{"id":"CVE-2025-38016","summary":"HID: bpf: abort dispatch if device destroyed","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: bpf: abort dispatch if device destroyed\n\nThe current HID bpf implementation assumes no output report/request will\ngo through it after hid_bpf_destroy_device() has been called. This leads\nto a bug that unplugging certain types of HID devices causes a cleaned-\nup SRCU to be accessed. The bug was previously a hidden failure until a\nrecent x86 percpu change [1] made it access not-present pages.\n\nThe bug will be triggered if the conditions below are met:\n\nA) a device under the driver has some LEDs on\nB) hid_ll_driver-\u003erequest() is unimplemented (e.g., logitech-djreceiver)\n\nIf condition A is met, hidinput_led_worker() is always scheduled *after*\nhid_bpf_destroy_device().\n\nhid_destroy_device\n` hid_bpf_destroy_device\n  ` cleanup_srcu_struct(&hdev-\u003ebpf.srcu)\n` hid_remove_device\n  ` ...\n    ` led_classdev_unregister\n      ` led_trigger_set(led_cdev, NULL)\n        ` led_set_brightness(led_cdev, LED_OFF)\n          ` ...\n            ` input_inject_event\n              ` input_event_dispose\n                ` hidinput_input_event\n                  ` schedule_work(&hid-\u003eled_work) [hidinput_led_worker]\n\nThis is fine when condition B is not met, where hidinput_led_worker()\ncalls hid_ll_driver-\u003erequest(). This is the case for most HID drivers,\nwhich implement it or use the generic one from usbhid. The driver itself\nor an underlying driver will then abort processing the request.\n\nOtherwise, hidinput_led_worker() tries hid_hw_output_report() and leads\nto the bug.\n\nhidinput_led_worker\n` hid_hw_output_report\n  ` dispatch_hid_bpf_output_report\n    ` srcu_read_lock(&hdev-\u003ebpf.srcu)\n    ` srcu_read_unlock(&hdev-\u003ebpf.srcu, idx)\n\nThe bug has existed since the introduction [2] of\ndispatch_hid_bpf_output_report(). 
However, the same bug also exists in\ndispatch_hid_bpf_raw_requests(), and I've reproduced (no visible effect\nbecause of the lack of [1], but confirmed bpf.destroyed == 1) the bug\nagainst the commit (i.e., the Fixes:) introducing the function. This is\nbecause hidinput_led_worker() falls back to hid_hw_raw_request() when\nhid_ll_driver-\u003eoutput_report() is unimplemented (e.g., logitech-\ndjreceiver).\n\nhidinput_led_worker\n` hid_hw_output_report: -ENOSYS\n` hid_hw_raw_request\n  ` dispatch_hid_bpf_raw_requests\n    ` srcu_read_lock(&hdev-\u003ebpf.srcu)\n    ` srcu_read_unlock(&hdev-\u003ebpf.srcu, idx)\n\nFix the issue by returning early in the two mentioned functions if\nhid_bpf has been marked as destroyed. Though\ndispatch_hid_bpf_device_event() handles input events, and there is no\nevidence that it may be called after the destruction, the same check, as\na safety net, is also added to it to maintain the consistency among all\ndispatch functions.\n\nThe impact of the bug on other architectures is unclear. Even if it acts\nas a hidden failure, this is still dangerous because it corrupts\nwhatever is on the address calculated by SRCU. 
Thus, CC'ing the stable\nlist.\n\n[1]: commit 9d7de2aa8b41 (\"x86/percpu/64: Use relative percpu offsets\")\n[2]: commit 9286675a2aed (\"HID: bpf: add HID-BPF hooks for\nhid_hw_output_report\")","modified":"2026-04-02T12:47:44.843225Z","published":"2025-06-18T09:28:24.883Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38016.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/578e1b96fad7402ff7e9c7648c8f1ad0225147c8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e4b4fe25a4101d1ddb5884f40e149a3618983b66"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f8544be7e8e55b0ef23e1ab90e23e8d4d4aad3d3"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38016.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38016"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"8bd0488b5ea58655ad6fdcbe0408ef49b16882b1"},{"fixed":"f8544be7e8e55b0ef23e1ab90e23e8d4d4aad3d3"},{"fixed":"e4b4fe25a4101d1ddb5884f40e149a3618983b66"},{"fixed":"578e1b96fad7402ff7e9c7648c8f1ad0225147c8"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38016.json"}}],"schema_version":"1.7.5"}