Re: [PATCH] HID: hid-sensor-custom: Fix sysfs group leak on failure

From: Jiri Kosina

Date: Mon Jun 29 2026 - 05:33:54 EST


On Tue, 23 Jun 2026, Haoxiang Li wrote:

> hid_sensor_custom_add_attributes() creates one sysfs group for each
> custom sensor field. If sysfs_create_group() fails after some groups
> have already been created, the function currently breaks out of the
> loop and returns the error directly.
>
> Fix this by adding a local unwind path when sysfs_create_group() fails.
> The unwind path removes all sysfs groups that were successfully created
> before the failure and frees sensor_inst->fields.
>
> Fixes: 4a7de0519df5 ("HID: sensor: Custom and Generic sensor support")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Haoxiang Li <haoxiang_li2024@xxxxxxx>
> ---
> drivers/hid/hid-sensor-custom.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/hid/hid-sensor-custom.c b/drivers/hid/hid-sensor-custom.c
> index afffea894021..cd676516e6b0 100644
> --- a/drivers/hid/hid-sensor-custom.c
> +++ b/drivers/hid/hid-sensor-custom.c
> @@ -609,7 +609,7 @@ static int hid_sensor_custom_add_attributes(struct hid_sensor_custom
> &sensor_inst->fields[i].
> hid_custom_attribute_group);
> if (ret)
> - break;
> + goto err_remove_groups;
>
> /* For power or report field store indexes */
> if (sensor_inst->fields[i].attribute.attrib_id ==
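
Review bot: The new goto at the `if (ret)` check skips past state that earlier loop iterations may already have saved in the block under the "For power or report field store indexes" comment. Because the new error label goes on to free sensor_inst->fields, whatever that block recorded should be reset on the failure path as well, so that nothing keeps referring to fields that no longer exist.
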
> @@ -621,6 +621,13 @@ static int hid_sensor_custom_add_attributes(struct hid_sensor_custom
> }
>
> return ret;
> +
> +err_remove_groups:
> + while (--i >= 0)
> + sysfs_remove_group(&sensor_inst->pdev->dev.kobj,
> + &sensor_inst->fields[i].hid_custom_attribute_group);
> + kfree(sensor_inst->fields);
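
Review bot: After `kfree(sensor_inst->fields)` under err_remove_groups, the pointer is left dangling; nothing in the visible lines sets it to NULL. If the caller's failure handling or a later remove path frees or walks sensor_inst->fields again, that becomes a double free or use-after-free. Either clear the pointer right after the kfree or leave the free to the code that owns the allocation. It is also worth confirming that i is a signed type, since `while (--i >= 0)` never terminates otherwise.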

I believe Sashiko is right here about the UAF. Could you please fix that
and resubmit?

Thanks,

--
Jiri Kosina
SUSE Labs