger.kernel.org, linux-kernel@vger.kernel.org, denis.benato@linux.dev, James Ye Subject: [PATCH 1/6] HID: input: delete hid_battery on disconnect Date: Sun, 3 May 2026 17:26:38 +1000 Message-ID: <20260503072643.2774762-2-jye836@gmail.com> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260503072643.2774762-1-jye836@gmail.com> References: <20260503072643.2774762-1-jye836@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit This fixes a use-after-free when an HID device containing a battery is disconnected then reconnected, such as due to binding to a different driver. BUG: KASAN: slab-use-after-free in hidinput_setup_battery.isra.0+0x15a/0x9db [hid] Signed-off-by: James Ye --- drivers/hid/hid-input.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c index d73cfa2e73d3..ae0e11c61eb8 100644 --- a/drivers/hid/hid-input.c +++ b/drivers/hid/hid-input.c @@ -2408,6 +2408,7 @@ EXPORT_SYMBOL_GPL(hidinput_connect); void hidinput_disconnect(struct hid_device *hid) { struct hid_input *hidinput, *next; + struct hid_battery *bat, *bat_next; list_for_each_entry_safe(hidinput, next, &hid->inputs, list) { list_del(&hidinput->list); 
@@ -2419,6 +2420,10 @@ void hidinput_disconnect(struct hid_device *hid) kfree(hidinput); } + list_for_each_entry_safe(bat, bat_next, &hid->batteries, list) { + list_del(&bat->list); + } + /* led_work is spawned by input_dev callbacks, but doesn't access the * parent input_dev at all. Once all input devices are removed, we * know that led_work will never get restarted, so we can cancel it -- 2.54.0
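Review bot: the new loop in hidinput_disconnect() only unlinks each entry with `list_del(&bat->list)`; nothing in this hunk frees the `struct hid_battery` or tears down anything it points at, so if these entries are allocated on the connect path (the KASAN report names hidinput_setup_battery()) they now leak on every disconnect, and if they are owned and freed elsewhere a one-line comment in the loop naming that owner would save the next reader the same question. The subject line says "delete hid_battery", which reads as freeing rather than unlinking; either free here or reword the subject to match what the loop does. The commit message would also be stronger if it stated what the stale `hid->batteries` entries still referenced after the `kfree(hidinput)` loop above, since that is the invariant this change restores and what a reader of the KASAN line needs in order to judge that unlinking alone is sufficient.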