Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event
From: Edward Adam Davis
Date: Mon Apr 27 2026 - 09:12:44 EST
#syz test
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 0b588e002834..a688f5edf9fb 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2144,12 +2144,18 @@ static int __hid_input_report(struct hid_device *hid, enum hid_report_type type,
}
if (hdrv && hdrv->raw_event && hid_match_report(hid, report)) {
+ printk("before psu raw event, hid: %p claimed: %u, size: %u, "
+ "data: %p, lk (%p) cnt: %u, %s\n", hid, hid->claimed, size, data,
+ &hid->driver_input_lock,
+ hid->driver_input_lock.count,
+ __func__);
ret = hdrv->raw_event(hid, report, data, size);
if (ret < 0)
goto unlock;
}
ret = hid_report_raw_event(hid, type, data, size, interrupt);
+ printk("after report raw event, hid: %p, ret: %d, %s\n", hid, ret, __func__);
unlock:
if (!lock_already_taken)
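Review bot: The error path out of `hdrv->raw_event` is not traced, because the "after report raw event" print sits above the `unlock:` label and is skipped by the `goto unlock` taken when `ret < 0`. Placing that `printk` directly under `unlock:` would log `ret` on both paths. Separately, `%p` prints hashed values by default, so the `hid` and lock pointers here and in the hid_device_probe and hid_allocate_device hunks can be compared with each other, but not with the raw addresses a KASAN report prints, unless the test kernel boots with `no_hash_pointers`. `driver_input_lock.count` is also read without the semaphore's internal lock in all three hunks, so the value is only a hint; `READ_ONCE(hid->driver_input_lock.count)` would make that explicit. The body of __hid_input_report starts and ends outside the hunk.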
@@ -2818,8 +2824,15 @@ static int hid_device_probe(struct device *dev)
hdev->io_started = false;
clear_bit(ffs(HID_STAT_REPROBED), &hdev->status);
- if (!hdev->driver)
+ if (!hdev->driver) {
+ printk("before hid dev probe, hid: %p claimed: %u, lk (%p) cnt: %u, %s\n",
+ hdev, hdev->claimed,
+ &hdev->driver_input_lock,
+ hdev->driver_input_lock.count,
+ __func__);
ret = __hid_device_probe(hdev, hdrv);
+ printk("after hid dev probe, hid: %p claimed: %u, ret: %d, %s\n", hdev, hdev->claimed, ret, __func__);
+ }
if (!hdev->io_started)
up(&hdev->driver_input_lock);
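Review bot: The trace around `__hid_device_probe` omits `hdev->io_started`, the field that the following `if (!hdev->io_started)` tests to decide whether `up(&hdev->driver_input_lock)` runs. Without it the log cannot show whether this probe path released the semaphore, which is the state the `cnt:` values in the other prints depend on. Adding it to the "after" line would cover that, e.g. `printk("after hid dev probe, hid: %p claimed: %u, io_started: %d, ret: %d, %s\n", hdev, hdev->claimed, hdev->io_started, ret, __func__);`. hid_device_probe's body starts and ends outside the hunk.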
@@ -3002,6 +3015,11 @@ struct hid_device *hid_allocate_device(void)
INIT_LIST_HEAD(&hdev->debug_list);
spin_lock_init(&hdev->debug_list_lock);
sema_init(&hdev->driver_input_lock, 1);
+ printk("before psu raw event, hid: %p claimed: %u, "
+ "lk (%p) cnt: %u, %s\n", hdev, hdev->claimed,
+ &hdev->driver_input_lock,
+ hdev->driver_input_lock.count,
+ __func__);
mutex_init(&hdev->ll_open_lock);
kref_init(&hdev->ref);
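Review bot: The added `printk` is labelled "before psu raw event", text copied from the __hid_input_report hunk, so in the log an allocation is told apart from an input report only by the trailing `__func__`. A label such as `"hid allocate device, hid: %p, lk (%p), %s\n"` would mark it correctly. The `cnt:` value printed here is whatever `sema_init(&hdev->driver_input_lock, 1)` on the preceding line just set, and `claimed` has presumably not been written yet at this point (the allocation itself is outside the hunk), so the two pointers are the only informative fields. hid_allocate_device's body starts and ends outside the hunk.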