CVE-2025-38016 (GCVE-0-2025-38016)
Vulnerability from cvelistv5
Published
2025-06-18 09:28
Modified
2025-06-18 09:28
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: HID: bpf: abort dispatch if device destroyed The current HID bpf implementation assumes no output report/request will go through it after hid_bpf_destroy_device() has been called. This leads to a bug that unplugging certain types of HID devices causes a cleaned- up SRCU to be accessed. The bug was previously a hidden failure until a recent x86 percpu change [1] made it access not-present pages. The bug will be triggered if the conditions below are met: A) a device under the driver has some LEDs on B) hid_ll_driver->request() is uninplemented (e.g., logitech-djreceiver) If condition A is met, hidinput_led_worker() is always scheduled *after* hid_bpf_destroy_device(). hid_destroy_device ` hid_bpf_destroy_device ` cleanup_srcu_struct(&hdev->bpf.srcu) ` hid_remove_device ` ... ` led_classdev_unregister ` led_trigger_set(led_cdev, NULL) ` led_set_brightness(led_cdev, LED_OFF) ` ... ` input_inject_event ` input_event_dispose ` hidinput_input_event ` schedule_work(&hid->led_work) [hidinput_led_worker] This is fine when condition B is not met, where hidinput_led_worker() calls hid_ll_driver->request(). This is the case for most HID drivers, which implement it or use the generic one from usbhid. The driver itself or an underlying driver will then abort processing the request. Otherwise, hidinput_led_worker() tries hid_hw_output_report() and leads to the bug. hidinput_led_worker ` hid_hw_output_report ` dispatch_hid_bpf_output_report ` srcu_read_lock(&hdev->bpf.srcu) ` srcu_read_unlock(&hdev->bpf.srcu, idx) The bug has existed since the introduction [2] of dispatch_hid_bpf_output_report(). However, the same bug also exists in dispatch_hid_bpf_raw_requests(), and I've reproduced (no visible effect because of the lack of [1], but confirmed bpf.destroyed == 1) the bug against the commit (i.e., the Fixes:) introducing the function. This is because hidinput_led_worker() falls back to hid_hw_raw_request() when hid_ll_driver->output_report() is uninplemented (e.g., logitech- djreceiver). hidinput_led_worker ` hid_hw_output_report: -ENOSYS ` hid_hw_raw_request ` dispatch_hid_bpf_raw_requests ` srcu_read_lock(&hdev->bpf.srcu) ` srcu_read_unlock(&hdev->bpf.srcu, idx) Fix the issue by returning early in the two mentioned functions if hid_bpf has been marked as destroyed. Though dispatch_hid_bpf_device_event() handles input events, and there is no evidence that it may be called after the destruction, the same check, as a safety net, is also added to it to maintain the consistency among all dispatch functions. The impact of the bug on other architectures is unclear. Even if it acts as a hidden failure, this is still dangerous because it corrupts whatever is on the address calculated by SRCU. Thus, CC'ing the stable list. [1]: commit 9d7de2aa8b41 ("x86/percpu/64: Use relative percpu offsets") [2]: commit 9286675a2aed ("HID: bpf: add HID-BPF hooks for hid_hw_output_report")
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/578e1b96fad7402ff7e9c7648c8f1ad0225147c8
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e4b4fe25a4101d1ddb5884f40e149a3618983b66
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f8544be7e8e55b0ef23e1ab90e23e8d4d4aad3d3
Impacted products
Vendor Product Version
Linux Linux Version: 8bd0488b5ea58655ad6fdcbe0408ef49b16882b1
Version: 8bd0488b5ea58655ad6fdcbe0408ef49b16882b1
Version: 8bd0488b5ea58655ad6fdcbe0408ef49b16882b1
 Create a notification for this product.
