* Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event
From: Edward Adam Davis @ 2026-04-27 5:05 UTC (permalink / raw)
To: syzbot+9eebf5f6544c5e873858; +Cc: linux-kernel, syzkaller-bugs
#syz test
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 61afec5915ec..0b588e002834 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2353,14 +2353,16 @@ EXPORT_SYMBOL_GPL(hid_connect);
void hid_disconnect(struct hid_device *hdev)
{
+ unsigned claimed = hdev->claimed;
+ hdev->claimed = 0;
+
device_remove_file(&hdev->dev, &dev_attr_country);
- if (hdev->claimed & HID_CLAIMED_INPUT)
+ if (claimed & HID_CLAIMED_INPUT)
hidinput_disconnect(hdev);
- if (hdev->claimed & HID_CLAIMED_HIDDEV)
+ if (claimed & HID_CLAIMED_HIDDEV)
hdev->hiddev_disconnect(hdev);
- if (hdev->claimed & HID_CLAIMED_HIDRAW)
+ if (claimed & HID_CLAIMED_HIDRAW)
hidraw_disconnect(hdev);
- hdev->claimed = 0;
hid_bpf_disconnect_device(hdev);
}
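Review bot: Snapshotting `hdev->claimed` and zeroing it before the disconnect calls does not synchronize with a concurrent reader: the input path shown in the trace (`hid_report_raw_event` → `hidraw_report_event`) tests `claimed` and then uses `hdev->hidraw`, so a reader that passed the test before this store still reaches `hidraw_report_event` after `hidraw_disconnect` has freed the object, and a plain store carries no ordering that would close that window; the syzbot run later in the thread still reproduces. The disconnect has to wait for in-flight reports (whatever serializes `hid_input_report` against `hid_hw_stop`, presumably around `driver_input_lock`) rather than rely on the flag. Two smaller points: checkpatch prefers `unsigned int claimed = hdev->claimed;` over bare `unsigned`, and clearing `hdev->claimed` before `hidinput_disconnect`/`hiddev_disconnect`/`hidraw_disconnect` run changes what those callees observe if any of them consult the flag, which is worth confirming.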
* Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event
From: Edward Adam Davis @ 2026-04-27 9:18 UTC (permalink / raw)
To: syzbot+9eebf5f6544c5e873858; +Cc: linux-kernel, syzkaller-bugs
#syz test
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 0b588e002834..8739f794d80a 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2144,12 +2144,18 @@ static int __hid_input_report(struct hid_device *hid, enum hid_report_type type,
}
if (hdrv && hdrv->raw_event && hid_match_report(hid, report)) {
+ printk("before psu raw event, hid: %p claimed: %u, size: %u, "
+ "data: %p, %s\n", hid, hid->claimed, size, data,
+ __func__);
ret = hdrv->raw_event(hid, report, data, size);
+ printk("after psu raw event, hid: %p claimed: %u, %s\n",
+ hid, hid->claimed, __func__);
if (ret < 0)
goto unlock;
}
ret = hid_report_raw_event(hid, type, data, size, interrupt);
+ printk("after report raw event, hid: %p, %s\n", hid, __func__);
unlock:
if (!lock_already_taken)
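Review bot: The new `printk()` calls carry no log level, so they go out at the default level; even for a `#syz test` patch `pr_info`/`KERN_INFO` (or `pr_debug`) is the usual form, and the same applies to the two calls added in `hid_device_probe` below. `%p` prints a hashed pointer unless `no_hash_pointers` is in effect, so unless the test instance enables that the logged values will not line up with the raw addresses in the KASAN report; the output later in the thread shows raw-looking addresses, so it appears to be enabled there, but that is worth confirming. Since the free happens in `hidraw_disconnect` called from `hid_hw_stop` on the probe path, a matching line at the free site (logging `hid` and `hid->hidraw` just before the `kfree`) would let the two sides of the race be correlated. `__hid_input_report` continues outside the hunk.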
@@ -2818,8 +2824,11 @@ static int hid_device_probe(struct device *dev)
hdev->io_started = false;
clear_bit(ffs(HID_STAT_REPROBED), &hdev->status);
- if (!hdev->driver)
+ if (!hdev->driver) {
+ printk("before hid dev probe, hid: %p, %s\n", hdev, __func__);
ret = __hid_device_probe(hdev, hdrv);
+ printk("after hid dev probe, hid: %p, %s\n", hdev, __func__);
+ }
if (!hdev->io_started)
up(&hdev->driver_input_lock);
* Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event
From: syzbot @ 2026-04-27 12:49 UTC (permalink / raw)
To: eadavis, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in hidraw_report_event
before psu raw event, hid: ffff88805fe30000 claimed: 4, size: 1, data: ffff888046630000, __hid_input_report
after psu raw event, hid: ffff88805fe30000 claimed: 4, __hid_input_report
==================================================================
BUG: KASAN: slab-use-after-free in rt_spin_lock+0x83/0x400 kernel/locking/spinlock_rt.c:56
Read of size 1 at addr ffff88805d993108 by task ktimers/1/30
CPU: 1 UID: 0 PID: 30 Comm: ktimers/1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description+0x55/0x1e0 mm/kasan/report.c:378
print_report+0x58/0x70 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
__kasan_check_byte+0x2a/0x40 mm/kasan/common.c:574
kasan_check_byte include/linux/kasan.h:402 [inline]
lock_acquire+0x84/0x350 kernel/locking/lockdep.c:5844
rt_spin_lock+0x83/0x400 kernel/locking/spinlock_rt.c:56
spin_lock include/linux/spinlock_rt.h:45 [inline]
hidraw_report_event+0x5d/0x3a0 drivers/hid/hidraw.c:577
hid_report_raw_event+0x311/0x1730 drivers/hid/hid-core.c:2076
__hid_input_report drivers/hid/hid-core.c:2157 [inline]
hid_input_report+0x2ff/0x660 drivers/hid/hid-core.c:2180
hid_irq_in+0x47e/0x6d0 drivers/hid/usbhid/hid-core.c:286
__usb_hcd_giveback_urb+0x3b3/0x5e0 drivers/usb/core/hcd.c:1657
dummy_timer+0x8a9/0x47d0 drivers/usb/gadget/udc/dummy_hcd.c:2005
__run_hrtimer kernel/time/hrtimer.c:1930 [inline]
__hrtimer_run_queues+0x405/0xb10 kernel/time/hrtimer.c:1994
hrtimer_run_softirq+0x18f/0x260 kernel/time/hrtimer.c:2011
handle_softirqs+0x1de/0x6d0 kernel/softirq.c:626
__do_softirq kernel/softirq.c:660 [inline]
run_ktimerd+0x69/0x100 kernel/softirq.c:1155
smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 5930:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5415
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
hidraw_connect+0x57/0x430 drivers/hid/hidraw.c:606
hid_connect+0x5bf/0x19d0 drivers/hid/hid-core.c:2283
hid_hw_start+0xa8/0x120 drivers/hid/hid-core.c:2393
corsairpsu_probe+0xd9/0x3c0 drivers/hwmon/corsair-psu.c:782
__hid_device_probe drivers/hid/hid-core.c:2789 [inline]
hid_device_probe+0x5ec/0x810 drivers/hid/hid-core.c:2827
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
hid_add_device+0x272/0x3e0 drivers/hid/hid-core.c:2973
usbhid_probe+0xbb3/0x1080 drivers/hid/usbhid/hid-core.c:1448
usb_probe_interface+0x659/0xc70 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
usb_set_configuration+0x1a87/0x2110 drivers/usb/core/message.c:2268
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x3b0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
usb_new_device+0x9f8/0x16e0 drivers/usb/core/hub.c:2695
hub_port_connect drivers/usb/core/hub.c:5567 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x2a49/0x4f60 drivers/usb/core/hub.c:5953
process_one_work+0x9a3/0x1710 kernel/workqueue.c:3312
process_scheduled_works kernel/workqueue.c:3403 [inline]
worker_thread+0xba8/0x11e0 kernel/workqueue.c:3489
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 5930:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2689 [inline]
slab_free mm/slub.c:6246 [inline]
kfree+0x1c5/0x6c0 mm/slub.c:6561
hidraw_disconnect+0x4f/0x60 drivers/hid/hidraw.c:662
hid_disconnect drivers/hid/hid-core.c:2368 [inline]
hid_hw_stop+0x101/0x1e0 drivers/hid/hid-core.c:2413
corsairpsu_probe+0x327/0x3c0 drivers/hwmon/corsair-psu.c:826
__hid_device_probe drivers/hid/hid-core.c:2789 [inline]
hid_device_probe+0x5ec/0x810 drivers/hid/hid-core.c:2827
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
hid_add_device+0x272/0x3e0 drivers/hid/hid-core.c:2973
usbhid_probe+0xbb3/0x1080 drivers/hid/usbhid/hid-core.c:1448
usb_probe_interface+0x659/0xc70 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
usb_set_configuration+0x1a87/0x2110 drivers/usb/core/message.c:2268
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x3b0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
usb_new_device+0x9f8/0x16e0 drivers/usb/core/hub.c:2695
hub_port_connect drivers/usb/core/hub.c:5567 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x2a49/0x4f60 drivers/usb/core/hub.c:5953
process_one_work+0x9a3/0x1710 kernel/workqueue.c:3312
process_scheduled_works kernel/workqueue.c:3403 [inline]
worker_thread+0xba8/0x11e0 kernel/workqueue.c:3489
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff88805d993000
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 264 bytes inside of
freed 512-byte region [ffff88805d993000, ffff88805d993200)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5d990
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88813fe14c80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 0080000000000040 ffff88813fe14c80 dead000000000100 dead000000000122
head: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 0080000000000002 ffffffffffffff01 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6438, tgid 6438 (syz-executor), ts 146028154099, free_ts 138107673454
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1858
prep_new_page mm/page_alloc.c:1866 [inline]
get_page_from_freelist+0x27d6/0x2850 mm/page_alloc.c:3946
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5226
alloc_slab_page mm/slub.c:3278 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3467
new_slab mm/slub.c:3525 [inline]
refill_objects+0x33c/0x3d0 mm/slub.c:7251
refill_sheaf mm/slub.c:2816 [inline]
__pcs_replace_empty_main+0x373/0x720 mm/slub.c:4651
alloc_from_pcs mm/slub.c:4749 [inline]
slab_alloc_node mm/slub.c:4883 [inline]
__kmalloc_cache_noprof+0x44e/0x690 mm/slub.c:5410
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
mca_alloc net/ipv6/mcast.c:871 [inline]
__ipv6_dev_mc_inc+0x44f/0xa50 net/ipv6/mcast.c:961
ipv6_add_dev+0xe9f/0x1410 net/ipv6/addrconf.c:475
addrconf_notify+0x771/0x1050 net/ipv6/addrconf.c:3662
notifier_call_chain+0x1ad/0x3d0 kernel/notifier.c:85
call_netdevice_notifiers_extack net/core/dev.c:2288 [inline]
call_netdevice_notifiers net/core/dev.c:2302 [inline]
register_netdevice+0x18d5/0x1ed0 net/core/dev.c:11466
register_netdev+0x40/0x60 net/core/dev.c:11544
sit_init_net+0x228/0x5d0 net/ipv6/sit.c:1860
ops_init+0x35c/0x5c0 net/core/net_namespace.c:137
setup_net+0x118/0x340 net/core/net_namespace.c:446
page last free pid 6296 tgid 6296 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1402 [inline]
__free_frozen_pages+0xf9b/0x10f0 mm/page_alloc.c:2943
__slab_free+0x252/0x2a0 mm/slub.c:5608
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x99/0x100 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4569 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_node_track_caller_noprof+0x323/0x7e0 mm/slub.c:5403
kmemdup_noprof+0x2b/0x70 mm/util.c:138
kmemdup_noprof include/linux/fortify-string.h:763 [inline]
neigh_sysctl_register+0xae/0xa90 net/core/neighbour.c:3861
addrconf_sysctl_register+0xb3/0x1c0 net/ipv6/addrconf.c:7379
ipv6_add_dev+0xd82/0x1410 net/ipv6/addrconf.c:460
addrconf_notify+0x771/0x1050 net/ipv6/addrconf.c:3662
notifier_call_chain+0x1ad/0x3d0 kernel/notifier.c:85
call_netdevice_notifiers_extack net/core/dev.c:2288 [inline]
call_netdevice_notifiers net/core/dev.c:2302 [inline]
register_netdevice+0x18d5/0x1ed0 net/core/dev.c:11466
veth_newlink+0x67b/0xb70 drivers/net/veth.c:1889
rtnl_newlink_create+0x329/0xb70 net/core/rtnetlink.c:3863
__rtnl_newlink net/core/rtnetlink.c:3994 [inline]
rtnl_newlink+0x166a/0x1bb0 net/core/rtnetlink.c:4109
Memory state around the buggy address:
ffff88805d993000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88805d993080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88805d993100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88805d993180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88805d993200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Tested on:
commit: 7080e32d Add linux-next specific files for 20260424
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=131d92ce580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d941ac7f11ceb230
dashboard link: https://syzkaller.appspot.com/bug?extid=9eebf5f6544c5e873858
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=12fe4506580000
* Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event
From: Edward Adam Davis @ 2026-04-27 13:11 UTC (permalink / raw)
To: syzbot+9eebf5f6544c5e873858; +Cc: linux-kernel, syzkaller-bugs
#syz test
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 0b588e002834..a688f5edf9fb 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2144,12 +2144,18 @@ static int __hid_input_report(struct hid_device *hid, enum hid_report_type type,
}
if (hdrv && hdrv->raw_event && hid_match_report(hid, report)) {
+ printk("before psu raw event, hid: %p claimed: %u, size: %u, "
+ "data: %p, lk (%p) cnt: %u, %s\n", hid, hid->claimed, size, data,
+ &hid->driver_input_lock,
+ hid->driver_input_lock.count,
+ __func__);
ret = hdrv->raw_event(hid, report, data, size);
if (ret < 0)
goto unlock;
}
ret = hid_report_raw_event(hid, type, data, size, interrupt);
+ printk("after report raw event, hid: %p, ret: %d, %s\n", hid, ret, __func__);
unlock:
if (!lock_already_taken)
@@ -2818,8 +2824,15 @@ static int hid_device_probe(struct device *dev)
hdev->io_started = false;
clear_bit(ffs(HID_STAT_REPROBED), &hdev->status);
- if (!hdev->driver)
+ if (!hdev->driver) {
+ printk("before hid dev probe, hid: %p claimed: %u, lk (%p) cnt: %u, %s\n",
+ hdev, hdev->claimed,
+ &hdev->driver_input_lock,
+ hdev->driver_input_lock.count,
+ __func__);
ret = __hid_device_probe(hdev, hdrv);
+ printk("after hid dev probe, hid: %p claimed: %u, ret: %d, %s\n", hdev, hdev->claimed, ret, __func__);
+ }
if (!hdev->io_started)
up(&hdev->driver_input_lock);
@@ -3002,6 +3015,11 @@ struct hid_device *hid_allocate_device(void)
INIT_LIST_HEAD(&hdev->debug_list);
spin_lock_init(&hdev->debug_list_lock);
sema_init(&hdev->driver_input_lock, 1);
+ printk("before psu raw event, hid: %p claimed: %u, "
+ "lk (%p) cnt: %u, %s\n", hdev, hdev->claimed,
+ &hdev->driver_input_lock,
+ hdev->driver_input_lock.count,
+ __func__);
mutex_init(&hdev->ll_open_lock);
kref_init(&hdev->ref);
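Review bot: The message in the `printk()` added to `hid_allocate_device` reads `before psu raw event`, copied from the `__hid_input_report` hunk, which will mislead anyone grepping the log even though `__func__` is appended; label it for this site, e.g. `printk("hid allocated, hid: %p claimed: %u, lk (%p) cnt: %u, %s\n", ...)`. As in the other two hunks of this patch, the calls have no log level, and reading `driver_input_lock.count` directly is a racy peek at the semaphore's internal state without its lock, acceptable only in throwaway debug output. `hid_allocate_device` continues outside the hunk.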
* Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event
From: syzbot @ 2026-04-27 14:09 UTC (permalink / raw)
To: eadavis, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in hidraw_report_event
before psu raw event, hid: ffff8880398f0000 claimed: 4, size: 1, data: ffff88803b938000, lk (ffff8880398f18e0) cnt: 0, __hid_input_report
==================================================================
BUG: KASAN: slab-use-after-free in rt_spin_lock+0x83/0x400 kernel/locking/spinlock_rt.c:56
Read of size 1 at addr ffff888042804908 by task ktimers/1/30
CPU: 1 UID: 0 PID: 30 Comm: ktimers/1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description+0x55/0x1e0 mm/kasan/report.c:378
print_report+0x58/0x70 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
__kasan_check_byte+0x2a/0x40 mm/kasan/common.c:574
kasan_check_byte include/linux/kasan.h:402 [inline]
lock_acquire+0x84/0x350 kernel/locking/lockdep.c:5844
rt_spin_lock+0x83/0x400 kernel/locking/spinlock_rt.c:56
spin_lock include/linux/spinlock_rt.h:45 [inline]
hidraw_report_event+0x5d/0x3a0 drivers/hid/hidraw.c:577
hid_report_raw_event+0x311/0x1730 drivers/hid/hid-core.c:2076
__hid_input_report drivers/hid/hid-core.c:2157 [inline]
hid_input_report+0x2ea/0x630 drivers/hid/hid-core.c:2180
hid_irq_in+0x47e/0x6d0 drivers/hid/usbhid/hid-core.c:286
__usb_hcd_giveback_urb+0x3b3/0x5e0 drivers/usb/core/hcd.c:1657
dummy_timer+0x8a9/0x47d0 drivers/usb/gadget/udc/dummy_hcd.c:2005
__run_hrtimer kernel/time/hrtimer.c:1930 [inline]
__hrtimer_run_queues+0x405/0xb10 kernel/time/hrtimer.c:1994
hrtimer_run_softirq+0x18f/0x260 kernel/time/hrtimer.c:2011
handle_softirqs+0x1de/0x6d0 kernel/softirq.c:626
__do_softirq kernel/softirq.c:660 [inline]
run_ktimerd+0x69/0x100 kernel/softirq.c:1155
smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 6609:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5415
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
hidraw_connect+0x57/0x430 drivers/hid/hidraw.c:606
hid_connect+0x5bf/0x19d0 drivers/hid/hid-core.c:2283
hid_hw_start+0xa8/0x120 drivers/hid/hid-core.c:2393
corsairpsu_probe+0xd9/0x3c0 drivers/hwmon/corsair-psu.c:782
__hid_device_probe drivers/hid/hid-core.c:2789 [inline]
hid_device_probe+0x65b/0x8e0 drivers/hid/hid-core.c:2831
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
hid_add_device+0x272/0x3e0 drivers/hid/hid-core.c:2977
usbhid_probe+0xbb3/0x1080 drivers/hid/usbhid/hid-core.c:1448
usb_probe_interface+0x659/0xc70 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
usb_set_configuration+0x1a87/0x2110 drivers/usb/core/message.c:2268
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x3b0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
usb_new_device+0x9f8/0x16e0 drivers/usb/core/hub.c:2695
hub_port_connect drivers/usb/core/hub.c:5567 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x2a49/0x4f60 drivers/usb/core/hub.c:5953
process_one_work+0x9a3/0x1710 kernel/workqueue.c:3312
process_scheduled_works kernel/workqueue.c:3403 [inline]
worker_thread+0xba8/0x11e0 kernel/workqueue.c:3489
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff888042804800
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 264 bytes inside of
freed 512-byte region [ffff888042804800, ffff888042804a00)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x42804
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88813fe14c80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 0080000000000040 ffff88813fe14c80 dead000000000100 dead000000000122
head: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 0080000000000002 ffffffffffffff01 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5897, tgid 5897 (syz-executor), ts 92047685272, free_ts 91305001513
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1858
prep_new_page mm/page_alloc.c:1866 [inline]
get_page_from_freelist+0x27d6/0x2850 mm/page_alloc.c:3946
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5226
alloc_slab_page mm/slub.c:3278 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3467
new_slab mm/slub.c:3525 [inline]
refill_objects+0x33c/0x3d0 mm/slub.c:7251
refill_sheaf mm/slub.c:2816 [inline]
__pcs_replace_empty_main+0x373/0x720 mm/slub.c:4651
alloc_from_pcs mm/slub.c:4749 [inline]
slab_alloc_node mm/slub.c:4883 [inline]
__kmalloc_cache_noprof+0x44e/0x690 mm/slub.c:5410
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
rxrpc_alloc_peer+0x7d/0x340 net/rxrpc/peer_object.c:229
rxrpc_service_prealloc_one+0x1f4/0xe20 net/rxrpc/call_accept.c:73
afs_charge_preallocation+0x394/0x4e0 fs/afs/rxrpc.c:758
afs_open_socket+0x33c/0x3f0 fs/afs/rxrpc.c:112
afs_net_init+0x6ce/0x8f0 fs/afs/main.c:116
ops_init+0x35c/0x5c0 net/core/net_namespace.c:137
setup_net+0x118/0x340 net/core/net_namespace.c:446
copy_net_ns+0x50e/0x730 net/core/net_namespace.c:579
create_new_namespaces+0x3e7/0x6a0 kernel/nsproxy.c:132
page last free pid 32 tgid 32 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1402 [inline]
__free_frozen_pages+0xf9b/0x10f0 mm/page_alloc.c:2943
kasan_depopulate_vmalloc_pte+0x6d/0x90 mm/kasan/shadow.c:484
apply_to_pte_range mm/memory.c:3322 [inline]
apply_to_pmd_range mm/memory.c:3366 [inline]
apply_to_pud_range mm/memory.c:3402 [inline]
apply_to_p4d_range mm/memory.c:3438 [inline]
__apply_to_page_range+0xbdc/0x1420 mm/memory.c:3474
__kasan_release_vmalloc+0xa2/0xd0 mm/kasan/shadow.c:602
kasan_release_vmalloc include/linux/kasan.h:593 [inline]
kasan_release_vmalloc_node mm/vmalloc.c:2284 [inline]
purge_vmap_node+0x220/0x960 mm/vmalloc.c:2306
__purge_vmap_area_lazy+0x779/0xb40 mm/vmalloc.c:2396
drain_vmap_area_work+0x27/0x40 mm/vmalloc.c:2430
process_one_work+0x9a3/0x1710 kernel/workqueue.c:3312
process_scheduled_works kernel/workqueue.c:3403 [inline]
worker_thread+0xba8/0x11e0 kernel/workqueue.c:3489
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Memory state around the buggy address:
ffff888042804800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888042804880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888042804900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888042804980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888042804a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Tested on:
commit: 7080e32d Add linux-next specific files for 20260424
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=14d46b6c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d941ac7f11ceb230
dashboard link: https://syzkaller.appspot.com/bug?extid=9eebf5f6544c5e873858
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1086916a580000
* Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event
From: Hillf Danton @ 2026-04-27 23:21 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
> Date: Sun, 26 Apr 2026 20:28:32 -0700
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 7080e32d3f09 Add linux-next specific files for 20260424
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=13d8b2d2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d941ac7f11ceb230
> dashboard link: https://syzkaller.appspot.com/bug?extid=9eebf5f6544c5e873858
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14d309ba580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13a082ce580000
#syz test
--- x/drivers/hid/usbhid/hid-core.c
+++ y/drivers/hid/usbhid/hid-core.c
@@ -280,7 +280,7 @@ static void hid_irq_in(struct urb *urb)
case 0: /* success */
usbhid->retry_delay = 0;
if (!test_bit(HID_OPENED, &usbhid->iofl))
- break;
+ return;
usbhid_mark_busy(usbhid);
if (!test_bit(HID_RESUME_RUNNING, &usbhid->iofl)) {
hid_input_report(urb->context, HID_INPUT_REPORT,
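Review bot: Replacing `break` with `return` skips the tail of `hid_irq_in`, which lies outside the hunk: if, as in the rest of this function, the URB is resubmitted after the `switch` and `HID_IN_RUNNING` is only cleared when that resubmit fails, a report arriving while `HID_OPENED` is clear now leaves the bit set with no URB in flight, so a later open cannot restart input. It also does not touch the report that triggers the bug, which passes the `HID_OPENED` test and reaches `hid_input_report`; the syzbot run that follows still reproduces. If the intent is to drop reports for a closed device, keep the `break` so the URB is resubmitted, and deal with the lifetime of `hid->hidraw` on the `hid_hw_stop`/`hidraw_disconnect` side where the free in the report occurs.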
--
* Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event
From: syzbot @ 2026-04-27 23:57 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in hidraw_report_event
==================================================================
BUG: KASAN: slab-use-after-free in rt_spin_lock+0x83/0x400 kernel/locking/spinlock_rt.c:56
Read of size 1 at addr ffff888034486d08 by task ktimers/0/16
CPU: 0 UID: 0 PID: 16 Comm: ktimers/0 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description+0x55/0x1e0 mm/kasan/report.c:378
print_report+0x58/0x70 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
__kasan_check_byte+0x2a/0x40 mm/kasan/common.c:574
kasan_check_byte include/linux/kasan.h:402 [inline]
lock_acquire+0x84/0x350 kernel/locking/lockdep.c:5844
rt_spin_lock+0x83/0x400 kernel/locking/spinlock_rt.c:56
spin_lock include/linux/spinlock_rt.h:45 [inline]
hidraw_report_event+0x5d/0x3a0 drivers/hid/hidraw.c:577
hid_report_raw_event+0x311/0x1730 drivers/hid/hid-core.c:2076
__hid_input_report drivers/hid/hid-core.c:2152 [inline]
hid_input_report+0x44e/0x580 drivers/hid/hid-core.c:2174
hid_irq_in+0x47e/0x6d0 drivers/hid/usbhid/hid-core.c:286
__usb_hcd_giveback_urb+0x3b3/0x5e0 drivers/usb/core/hcd.c:1657
dummy_timer+0x8a9/0x47d0 drivers/usb/gadget/udc/dummy_hcd.c:2005
__run_hrtimer kernel/time/hrtimer.c:1930 [inline]
__hrtimer_run_queues+0x405/0xb10 kernel/time/hrtimer.c:1994
hrtimer_run_softirq+0x18f/0x260 kernel/time/hrtimer.c:2011
handle_softirqs+0x1de/0x6d0 kernel/softirq.c:626
__do_softirq kernel/softirq.c:660 [inline]
run_ktimerd+0x69/0x100 kernel/softirq.c:1155
smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 5722:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5415
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
hidraw_connect+0x57/0x430 drivers/hid/hidraw.c:606
hid_connect+0x5bf/0x19d0 drivers/hid/hid-core.c:2277
hid_hw_start+0xa8/0x120 drivers/hid/hid-core.c:2387
corsairpsu_probe+0xd9/0x3c0 drivers/hwmon/corsair-psu.c:782
__hid_device_probe drivers/hid/hid-core.c:2783 [inline]
hid_device_probe+0x416/0x7a0 drivers/hid/hid-core.c:2820
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
hid_add_device+0x272/0x3e0 drivers/hid/hid-core.c:2964
usbhid_probe+0xbb3/0x1080 drivers/hid/usbhid/hid-core.c:1448
usb_probe_interface+0x659/0xc70 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
usb_set_configuration+0x1a87/0x2110 drivers/usb/core/message.c:2268
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x3b0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
usb_new_device+0x9f8/0x16e0 drivers/usb/core/hub.c:2695
hub_port_connect drivers/usb/core/hub.c:5567 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x2a49/0x4f60 drivers/usb/core/hub.c:5953
process_one_work+0x9a3/0x1710 kernel/workqueue.c:3312
process_scheduled_works kernel/workqueue.c:3403 [inline]
worker_thread+0xba8/0x11e0 kernel/workqueue.c:3489
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 5722:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2689 [inline]
slab_free mm/slub.c:6246 [inline]
kfree+0x1c5/0x6c0 mm/slub.c:6561
hidraw_disconnect+0x4f/0x60 drivers/hid/hidraw.c:662
hid_disconnect drivers/hid/hid-core.c:2362 [inline]
hid_hw_stop+0x101/0x1e0 drivers/hid/hid-core.c:2407
corsairpsu_probe+0x327/0x3c0 drivers/hwmon/corsair-psu.c:826
__hid_device_probe drivers/hid/hid-core.c:2783 [inline]
hid_device_probe+0x416/0x7a0 drivers/hid/hid-core.c:2820
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
hid_add_device+0x272/0x3e0 drivers/hid/hid-core.c:2964
usbhid_probe+0xbb3/0x1080 drivers/hid/usbhid/hid-core.c:1448
usb_probe_interface+0x659/0xc70 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
usb_set_configuration+0x1a87/0x2110 drivers/usb/core/message.c:2268
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x3b0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
usb_new_device+0x9f8/0x16e0 drivers/usb/core/hub.c:2695
hub_port_connect drivers/usb/core/hub.c:5567 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x2a49/0x4f60 drivers/usb/core/hub.c:5953
process_one_work+0x9a3/0x1710 kernel/workqueue.c:3312
process_scheduled_works kernel/workqueue.c:3403 [inline]
worker_thread+0xba8/0x11e0 kernel/workqueue.c:3489
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff888034486c00
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 264 bytes inside of
freed 512-byte region [ffff888034486c00, ffff888034486e00)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x34484
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88813fe18c80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 0080000000000040 ffff88813fe18c80 dead000000000100 dead000000000122
head: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 0080000000000002 ffffffffffffff01 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 21287101631, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1858
prep_new_page mm/page_alloc.c:1866 [inline]
get_page_from_freelist+0x27d6/0x2850 mm/page_alloc.c:3946
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5226
alloc_slab_page mm/slub.c:3278 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3467
new_slab mm/slub.c:3525 [inline]
refill_objects+0x33c/0x3d0 mm/slub.c:7251
refill_sheaf mm/slub.c:2816 [inline]
__pcs_replace_empty_main+0x373/0x720 mm/slub.c:4651
alloc_from_pcs mm/slub.c:4749 [inline]
slab_alloc_node mm/slub.c:4883 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_node_track_caller_noprof+0x60b/0x7e0 mm/slub.c:5403
__do_krealloc mm/slub.c:6706 [inline]
krealloc_node_align_noprof+0x19a/0x390 mm/slub.c:6765
add_sysfs_param+0xd4/0xb80 kernel/params.c:648
kernel_add_sysfs_param+0x7f/0xe0 kernel/params.c:797
param_sysfs_builtin+0x199/0x250 kernel/params.c:836
param_sysfs_builtin_init+0x23/0x30 kernel/params.c:972
do_one_initcall+0x250/0x870 init/main.c:1392
do_initcall_level+0x104/0x190 init/main.c:1454
do_initcalls+0x59/0xa0 init/main.c:1470
kernel_init_freeable+0x2a6/0x3e0 init/main.c:1703
page_owner free stack trace missing
Memory state around the buggy address:
ffff888034486c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888034486c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888034486d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888034486d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888034486e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Tested on:
commit: 39704f00 Add linux-next specific files for 20260427
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1459b2d2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=dea2372337a7c0e
dashboard link: https://syzkaller.appspot.com/bug?extid=9eebf5f6544c5e873858
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=11e062ce580000
* Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event
From: Edward Adam Davis @ 2026-04-28 1:04 UTC (permalink / raw)
To: syzbot+9eebf5f6544c5e873858; +Cc: linux-kernel, syzkaller-bugs
#syz test
diff --git a/drivers/hwmon/corsair-psu.c b/drivers/hwmon/corsair-psu.c
index dddbd2463f8d..4e766bf32189 100644
--- a/drivers/hwmon/corsair-psu.c
+++ b/drivers/hwmon/corsair-psu.c
@@ -823,6 +823,7 @@ static int corsairpsu_probe(struct hid_device *hdev, const struct hid_device_id
fail_and_close:
hid_hw_close(hdev);
fail_and_stop:
+ hid_device_io_stop(hdev);
hid_hw_stop(hdev);
return ret;
}
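Review bot: `hid_device_io_stop(hdev)` under the `fail_and_stop:` label runs on every failure path, including any that jump there before hid_device_io_start() was called; if I recall correctly the helper warns and returns without taking driver_input_lock when io was never started, so either guard the call on the probe having started io or confirm that the spurious warning is acceptable, and note which label each early failure uses. The fix is also driver-local while the race it closes — an input report landing between hid_device_io_start() and hid_hw_stop() on a failed probe — applies to any HID driver that starts io in probe, so a reviewer would ask whether hid_hw_stop() or __hid_device_probe() should quiesce io itself. A one-line comment at the call site, `/* stop input delivery before hid_hw_stop() frees the hidraw state */`, would record why the ordering matters. The identical hunk is resubmitted as the formal `[PATCH] hwmon:` message further down the thread, where the same points apply. corsairpsu_probe()'s body, including the hid_device_io_start() call, is outside the hunk.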
* Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event
From: Hillf Danton @ 2026-04-28 3:51 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
> Date: Sun, 26 Apr 2026 20:28:32 -0700
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 7080e32d3f09 Add linux-next specific files for 20260424
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=13d8b2d2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d941ac7f11ceb230
> dashboard link: https://syzkaller.appspot.com/bug?extid=9eebf5f6544c5e873858
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14d309ba580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13a082ce580000
#syz test
--- x/drivers/hid/hid-core.c
+++ y/drivers/hid/hid-core.c
@@ -2404,8 +2404,8 @@ EXPORT_SYMBOL_GPL(hid_hw_start);
*/
void hid_hw_stop(struct hid_device *hdev)
{
- hid_disconnect(hdev);
hdev->ll_driver->stop(hdev);
+ hid_disconnect(hdev);
}
EXPORT_SYMBOL_GPL(hid_hw_stop);
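Review bot: Moving `hid_disconnect(hdev)` after `hdev->ll_driver->stop(hdev)` inverts the teardown: the transport is stopped and its buffers freed while the hidraw node created by hid_connect() is still registered and reachable from userspace. The syzbot result for this patch shows exactly that — the buffers freed in usbhid_stop() via hid_hw_stop() are then read from hidraw_open() → hid_hw_power() on an openat() syscall — so the change relocates the use-after-free from the input path to the open/power path rather than closing it. The original order (disconnect the upper layers first, then stop the transport) is what the character-device paths assume; the missing piece is quiescing in-flight input reports before hid_disconnect() frees hidraw, not stopping the low-level driver earlier. The same hunk is repeated in the later message in this thread alongside the usbhid_power() change, where the same point applies.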
--- x/drivers/hid/usbhid/hid-core.c
+++ y/drivers/hid/usbhid/hid-core.c
@@ -279,6 +279,8 @@ static void hid_irq_in(struct urb *urb)
switch (urb->status) {
case 0: /* success */
usbhid->retry_delay = 0;
+ if (test_bit(HID_DISCONNECTED, &usbhid->iofl))
+ return;
if (!test_bit(HID_OPENED, &usbhid->iofl))
break;
usbhid_mark_busy(usbhid);
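Review bot: The added `test_bit(HID_DISCONNECTED, &usbhid->iofl)` check is an unsynchronized read against whoever sets the bit (not visible here; presumably the usbhid stop/disconnect path): a completion that passes the test on one CPU can still be inside hid_input_report() when hid_disconnect() frees hidraw on another, so the check narrows the window without closing it, consistent with the reproducer still firing. The early `return` also bypasses whatever follows the switch for the disconnected case, which is reasonable if URB resubmission lives there but deserves a comment, e.g. `/* transport torn down: drop the report and do not resubmit */`. Closing the race needs ordering between the completion handler and hid_disconnect() — usb_kill_urb() on the input URB before the upper layers are freed, or the driver_input_lock discipline the core already has — rather than a flag test in the handler. The same hunk reappears in the later message in this thread together with a usbhid_power() change. hid_irq_in() continues outside the hunk.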
--
* Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event
From: syzbot @ 2026-04-28 4:37 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in __pm_runtime_resume
==================================================================
BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:132 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0x40/0x60 kernel/locking/spinlock.c:166
Read of size 1 at addr ffff888025619f40 by task syz.4.22/6495
CPU: 0 UID: 0 PID: 6495 Comm: syz.4.22 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description+0x55/0x1e0 mm/kasan/report.c:378
print_report+0x58/0x70 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
__kasan_check_byte+0x2a/0x40 mm/kasan/common.c:574
kasan_check_byte include/linux/kasan.h:402 [inline]
lock_acquire+0x84/0x350 kernel/locking/lockdep.c:5844
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:132 [inline]
_raw_spin_lock_irqsave+0x40/0x60 kernel/locking/spinlock.c:166
rtlock_slowlock kernel/locking/rtmutex.c:1913 [inline]
rtlock_lock kernel/locking/spinlock_rt.c:43 [inline]
__rt_spin_lock kernel/locking/spinlock_rt.c:49 [inline]
rt_spin_lock+0x157/0x400 kernel/locking/spinlock_rt.c:57
spin_lock include/linux/spinlock_rt.h:45 [inline]
__pm_runtime_resume+0x10f/0x170 drivers/base/power/runtime.c:1196
pm_runtime_get_active include/linux/pm_runtime.h:520 [inline]
pm_runtime_resume_and_get include/linux/pm_runtime.h:539 [inline]
usb_autopm_get_interface+0x20/0xf0 drivers/usb/core/driver.c:1867
hid_hw_power include/linux/hid.h:1239 [inline]
hidraw_open+0x24d/0x8a0 drivers/hid/hidraw.c:302
chrdev_open+0x4d0/0x5f0 fs/char_dev.c:411
do_dentry_open+0x83d/0x13e0 fs/open.c:947
vfs_open+0x3b/0x350 fs/open.c:1079
do_open fs/namei.c:4699 [inline]
path_openat+0x2e43/0x38a0 fs/namei.c:4858
do_file_open+0x23e/0x4a0 fs/namei.c:4887
do_sys_openat2+0x113/0x200 fs/open.c:1364
do_sys_open fs/open.c:1370 [inline]
__do_sys_openat fs/open.c:1386 [inline]
__se_sys_openat fs/open.c:1381 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1381
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc684ded60e
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007fc684485b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fc6844866c0 RCX: 00007fc684ded60e
RDX: 0000000000000002 RSI: 00007fc684485c00 RDI: ffffffffffffff9c
RBP: 00007fc684485c00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: cccccccccccccccd
R13: 00007fc6850a6038 R14: 00007fc6850a5fa0 R15: 00007ffda357f558
</TASK>
Allocated by task 10:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5415
kmalloc_noprof include/linux/slab.h:950 [inline]
hid_alloc_buffers drivers/hid/usbhid/hid-core.c:863 [inline]
usbhid_start+0x94b/0x24b0 drivers/hid/usbhid/hid-core.c:1108
hid_hw_start+0x65/0x120 drivers/hid/hid-core.c:2382
corsairpsu_probe+0xd9/0x3c0 drivers/hwmon/corsair-psu.c:782
__hid_device_probe drivers/hid/hid-core.c:2783 [inline]
hid_device_probe+0x416/0x7a0 drivers/hid/hid-core.c:2820
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
hid_add_device+0x272/0x3e0 drivers/hid/hid-core.c:2964
usbhid_probe+0xbb3/0x1080 drivers/hid/usbhid/hid-core.c:1450
usb_probe_interface+0x659/0xc70 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
usb_set_configuration+0x1a87/0x2110 drivers/usb/core/message.c:2268
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x3b0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
usb_new_device+0x9f8/0x16e0 drivers/usb/core/hub.c:2695
hub_port_connect drivers/usb/core/hub.c:5567 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x2a49/0x4f60 drivers/usb/core/hub.c:5953
process_one_work+0x9a3/0x1710 kernel/workqueue.c:3312
process_scheduled_works kernel/workqueue.c:3403 [inline]
worker_thread+0xba8/0x11e0 kernel/workqueue.c:3489
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 10:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2689 [inline]
slab_free mm/slub.c:6246 [inline]
kfree+0x1c5/0x6c0 mm/slub.c:6561
hid_free_buffers drivers/hid/usbhid/hid-core.c:979 [inline]
usbhid_stop+0x6c1/0x890 drivers/hid/usbhid/hid-core.c:1273
hid_hw_stop+0x64/0x1e0 drivers/hid/hid-core.c:2407
corsairpsu_probe+0x327/0x3c0 drivers/hwmon/corsair-psu.c:826
__hid_device_probe drivers/hid/hid-core.c:2783 [inline]
hid_device_probe+0x416/0x7a0 drivers/hid/hid-core.c:2820
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
hid_add_device+0x272/0x3e0 drivers/hid/hid-core.c:2964
usbhid_probe+0xbb3/0x1080 drivers/hid/usbhid/hid-core.c:1450
usb_probe_interface+0x659/0xc70 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
usb_set_configuration+0x1a87/0x2110 drivers/usb/core/message.c:2268
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x3b0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
usb_new_device+0x9f8/0x16e0 drivers/usb/core/hub.c:2695
hub_port_connect drivers/usb/core/hub.c:5567 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x2a49/0x4f60 drivers/usb/core/hub.c:5953
process_one_work+0x9a3/0x1710 kernel/workqueue.c:3312
process_scheduled_works kernel/workqueue.c:3403 [inline]
worker_thread+0xba8/0x11e0 kernel/workqueue.c:3489
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff888025619f40
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
freed 8-byte region [ffff888025619f40, ffff888025619f48)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888025619ec0 pfn:0x25619
flags: 0x80000000000200(workingset|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000200 ffff88813fe18500 ffffea0000ce7ed0 ffffea000095a890
raw: ffff888025619ec0 000000080080007d 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 10, tgid 10 (kworker/0:1), ts 12827494800, free_ts 5034338554
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1858
prep_new_page mm/page_alloc.c:1866 [inline]
get_page_from_freelist+0x27d6/0x2850 mm/page_alloc.c:3946
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5226
alloc_slab_page mm/slub.c:3278 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3467
new_slab mm/slub.c:3525 [inline]
refill_objects+0x33c/0x3d0 mm/slub.c:7251
refill_sheaf mm/slub.c:2816 [inline]
__pcs_replace_empty_main+0x373/0x720 mm/slub.c:4651
alloc_from_pcs mm/slub.c:4749 [inline]
slab_alloc_node mm/slub.c:4883 [inline]
__kmalloc_cache_noprof+0x44e/0x690 mm/slub.c:5410
kmalloc_noprof include/linux/slab.h:950 [inline]
usb_control_msg+0x73/0x3e0 drivers/usb/core/message.c:157
get_port_status drivers/usb/core/hub.c:607 [inline]
hub_ext_port_status+0x116/0x820 drivers/usb/core/hub.c:624
usb_hub_port_status drivers/usb/core/hub.c:674 [inline]
hub_activate+0x6eb/0x1a80 drivers/usb/core/hub.c:1185
process_one_work+0x9a3/0x1710 kernel/workqueue.c:3312
process_scheduled_works kernel/workqueue.c:3403 [inline]
worker_thread+0xba8/0x11e0 kernel/workqueue.c:3489
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
page last free pid 10 tgid 10 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1402 [inline]
__free_frozen_pages+0xf9b/0x10f0 mm/page_alloc.c:2943
vfree+0x251/0x3b0 mm/vmalloc.c:3472
delayed_vfree_work+0x55/0x80 mm/vmalloc.c:3392
process_one_work+0x9a3/0x1710 kernel/workqueue.c:3312
process_scheduled_works kernel/workqueue.c:3403 [inline]
worker_thread+0xba8/0x11e0 kernel/workqueue.c:3489
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Memory state around the buggy address:
ffff888025619e00: fa fc fc fc fa fc fc fc 00 fc fc fc fa fc fc fc
ffff888025619e80: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
>ffff888025619f00: fa fc fc fc 06 fc fc fc fa fc fc fc 00 fc fc fc
^
ffff888025619f80: 07 fc fc fc 07 fc fc fc 07 fc fc fc 07 fc fc fc
ffff88802561a000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Tested on:
commit: 39704f00 Add linux-next specific files for 20260427
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15516f02580000
kernel config: https://syzkaller.appspot.com/x/.config?x=dea2372337a7c0e
dashboard link: https://syzkaller.appspot.com/bug?extid=9eebf5f6544c5e873858
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=14adb2d2580000
* [PATCH] hwmon: prevent packets from going to driver for probe
From: Edward Adam Davis @ 2026-04-28 4:12 UTC (permalink / raw)
To: syzbot+9eebf5f6544c5e873858
Cc: bentiss, jikos, linux-input, linux-kernel, linux-usb,
syzkaller-bugs
A race condition exists between hid_input_report() and the point
immediately following the execution of hid_device_io_start() within
corsairpsu_probe(). If the probe operation fails after "io start" has
been initiated, this race condition will result in a uaf vulnerability
[1].
CPU0                                    CPU1
====                                    ====
corsairpsu_probe()
  hid_device_io_start()
    ... unlock driver_input_lock
  hid_hw_stop()
    kfree(hidraw)                       __hid_input_report()
                                          ... acquire driver_input_lock
                                          hid_report_raw_event()
                                            hidraw_report_event()
                                              ... access hidraw's list_lock // trigger uaf
Consequently, when corsairpsu_probe() fails and hid_hw_stop() needs to
be executed, the io_started flag is first cleared while holding the
driver_input_lock to prevent potential race conditions involving input
reports.
[1]
BUG: KASAN: slab-use-after-free in rt_spin_lock+0x83/0x400 kernel/locking/spinlock_rt.c:56
Call Trace:
hidraw_report_event+0x5d/0x3a0 drivers/hid/hidraw.c:577
hid_report_raw_event+0x311/0x1730 drivers/hid/hid-core.c:2076
__hid_input_report drivers/hid/hid-core.c:2152 [inline]
hid_input_report+0x44e/0x580 drivers/hid/hid-core.c:2174
hid_irq_in+0x47e/0x6d0 drivers/hid/usbhid/hid-core.c:286
__usb_hcd_giveback_urb+0x3b3/0x5e0 drivers/usb/core/hcd.c:1657
dummy_timer+0x8a9/0x47d0 drivers/usb/gadget/udc/dummy_hcd.c:2005
Allocated by task 10:
hidraw_connect+0x57/0x430 drivers/hid/hidraw.c:606
hid_connect+0x5bf/0x19d0 drivers/hid/hid-core.c:2277
hid_hw_start+0xa8/0x120 drivers/hid/hid-core.c:2387
corsairpsu_probe+0xd9/0x3c0 drivers/hwmon/corsair-psu.c:782
Freed by task 10:
hidraw_disconnect+0x4f/0x60 drivers/hid/hidraw.c:662
hid_disconnect drivers/hid/hid-core.c:2362 [inline]
hid_hw_stop+0x101/0x1e0 drivers/hid/hid-core.c:2407
corsairpsu_probe+0x327/0x3c0 drivers/hwmon/corsair-psu.c:826
Fixes: d115b51e0e56 ("hwmon: add Corsair PSU HID controller driver")
Reported-by: syzbot+9eebf5f6544c5e873858@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9eebf5f6544c5e873858
Tested-by: syzbot+9eebf5f6544c5e873858@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
drivers/hwmon/corsair-psu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/hwmon/corsair-psu.c b/drivers/hwmon/corsair-psu.c
index dddbd2463f8d..4e766bf32189 100644
--- a/drivers/hwmon/corsair-psu.c
+++ b/drivers/hwmon/corsair-psu.c
@@ -823,6 +823,7 @@ static int corsairpsu_probe(struct hid_device *hdev, const struct hid_device_id
fail_and_close:
hid_hw_close(hdev);
fail_and_stop:
+ hid_device_io_stop(hdev);
hid_hw_stop(hdev);
return ret;
}
--
2.43.0
* Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event
From: Hillf Danton @ 2026-04-28 8:00 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
> Date: Sun, 26 Apr 2026 20:28:32 -0700
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 7080e32d3f09 Add linux-next specific files for 20260424
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=13d8b2d2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d941ac7f11ceb230
> dashboard link: https://syzkaller.appspot.com/bug?extid=9eebf5f6544c5e873858
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14d309ba580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13a082ce580000
#syz test
--- x/drivers/hid/hid-core.c
+++ y/drivers/hid/hid-core.c
@@ -2404,8 +2404,8 @@ EXPORT_SYMBOL_GPL(hid_hw_start);
*/
void hid_hw_stop(struct hid_device *hdev)
{
- hid_disconnect(hdev);
hdev->ll_driver->stop(hdev);
+ hid_disconnect(hdev);
}
EXPORT_SYMBOL_GPL(hid_hw_stop);
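Review bot: Moving `hid_disconnect(hdev);` after `hdev->ll_driver->stop(hdev);` leaves hidraw, hiddev and input registered while the transport is already stopped, so a userspace open in that window reaches the low-level driver (hid_hw_power → usbhid_power) on a torn-down device; the syzbot result for this patch in the thread shows exactly that path. The reorder is only sound if every ll_driver callback reachable from userspace tolerates the stopped state, which this hunk does not establish, and the new ordering deserves a comment at the call site, e.g. `/* stop the transport first so no input report is in flight when the hidraw/hiddev objects are freed */`. The same hunk is repeated unchanged in the two later `#syz test` patches in this thread, so the point applies to those as well.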
--- x/drivers/hid/usbhid/hid-core.c
+++ y/drivers/hid/usbhid/hid-core.c
@@ -279,6 +279,8 @@ static void hid_irq_in(struct urb *urb)
switch (urb->status) {
case 0: /* success */
usbhid->retry_delay = 0;
+ if (test_bit(HID_DISCONNECTED, &usbhid->iofl))
+ return;
if (!test_bit(HID_OPENED, &usbhid->iofl))
break;
usbhid_mark_busy(usbhid);
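Review bot: The new `test_bit(HID_DISCONNECTED, ...)` early return covers only the `case 0` branch, so completions with any other status still fall through to the retry and resubmit handling below the switch once disconnect has begun; whether that is safe depends on usbhid_stop() killing the URB, which is outside this hunk. The test is also unordered with respect to whoever sets the bit, so it can only be a best-effort cut-off and should say so, e.g. `/* best effort: a report completing after disconnect began must not reach hid_input_report() */`. hid_irq_in continues outside the hunk; the same hunk appears in the two later test patches in this thread.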
@@ -1278,6 +1280,15 @@ static int usbhid_power(struct hid_devic
struct usbhid_device *usbhid = hid->driver_data;
int r = 0;
+ mutex_lock(&usbhid->mutex);
+
+ r = -ENODEV;
+ if (test_bit(HID_DISCONNECTED, &usbhid->iofl))
+ goto out;
+ if (!test_bit(HID_STARTED, &usbhid->iofl))
+ goto out;
+
+ r = 0;
switch (lvl) {
case PM_HINT_FULLON:
r = usb_autopm_get_interface(usbhid->intf);
@@ -1287,6 +1298,8 @@ static int usbhid_power(struct hid_devic
usb_autopm_put_interface(usbhid->intf);
break;
}
+out:
+ mutex_unlock(&usbhid->mutex);
return r;
}
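Review bot: `mutex_lock(&usbhid->mutex);` dereferences `hid->driver_data` before anything establishes that the usbhid object is still alive, and the syzbot run of this patch reports lockdep's "trying to register non-static key" from this line, which is what locking an uninitialized or already-freed mutex looks like; the later run without the mutex confirms `usbhid` itself has been freed by then. A guard inside usbhid_power cannot protect against that, because the flags it reads live in the object that is gone; presumably the liveness check has to be made on an object the caller still holds (the hid_device or hidraw's own per-device state) before the low-level driver is entered. Minor: with the `goto out` path, the `int r = 0;` initializer and the `r = -ENODEV; ... r = 0;` sequence can be reduced to `if (cond) { r = -ENODEV; goto out; }`.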
--
^ permalink raw reply [flat|nested] 20+ messages in thread* Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event
2026-04-28 8:00 ` [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event Hillf Danton
@ 2026-04-28 8:51 ` syzbot
0 siblings, 0 replies; 20+ messages in thread
From: syzbot @ 2026-04-28 8:51 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: trying to register non-static key in usbhid_power
INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
CPU: 1 UID: 0 PID: 6580 Comm: syz.2.19 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
assign_lock_key+0x133/0x150 kernel/locking/lockdep.c:986
register_lock_class+0xcc/0x2e0 kernel/locking/lockdep.c:1301
__lock_acquire+0xad/0x2cf0 kernel/locking/lockdep.c:5114
lock_acquire+0x106/0x350 kernel/locking/lockdep.c:5870
__mutex_lock_common kernel/locking/rtmutex_api.c:534 [inline]
mutex_lock_nested+0x5a/0x1d0 kernel/locking/rtmutex_api.c:553
usbhid_power+0x56/0x190 drivers/hid/usbhid/hid-core.c:1283
hid_hw_power include/linux/hid.h:1239 [inline]
hidraw_open+0x24d/0x8a0 drivers/hid/hidraw.c:302
chrdev_open+0x4d0/0x5f0 fs/char_dev.c:411
do_dentry_open+0x83d/0x13e0 fs/open.c:947
vfs_open+0x3b/0x350 fs/open.c:1079
do_open fs/namei.c:4699 [inline]
path_openat+0x2e43/0x38a0 fs/namei.c:4858
do_file_open+0x23e/0x4a0 fs/namei.c:4887
do_sys_openat2+0x113/0x200 fs/open.c:1364
do_sys_open fs/open.c:1370 [inline]
__do_sys_openat fs/open.c:1386 [inline]
__se_sys_openat fs/open.c:1381 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1381
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fce44f9d60e
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007fce4463db28 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fce4463e6c0 RCX: 00007fce44f9d60e
RDX: 0000000000000002 RSI: 00007fce4463dc00 RDI: ffffffffffffff9c
RBP: 00007fce4463dc00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: cccccccccccccccd
R13: 00007fce45256038 R14: 00007fce45255fa0 R15: 00007ffd81c3c108
</TASK>
Tested on:
commit: 39704f00 Add linux-next specific files for 20260427
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11dc1896580000
kernel config: https://syzkaller.appspot.com/x/.config?x=dea2372337a7c0e
dashboard link: https://syzkaller.appspot.com/bug?extid=9eebf5f6544c5e873858
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=175e0a73980000
* Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event
2026-04-27 3:28 [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event syzbot
` (7 preceding siblings ...)
2026-04-28 8:00 ` [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event Hillf Danton
@ 2026-04-28 11:33 ` Hillf Danton
2026-04-28 12:03 ` syzbot
2026-04-28 20:27 ` Hillf Danton
9 siblings, 1 reply; 20+ messages in thread
From: Hillf Danton @ 2026-04-28 11:33 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
> Date: Sun, 26 Apr 2026 20:28:32 -0700
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 7080e32d3f09 Add linux-next specific files for 20260424
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=13d8b2d2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d941ac7f11ceb230
> dashboard link: https://syzkaller.appspot.com/bug?extid=9eebf5f6544c5e873858
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14d309ba580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13a082ce580000
#syz test
--- x/drivers/hid/hid-core.c
+++ y/drivers/hid/hid-core.c
@@ -2404,8 +2404,8 @@ EXPORT_SYMBOL_GPL(hid_hw_start);
*/
void hid_hw_stop(struct hid_device *hdev)
{
- hid_disconnect(hdev);
hdev->ll_driver->stop(hdev);
+ hid_disconnect(hdev);
}
EXPORT_SYMBOL_GPL(hid_hw_stop);
--- x/drivers/hid/usbhid/hid-core.c
+++ y/drivers/hid/usbhid/hid-core.c
@@ -279,6 +279,8 @@ static void hid_irq_in(struct urb *urb)
switch (urb->status) {
case 0: /* success */
usbhid->retry_delay = 0;
+ if (test_bit(HID_DISCONNECTED, &usbhid->iofl))
+ return;
if (!test_bit(HID_OPENED, &usbhid->iofl))
break;
usbhid_mark_busy(usbhid);
@@ -1278,6 +1280,11 @@ static int usbhid_power(struct hid_devic
struct usbhid_device *usbhid = hid->driver_data;
int r = 0;
+ if (test_bit(HID_DISCONNECTED, &usbhid->iofl))
+ return -ENODEV;
+ if (!test_bit(HID_STARTED, &usbhid->iofl))
+ return -ENODEV;
+
switch (lvl) {
case PM_HINT_FULLON:
r = usb_autopm_get_interface(usbhid->intf);
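Review bot: The two `test_bit(..., &usbhid->iofl)` guards read `usbhid` (`hid->driver_data`) without anything keeping it allocated, and the syzbot result for this patch reports the use-after-free at exactly that read in usbhid_power, with the memory already reused by an skb. A flag stored in freed memory cannot signal disconnect; the check has to happen where the caller still holds a live object, presumably in hidraw_open before it calls `hid_hw_power()`, under whatever lock serializes it against hidraw_disconnect. If the checks are kept, a comment should state what they are ordered against, e.g. `/* HID_DISCONNECTED/HID_STARTED are only meaningful while usbhid is alive; see usbhid_stop() */`. usbhid_power continues outside the hunk.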
--
^ permalink raw reply [flat|nested] 20+ messages in thread* Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event
2026-04-28 11:33 ` Hillf Danton
@ 2026-04-28 12:03 ` syzbot
0 siblings, 0 replies; 20+ messages in thread
From: syzbot @ 2026-04-28 12:03 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in usbhid_power
=========================================================[ 164.792757][ T6670] ==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:82 [inline]
BUG: KASAN: slab-use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: slab-use-after-free in usbhid_power+0x56/0x170 drivers/hid/usbhid/hid-core.c:1283
Read of size 8 at addr ffff88805a2e6988 by task syz.3.20/6670
CPU: 0 UID: 0 PID: 6670 Comm: syz.3.20 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description+0x55/0x1e0 mm/kasan/report.c:378
print_report+0x58/0x70 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200
instrument_atomic_read include/linux/instrumented.h:82 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
usbhid_power+0x56/0x170 drivers/hid/usbhid/hid-core.c:1283
hid_hw_power include/linux/hid.h:1239 [inline]
hidraw_open+0x24d/0x8a0 drivers/hid/hidraw.c:302
chrdev_open+0x4d0/0x5f0 fs/char_dev.c:411
do_dentry_open+0x83d/0x13e0 fs/open.c:947
vfs_open+0x3b/0x350 fs/open.c:1079
do_open fs/namei.c:4699 [inline]
path_openat+0x2e43/0x38a0 fs/namei.c:4858
do_file_open+0x23e/0x4a0 fs/namei.c:4887
do_sys_openat2+0x113/0x200 fs/open.c:1364
do_sys_open fs/open.c:1370 [inline]
__do_sys_openat fs/open.c:1386 [inline]
__se_sys_openat fs/open.c:1381 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1381
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6b2f1ad60e
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f6b2e84db28 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f6b2e84e6c0 RCX: 00007f6b2f1ad60e
RDX: 0000000000000002 RSI: 00007f6b2e84dc00 RDI: ffffffffffffff9c
RBP: 00007f6b2e84dc00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: cccccccccccccccd
R13: 00007f6b2f466038 R14: 00007f6b2f465fa0 R15: 00007fff63a84eb8
</TASK>
Allocated by task 16:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
unpoison_slab_object mm/kasan/common.c:340 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4569 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
kmem_cache_alloc_node_noprof+0x22a/0x6e0 mm/slub.c:4950
kmalloc_reserve net/core/skbuff.c:613 [inline]
__alloc_skb+0x27d/0x7d0 net/core/skbuff.c:713
skb_copy+0x188/0x800 net/core/skbuff.c:2182
mac80211_hwsim_tx_frame_no_nl+0xe82/0x1650 drivers/net/wireless/virtual/mac80211_hwsim.c:1991
mac80211_hwsim_tx_frame+0x1b5/0x200 drivers/net/wireless/virtual/mac80211_hwsim.c:2400
mac80211_hwsim_beacon_tx+0x3e8/0x870 drivers/net/wireless/virtual/mac80211_hwsim.c:2501
__iterate_interfaces+0x2ab/0x590 net/mac80211/util.c:772
ieee80211_iterate_active_interfaces_atomic+0xdb/0x180 net/mac80211/util.c:808
mac80211_hwsim_beacon+0xbb/0x180 drivers/net/wireless/virtual/mac80211_hwsim.c:2531
__run_hrtimer kernel/time/hrtimer.c:1930 [inline]
__hrtimer_run_queues+0x405/0xb10 kernel/time/hrtimer.c:1994
hrtimer_run_softirq+0x18f/0x260 kernel/time/hrtimer.c:2011
handle_softirqs+0x1de/0x6d0 kernel/softirq.c:626
__do_softirq kernel/softirq.c:660 [inline]
run_ktimerd+0x69/0x100 kernel/softirq.c:1155
smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 1510:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2689 [inline]
slab_free mm/slub.c:6246 [inline]
kfree+0x1c5/0x6c0 mm/slub.c:6561
skb_kfree_head net/core/skbuff.c:1075 [inline]
skb_free_head net/core/skbuff.c:1087 [inline]
skb_release_data+0x828/0xa60 net/core/skbuff.c:1114
skb_release_all net/core/skbuff.c:1189 [inline]
__kfree_skb+0x5d/0x210 net/core/skbuff.c:1203
ieee80211_iface_work+0xbdb/0x1390 net/mac80211/iface.c:1851
cfg80211_wiphy_work+0x2cf/0x460 net/wireless/core.c:513
process_one_work+0x9a3/0x1710 kernel/workqueue.c:3312
process_scheduled_works kernel/workqueue.c:3403 [inline]
worker_thread+0xba8/0x11e0 kernel/workqueue.c:3489
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff88805a2e6700
which belongs to the cache skbuff_small_head of size 704
The buggy address is located 648 bytes inside of
freed 704-byte region [ffff88805a2e6700, ffff88805a2e69c0)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5a2e4
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88801dac5c80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800130013 00000000f5000000 0000000000000000
head: 0080000000000040 ffff88801dac5c80 dead000000000100 dead000000000122
head: 0000000000000000 0000000800130013 00000000f5000000 0000000000000000
head: 0080000000000002 ffffffffffffff01 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6675, tgid 6675 (udevd), ts 163875825764, free_ts 163818248807
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1858
prep_new_page mm/page_alloc.c:1866 [inline]
get_page_from_freelist+0x27d6/0x2850 mm/page_alloc.c:3946
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5226
alloc_slab_page mm/slub.c:3278 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3467
new_slab mm/slub.c:3525 [inline]
refill_objects+0x33c/0x3d0 mm/slub.c:7251
refill_sheaf mm/slub.c:2816 [inline]
__pcs_replace_empty_main+0x373/0x720 mm/slub.c:4651
alloc_from_pcs mm/slub.c:4749 [inline]
slab_alloc_node mm/slub.c:4883 [inline]
kmem_cache_alloc_node_noprof+0x4f4/0x6e0 mm/slub.c:4950
kmalloc_reserve net/core/skbuff.c:613 [inline]
__alloc_skb+0x27d/0x7d0 net/core/skbuff.c:713
netlink_sendmsg+0x5d4/0xb40 net/netlink/af_netlink.c:1869
sock_sendmsg_nosec+0x112/0x150 net/socket.c:797
__sock_sendmsg net/socket.c:812 [inline]
____sys_sendmsg+0x55c/0x870 net/socket.c:2716
___sys_sendmsg+0x2a5/0x360 net/socket.c:2770
__sys_sendmsg net/socket.c:2802 [inline]
__do_sys_sendmsg net/socket.c:2807 [inline]
__se_sys_sendmsg net/socket.c:2805 [inline]
__x64_sys_sendmsg+0x1c3/0x2a0 net/socket.c:2805
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 32 tgid 32 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1402 [inline]
__free_frozen_pages+0xf9b/0x10f0 mm/page_alloc.c:2943
usb_unbind_interface+0x26e/0x910 drivers/usb/core/driver.c:458
device_remove drivers/base/dd.c:621 [inline]
__device_release_driver drivers/base/dd.c:1352 [inline]
device_release_driver_internal+0x4d9/0x870 drivers/base/dd.c:1375
bus_remove_device+0x45a/0x570 drivers/base/bus.c:657
device_del+0x52b/0x900 drivers/base/core.c:3895
usb_disable_device+0x3d4/0x8d0 drivers/usb/core/message.c:1478
usb_disconnect+0x315/0x970 drivers/usb/core/hub.c:2345
hub_port_connect drivers/usb/core/hub.c:5407 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x1cf9/0x4f60 drivers/usb/core/hub.c:5953
process_one_work+0x9a3/0x1710 kernel/workqueue.c:3312
process_scheduled_works kernel/workqueue.c:3403 [inline]
worker_thread+0xbee/0x11e0 kernel/workqueue.c:3489
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Memory state around the buggy address:
ffff88805a2e6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88805a2e6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88805a2e6980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
^
ffff88805a2e6a00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
ffff88805a2e6a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 39704f00 Add linux-next specific files for 20260427
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=161652ce580000
kernel config: https://syzkaller.appspot.com/x/.config?x=dea2372337a7c0e
dashboard link: https://syzkaller.appspot.com/bug?extid=9eebf5f6544c5e873858
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=146a7236580000
* Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event
2026-04-27 3:28 [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event syzbot
` (8 preceding siblings ...)
2026-04-28 11:33 ` Hillf Danton
@ 2026-04-28 20:27 ` Hillf Danton
2026-04-28 21:19 ` syzbot
9 siblings, 1 reply; 20+ messages in thread
From: Hillf Danton @ 2026-04-28 20:27 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
> Date: Sun, 26 Apr 2026 20:28:32 -0700
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 7080e32d3f09 Add linux-next specific files for 20260424
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=13d8b2d2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d941ac7f11ceb230
> dashboard link: https://syzkaller.appspot.com/bug?extid=9eebf5f6544c5e873858
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14d309ba580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13a082ce580000
#syz test
--- x/drivers/hid/hid-core.c
+++ y/drivers/hid/hid-core.c
@@ -2404,8 +2404,8 @@ EXPORT_SYMBOL_GPL(hid_hw_start);
*/
void hid_hw_stop(struct hid_device *hdev)
{
- hid_disconnect(hdev);
hdev->ll_driver->stop(hdev);
+ hid_disconnect(hdev);
}
EXPORT_SYMBOL_GPL(hid_hw_stop);
--- x/drivers/hid/usbhid/hid-core.c
+++ y/drivers/hid/usbhid/hid-core.c
@@ -279,6 +279,8 @@ static void hid_irq_in(struct urb *urb)
switch (urb->status) {
case 0: /* success */
usbhid->retry_delay = 0;
+ if (test_bit(HID_DISCONNECTED, &usbhid->iofl))
+ return;
if (!test_bit(HID_OPENED, &usbhid->iofl))
break;
usbhid_mark_busy(usbhid);
@@ -1278,6 +1280,9 @@ static int usbhid_power(struct hid_devic
struct usbhid_device *usbhid = hid->driver_data;
int r = 0;
+ if (hid->claimed == 0)
+ return -ENODEV;
+
switch (lvl) {
case PM_HINT_FULLON:
r = usb_autopm_get_interface(usbhid->intf);
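Review bot: `if (hid->claimed == 0) return -ENODEV;` reads `claimed` with no lock, and `claimed` is cleared by hid_disconnect(), which this series moves to after `ll_driver->stop()`, so the guard only engages after the transport has already been stopped; the window between `->stop()` and `claimed = 0` remains. It also tests the hid_device rather than `usbhid`, whose lifetime is what the previous syzbot run showed to be the problem, so it helps only if the hid_device outlives `driver_data` on this path — not something the hunk establishes. A comment explaining what state `claimed == 0` stands for would make the intent reviewable, e.g. `/* claimed is cleared by hid_disconnect(); treat a disconnected device as gone */`. usbhid_power continues outside the hunk.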
--