On Sun, 10 Aug 2025 19:10:41 +0100, Qasim Ijaz wrote:
After hid_hw_start() is called, hidinput_connect() will eventually be called to set up the device with the input layer, since the HID_CONNECT_DEFAULT connect mask is used. During hidinput_connect(), all input and output reports are processed and corresponding hid_inputs are allocated and configured via hidinput_configure_usages(). This process involves slot tagging report fields and configuring usages by setting relevant bits in the capability bitmaps. However, it is possible that the capability bitmaps are not set at all, causing the subsequent hidinput_has_been_populated() check to fail, which leads to the freeing of the hid_input and the underlying input device.
[...]
Applied to hid/hid.git (for-6.17/upstream-fixes), thanks!
[1/1] HID: asus: fix UAF via HID_CLAIMED_INPUT validation
      https://git.kernel.org/hid/hid/c/d3af6ca9a8c3
Cheers,