[PATCH 1/6] HID: input: delete hid_battery on disconnect

Next message: James Ye: "[PATCH 2/6] HID: asus: check feature reports when determining is_vendor"
Previous message: James Ye: "[PATCH 0/6] HID: asus: add support for T3304 keyboard"
In reply to: James Ye: "[PATCH 0/6] HID: asus: add support for T3304 keyboard"
Next in thread: James Ye: "[PATCH 2/6] HID: asus: check feature reports when determining is_vendor"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: James Ye

Date: Sun May 03 2026 - 03:27:07 EST

This fixes a use-after-free when an HID device containing a battery is
disconnected then reconnected, such as due to binding to a different
driver.

BUG: KASAN: slab-use-after-free in hidinput_setup_battery.isra.0+0x15a/0x9db [hid]

Signed-off-by: James Ye <jye836@xxxxxxxxx>
---
drivers/hid/hid-input.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
index d73cfa2e73d3..ae0e11c61eb8 100644
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -2408,6 +2408,7 @@ EXPORT_SYMBOL_GPL(hidinput_connect);
void hidinput_disconnect(struct hid_device *hid)
{
struct hid_input *hidinput, *next;
+ struct hid_battery *bat, *bat_next;

list_for_each_entry_safe(hidinput, next, &hid->inputs, list) {
list_del(&hidinput->list);
@@ -2419,6 +2420,10 @@ void hidinput_disconnect(struct hid_device *hid)
kfree(hidinput);
}

+ list_for_each_entry_safe(bat, bat_next, &hid->batteries, list) {
+ list_del(&bat->list);
+ }
+
/* led_work is spawned by input_dev callbacks, but doesn't access the
* parent input_dev at all. Once all input devices are removed, we
* know that led_work will never get restarted, so we can cancel it
--
2.54.0