CVE-2025-38016

In the Linux kernel, the following vulnerability has been resolved:

HID: bpf: abort dispatch if device destroyed

The current HID bpf implementation assumes no output report/request will go through it after hidbpfdestroy_device() has been called. This leads to a bug that unplugging certain types of HID devices causes a cleaned- up SRCU to be accessed. The bug was previously a hidden failure until a recent x86 percpu change [1] made it access not-present pages.

The bug will be triggered if the conditions below are met:

A) a device under the driver has some LEDs on B) hidlldriver->request() is uninplemented (e.g., logitech-djreceiver)

If condition A is met, hidinputledworker() is always scheduled after hidbpfdestroy_device().

hiddestroydevice hid_bpf_destroy_device cleanupsrcustruct(&hdev->bpf.srcu) hid_remove_device ... led_classdev_unregister ledtriggerset(ledcdev, NULL) led_set_brightness(led_cdev, LED_OFF) ... input_inject_event inputeventdispose hidinput_input_event schedulework(&hid->ledwork) [hidinputled_worker]

This is fine when condition B is not met, where hidinputledworker() calls hidlldriver->request(). This is the case for most HID drivers, which implement it or use the generic one from usbhid. The driver itself or an underlying driver will then abort processing the request.

Otherwise, hidinputledworker() tries hidhwoutput_report() and leads to the bug.

hidinputledworker hid_hw_output_report dispatchhidbpfoutputreport srcu_read_lock(&hdev->bpf.srcu) srcureadunlock(&hdev->bpf.srcu, idx)

The bug has existed since the introduction [2] of dispatchhidbpfoutputreport(). However, the same bug also exists in dispatchhidbpfrawrequests(), and I've reproduced (no visible effect because of the lack of [1], but confirmed bpf.destroyed == 1) the bug against the commit (i.e., the Fixes:) introducing the function. This is because hidinputledworker() falls back to hidhwrawrequest() when hidlldriver->outputreport() is uninplemented (e.g., logitech- djreceiver).

hidinputledworker hid_hw_output_report: -ENOSYS hidhwrawrequest dispatch_hid_bpf_raw_requests srcureadlock(&hdev->bpf.srcu) ` srcuread_unlock(&hdev->bpf.srcu, idx)

Fix the issue by returning early in the two mentioned functions if hidbpf has been marked as destroyed. Though dispatchhidbpfdevice_event() handles input events, and there is no evidence that it may be called after the destruction, the same check, as a safety net, is also added to it to maintain the consistency among all dispatch functions.

The impact of the bug on other architectures is unclear. Even if it acts as a hidden failure, this is still dangerous because it corrupts whatever is on the address calculated by SRCU. Thus, CC'ing the stable list.

hidhwoutput_report")