Re: [syzbot] [input?] [usb?] KASAN: slab-use-after-free Read in hidraw_report_event
From: Hillf Danton
Date: Tue Apr 28 2026 - 07:41:04 EST
> Date: Sun, 26 Apr 2026 20:28:32 -0700
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 7080e32d3f09 Add linux-next specific files for 20260424
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=13d8b2d2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d941ac7f11ceb230
> dashboard link: https://syzkaller.appspot.com/bug?extid=9eebf5f6544c5e873858
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14d309ba580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13a082ce580000
#syz test
--- x/drivers/hid/hid-core.c
+++ y/drivers/hid/hid-core.c
@@ -2404,8 +2404,8 @@ EXPORT_SYMBOL_GPL(hid_hw_start);
*/
void hid_hw_stop(struct hid_device *hdev)
{
- hid_disconnect(hdev);
hdev->ll_driver->stop(hdev);
+ hid_disconnect(hdev);
}
EXPORT_SYMBOL_GPL(hid_hw_stop);
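Review bot: Swapping the two calls in `hid_hw_stop()` changes teardown order for every transport behind `hdev->ll_driver`, not only usbhid, yet the only callbacks this patch hardens are usbhid's. With `stop()` now first, anything `hid_disconnect()` triggers afterwards through the ll_driver (closing or powering down the device) runs against a transport that has already been stopped. Whether the other transports tolerate that cannot be seen from this hunk and needs an audit before the change lands in common code. The kernel-doc block that ends just above the function should also record the new ordering, for example `* The transport is stopped first so that no report can be delivered while clients such as hidraw are being torn down.`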
--- x/drivers/hid/usbhid/hid-core.c
+++ y/drivers/hid/usbhid/hid-core.c
@@ -279,6 +279,8 @@ static void hid_irq_in(struct urb *urb)
switch (urb->status) {
case 0: /* success */
usbhid->retry_delay = 0;
+ if (test_bit(HID_DISCONNECTED, &usbhid->iofl))
+ return;
if (!test_bit(HID_OPENED, &usbhid->iofl))
break;
usbhid_mark_busy(usbhid);
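Review bot: The new `HID_DISCONNECTED` test in `case 0` is a check-then-use with no lock held in the visible lines, so teardown can set the bit right after the test and the handler still goes on to deliver the report. It narrows the use-after-free window rather than closing it. The reordering in `hid_hw_stop()` in this same patch looks like the actual fix, provided `stop()` kills the in-flight URB before `hid_disconnect()` runs, which is worth confirming. The added path also uses `return` where the neighbouring `HID_OPENED` check uses `break`, so it skips whatever follows the switch (outside this hunk). A comment such as `/* device is going away: drop the report and skip the code after the switch */` would make that intent explicit.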
@@ -1278,6 +1280,11 @@ static int usbhid_power(struct hid_devic
struct usbhid_device *usbhid = hid->driver_data;
int r = 0;
+ if (test_bit(HID_DISCONNECTED, &usbhid->iofl))
+ return -ENODEV;
+ if (!test_bit(HID_STARTED, &usbhid->iofl))
+ return -ENODEV;
+
switch (lvl) {
case PM_HINT_FULLON:
r = usb_autopm_get_interface(usbhid->intf);
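Review bot: The early `-ENODEV` returns sit before `switch (lvl)`, so they reject every power hint, not just `PM_HINT_FULLON`. If a case outside this hunk drops the reference that `usb_autopm_get_interface()` takes here (presumably the `PM_HINT_NORMAL` path), a caller that acquired it before stop and releases it afterwards is now turned away, leaving the interface's PM usage count raised. Consider guarding only the acquiring path by moving `if (test_bit(HID_DISCONNECTED, &usbhid->iofl) || !test_bit(HID_STARTED, &usbhid->iofl)) return -ENODEV;` under `case PM_HINT_FULLON:`, so the release path still runs. The two bit tests are also unsynchronised against teardown in the visible lines, and the body of `usbhid_power()` continues past the hunk.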
--