Re: [RFC PATCH] HID: core: quiesce input in hid_hw_stop() to prevent use-after-free

From: Jiri Kosina

Date: Mon Jun 29 2026 - 04:48:55 EST


On Tue, 19 May 2026, Philipp Weber wrote:

> A driver's probe calls hid_device_io_start() to enable input delivery,
> then fails at a later initialization step and unwinds via hid_hw_stop().
> The unwind frees struct hidraw via hidraw_disconnect() while in-flight
> HID reports may still be running on another CPU, dereferencing the
> freed object through hidraw_report_event(). syzbot reports the
> resulting use-after-free for the corsair-psu HID driver.
>
> Edward Adam Davis posted a per-driver fix for corsair-psu that adds
> an explicit hid_device_io_stop() before hid_hw_stop() in the probe
> error path ("hwmon: prevent packets from going to driver for probe",
> 2026-04-28). Auditing the tree shows 15 drivers call
> hid_device_io_start(); 7 also call hid_device_io_stop() and 8 do not:
>
> drivers calling hid_device_io_start() without a matching
> hid_device_io_stop() before hid_hw_stop():
> drivers/hwmon/corsair-psu.c (fix posted by Edward)
> drivers/hwmon/corsair-cpro.c
> drivers/hwmon/nzxt-kraken3.c
> drivers/hwmon/nzxt-smart2.c
> drivers/hwmon/gigabyte_waterforce.c
> drivers/hid/hid-logitech-dj.c
> drivers/hid/hid-nintendo.c
> drivers/hid/hid-mcp2221.c
>
> Roughly half of all callers of the API are exposed. Centralize the
> quiesce in hid_hw_stop() so callers do not have to remember the
> matching stop: if a driver has left hdev->io_started true on entry,
> call hid_device_io_stop() before hid_disconnect().
>
> For the 7 drivers that already call hid_device_io_stop() correctly,
> hdev->io_started is false on entry, the guard short-circuits, and
> behavior is unchanged.
>
> No Fixes: tag because the affected drivers gained their
> hid_device_io_start() calls independently over years; the bug is a
> class-wide API misuse rather than a regression from one commit.
>
> Reported-by: syzbot+9eebf5f6544c5e873858@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=9eebf5f6544c5e873858
> Signed-off-by: Philipp Weber <kernel@xxxxxxx>

Applied, thanks.

--
Jiri Kosina
SUSE Labs
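The lifecycle described in the quoted commit message, as an added user-space model; this is not the kernel's code or the patch itself. The names hid_device_io_start(), hid_device_io_stop(), hid_hw_stop(), hidraw_disconnect() and the io_started flag mirror the ones named above, but their bodies are constructed for this illustration, the single bool input_gate_open stands in for the lock the core uses to gate report delivery, and the scenario function probe_error_path() and its counters are assumptions of the model. A report that arrives after the hidraw object has been freed while the gate is still open is the sequential stand-in for the cross-CPU race syzbot reported.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy object freed by the unwind; "freed" flags later accesses. */
struct hidraw {
	bool freed;
};

struct hid_device {
	bool io_started;      /* mirrors hdev->io_started */
	bool input_gate_open; /* open: reports are forwarded to hidraw */
	struct hidraw *hidraw;
	int delivered;        /* reports forwarded while the gate was open */
	int dropped;          /* reports rejected because the gate was closed */
	int uaf_hits;         /* reports that reached an already-freed hidraw */
};

void hid_device_io_start(struct hid_device *hdev)
{
	hdev->input_gate_open = true;
	hdev->io_started = true;
}

/* In the kernel this waits for an in-flight report handler to return;
 * the single-threaded model simply closes the gate. */
void hid_device_io_stop(struct hid_device *hdev)
{
	hdev->input_gate_open = false;
	hdev->io_started = false;
}

/* Stand-in for hidraw_disconnect(): the object is gone after this. */
static void hidraw_disconnect(struct hid_device *hdev)
{
	hdev->hidraw->freed = true;
	hdev->hidraw = NULL;
}

/* Report path as seen from another CPU. `raw` is the pointer the report
 * handler captured before the unwind ran, which is why it can still be
 * dereferenced after the free. */
void hid_input_report(struct hid_device *hdev, struct hidraw *raw)
{
	if (!hdev->input_gate_open) {
		hdev->dropped++;
		return;
	}
	hdev->delivered++;
	if (raw->freed)
		hdev->uaf_hits++; /* hidraw_report_event() on freed memory */
}

/* hid_hw_stop() with the patch's guard: quiesce first if the driver left
 * io_started set, then tear down. centralized_guard == false models the
 * pre-patch core, which tears down unconditionally. */
void hid_hw_stop(struct hid_device *hdev, bool centralized_guard)
{
	if (centralized_guard && hdev->io_started)
		hid_device_io_stop(hdev);
	hidraw_disconnect(hdev); /* reached via hid_disconnect() in the kernel */
}

/* A probe that enables input early, then fails a later init step and
 * unwinds. Returns how many reports touched freed memory; 0 is safe. */
int probe_error_path(bool driver_calls_io_stop, bool centralized_guard)
{
	struct hidraw raw = { .freed = false };
	struct hid_device dev = { .hidraw = &raw };

	hid_device_io_start(&dev);    /* driver enables input delivery */
	hid_input_report(&dev, &raw); /* a report lands while probe runs */

	/* ... a later initialization step fails; unwind: */
	if (driver_calls_io_stop)
		hid_device_io_stop(&dev); /* the explicit per-driver fix */
	hid_hw_stop(&dev, centralized_guard);

	hid_input_report(&dev, &raw); /* report racing with the unwind */
	return dev.uaf_hits;
}

int main(void)
{
	printf("no io_stop, old core: uaf_hits=%d\n", probe_error_path(false, false));
	printf("no io_stop, new core: uaf_hits=%d\n", probe_error_path(false, true));
	printf("io_stop,    new core: uaf_hits=%d\n", probe_error_path(true, true));
	return 0;
}
```

The three runs in main() correspond to the three cases in the commit message: a driver from the list of 8 on the old core hits the freed object, the same driver on the patched core is quiesced by the guard, and one of the 7 drivers that already calls hid_device_io_stop() enters hid_hw_stop() with io_started false, so the guard short-circuits and behaviour is unchanged.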