Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event

Next message: Jakub Kicinski: "Re: [PATCH net-next v3 0/2] Decouple flow operations from RTNL"
Previous message: Jakub Kicinski: "Re: [PATCH net-next v3 1/2] keys, dns: drop unused upayload-&gt;data NUL terminator"
In reply to: syzbot: "Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event"
Next in thread: syzbot: "Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Hillf Danton

Date: Mon Apr 27 2026 - 19:22:23 EST

> Date: Sun, 26 Apr 2026 20:28:32 -0700
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 7080e32d3f09 Add linux-next specific files for 20260424
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=13d8b2d2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d941ac7f11ceb230
> dashboard link: https://syzkaller.appspot.com/bug?extid=9eebf5f6544c5e873858
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14d309ba580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13a082ce580000

#syz test

--- x/drivers/hid/usbhid/hid-core.c
+++ y/drivers/hid/usbhid/hid-core.c
@@ -280,7 +280,7 @@ static void hid_irq_in(struct urb *urb)
case 0: /* success */
usbhid->retry_delay = 0;
if (!test_bit(HID_OPENED, &usbhid->iofl))
- break;
+ return;
usbhid_mark_busy(usbhid);
if (!test_bit(HID_RESUME_RUNNING, &usbhid->iofl)) {
hid_input_report(urb->context, HID_INPUT_REPORT,
--