Date: Sat, 18 Apr 2020 22:16:32 -0400 (EDT)
From: Alan Stern
To: Julian Squires, Hans de Goede, Jiri Kosina, Benjamin Tissoires, Dmitry Torokhov, syzbot
cc: linux-input@vger.kernel.org, Kernel development list, USB list
Subject: Re: KASAN: use-after-free Read in usbhid_close (3)
In-Reply-To: <000000000000f610e805a39af1d0@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

linux-input people:

syzbot has found a bug related to USB/HID/input, and I have narrowed it down to the wacom driver. As far as I can tell, the problem is caused by the fact that drivers/hid/wacom_sys.c calls input_register_device() in several places, but it never calls input_unregister_device(). I know very little about the input subsystem, but this certainly seems like a bug.

When the device is unplugged, the disconnect pathway doesn't call hid_hw_close(). That routine doesn't get called until the user closes the device file (which can be long after the device is gone and hid_hw_stop() has run). Then usbhid_close() gets a use-after-free error when it tries to access data structures that were deallocated by usbhid_stop().

No doubt there are other problems too, but this is the one that syzbot found.

Can any of you help fix this?

Thanks.

Alan Stern
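
The ordering described in the message above, as an added user-space model in C (not code from the message or from the kernel). Every name is hypothetical, the stale access is counted rather than performed, and closing on behalf of open handles at unregister time is an assumption of the model.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed user-space model; all names are hypothetical, not kernel code. */
struct hw_state { int opens; };      /* stands in for data freed at stop time */

struct model_dev {
    struct hw_state *hw;             /* NULL after model_hw_stop() */
    bool input_registered;           /* input node still routes close to hw */
    int users;                       /* open file handles */
    int stale_closes;                /* closes that arrived after the free */
};

static void model_hw_close(struct model_dev *d) {
    /* A real driver would dereference freed memory here; the model counts it. */
    if (!d->hw) { d->stale_closes++; return; }
    d->hw->opens--;
}

static void model_hw_stop(struct model_dev *d) { free(d->hw); d->hw = NULL; }

static void model_unregister_input(struct model_dev *d) {
    /* Assumption: close for every open handle while hw is still allocated. */
    while (d->users > 0) { d->users--; model_hw_close(d); }
    d->input_registered = false;
}

/* User closes the device file, possibly long after unplug. */
static void model_user_close(struct model_dev *d) {
    if (d->input_registered && d->users > 0) { d->users--; model_hw_close(d); }
}

/* One open, unplug, then a late close; returns the number of stale closes. */
int run_scenario(bool unregister_on_disconnect) {
    struct model_dev d = { calloc(1, sizeof(struct hw_state)), true, 0, 0 };
    if (!d.hw) return -1;
    d.users++; d.hw->opens++;                   /* user opens the device file */
    if (unregister_on_disconnect)
        model_unregister_input(&d);             /* input torn down before stop */
    model_hw_stop(&d);                          /* unplug: state is freed */
    model_user_close(&d);                       /* late close from user space */
    return d.stale_closes;
}

int main(void) {
    /* Exit status 0 when the model shows 1 stale close without unregistering, 0 with it. */
    return !(run_scenario(false) == 1 && run_scenario(true) == 0);
}
```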