Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event

Next message: Bartosz Golaszewski: "[PATCH v16 02/12] dmaengine: qcom: bam_dma: convert tasklet to a BH workqueue"
Previous message: Muchun Song: "Re: [PATCH 2/2] drivers/base/memory: fix memory block reference leak in poison accounting"
In reply to: syzbot: "Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event"
Next in thread: syzbot: "Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Edward Adam Davis

Date: Mon Apr 27 2026 - 05:20:24 EST

#syz test

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 0b588e002834..8739f794d80a 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2144,12 +2144,18 @@ static int __hid_input_report(struct hid_device *hid, enum hid_report_type type,
}

if (hdrv && hdrv->raw_event && hid_match_report(hid, report)) {
+ printk("before psu raw event, hid: %p claimed: %u, size: %u, "
+ "data: %p, %s\n", hid, hid->claimed, size, data,
+ __func__);
ret = hdrv->raw_event(hid, report, data, size);
+ printk("after psu raw event, hid: %p claimed: %u, %s\n",
+ hid, hid->claimed, __func__);
if (ret < 0)
goto unlock;
}

ret = hid_report_raw_event(hid, type, data, size, interrupt);
+ printk("after report raw event, hid: %p, %s\n", hid, __func__);

unlock:
if (!lock_already_taken)
@@ -2818,8 +2824,11 @@ static int hid_device_probe(struct device *dev)
hdev->io_started = false;
clear_bit(ffs(HID_STAT_REPROBED), &hdev->status);

- if (!hdev->driver)
+ if (!hdev->driver) {
+ printk("before hid dev probe, hid: %p, %s\n", hdev, __func__);
ret = __hid_device_probe(hdev, hdrv);
+ printk("after hid dev probe, hid: %p, %s\n", hdev, __func__);
+ }

if (!hdev->io_started)
up(&hdev->driver_input_lock);