   Linux Linux Version: 6.11
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/bpf/hid_bpf_dispatch.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f8544be7e8e55b0ef23e1ab90e23e8d4d4aad3d3",
              "status": "affected",
              "version": "8bd0488b5ea58655ad6fdcbe0408ef49b16882b1",
              "versionType": "git"
            },
            {
              "lessThan": "e4b4fe25a4101d1ddb5884f40e149a3618983b66",
              "status": "affected",
              "version": "8bd0488b5ea58655ad6fdcbe0408ef49b16882b1",
              "versionType": "git"
            },
            {
              "lessThan": "578e1b96fad7402ff7e9c7648c8f1ad0225147c8",
              "status": "affected",
              "version": "8bd0488b5ea58655ad6fdcbe0408ef49b16882b1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/bpf/hid_bpf_dispatch.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.30",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.8",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: bpf: abort dispatch if device destroyed\n\nThe current HID bpf implementation assumes no output report/request will\ngo through it after hid_bpf_destroy_device() has been called. This leads\nto a bug that unplugging certain types of HID devices causes a cleaned-\nup SRCU to be accessed. The bug was previously a hidden failure until a\nrecent x86 percpu change [1] made it access not-present pages.\n\nThe bug will be triggered if the conditions below are met:\n\nA) a device under the driver has some LEDs on\nB) hid_ll_driver-\u003erequest() is uninplemented (e.g., logitech-djreceiver)\n\nIf condition A is met, hidinput_led_worker() is always scheduled *after*\nhid_bpf_destroy_device().\n\nhid_destroy_device\n` hid_bpf_destroy_device\n  ` cleanup_srcu_struct(\u0026hdev-\u003ebpf.srcu)\n` hid_remove_device\n  ` ...\n    ` led_classdev_unregister\n      ` led_trigger_set(led_cdev, NULL)\n        ` led_set_brightness(led_cdev, LED_OFF)\n          ` ...\n            ` input_inject_event\n              ` input_event_dispose\n                ` hidinput_input_event\n                  ` schedule_work(\u0026hid-\u003eled_work) [hidinput_led_worker]\n\nThis is fine when condition B is not met, where hidinput_led_worker()\ncalls hid_ll_driver-\u003erequest(). This is the case for most HID drivers,\nwhich implement it or use the generic one from usbhid. The driver itself\nor an underlying driver will then abort processing the request.\n\nOtherwise, hidinput_led_worker() tries hid_hw_output_report() and leads\nto the bug.\n\nhidinput_led_worker\n` hid_hw_output_report\n  ` dispatch_hid_bpf_output_report\n    ` srcu_read_lock(\u0026hdev-\u003ebpf.srcu)\n    ` srcu_read_unlock(\u0026hdev-\u003ebpf.srcu, idx)\n\nThe bug has existed since the introduction [2] of\ndispatch_hid_bpf_output_report(). However, the same bug also exists in\ndispatch_hid_bpf_raw_requests(), and I\u0027ve reproduced (no visible effect\nbecause of the lack of [1], but confirmed bpf.destroyed == 1) the bug\nagainst the commit (i.e., the Fixes:) introducing the function. This is\nbecause hidinput_led_worker() falls back to hid_hw_raw_request() when\nhid_ll_driver-\u003eoutput_report() is uninplemented (e.g., logitech-\ndjreceiver).\n\nhidinput_led_worker\n` hid_hw_output_report: -ENOSYS\n` hid_hw_raw_request\n  ` dispatch_hid_bpf_raw_requests\n    ` srcu_read_lock(\u0026hdev-\u003ebpf.srcu)\n    ` srcu_read_unlock(\u0026hdev-\u003ebpf.srcu, idx)\n\nFix the issue by returning early in the two mentioned functions if\nhid_bpf has been marked as destroyed. Though\ndispatch_hid_bpf_device_event() handles input events, and there is no\nevidence that it may be called after the destruction, the same check, as\na safety net, is also added to it to maintain the consistency among all\ndispatch functions.\n\nThe impact of the bug on other architectures is unclear. Even if it acts\nas a hidden failure, this is still dangerous because it corrupts\nwhatever is on the address calculated by SRCU. Thus, CC\u0027ing the stable\nlist.\n\n[1]: commit 9d7de2aa8b41 (\"x86/percpu/64: Use relative percpu offsets\")\n[2]: commit 9286675a2aed (\"HID: bpf: add HID-BPF hooks for\nhid_hw_output_report\")"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:28:24.883Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f8544be7e8e55b0ef23e1ab90e23e8d4d4aad3d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/e4b4fe25a4101d1ddb5884f40e149a3618983b66"
        },
        {
          "url": "https://git.kernel.org/stable/c/578e1b96fad7402ff7e9c7648c8f1ad0225147c8"
        }
      ],
      "title": "HID: bpf: abort dispatch if device destroyed",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38016",
    "datePublished": "2025-06-18T09:28:24.883Z",
    "dateReserved": "2025-04-16T04:51:23.977Z",
    "dateUpdated": "2025-06-18T09:28:24.883Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38016\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-06-18T10:15:33.187\",\"lastModified\":\"2025-06-18T13:46:52.973\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nHID: bpf: abort dispatch if device destroyed\\n\\nThe current HID bpf implementation assumes no output report/request will\\ngo through it after hid_bpf_destroy_device() has been called. This leads\\nto a bug that unplugging certain types of HID devices causes a cleaned-\\nup SRCU to be accessed. The bug was previously a hidden failure until a\\nrecent x86 percpu change [1] made it access not-present pages.\\n\\nThe bug will be triggered if the conditions below are met:\\n\\nA) a device under the driver has some LEDs on\\nB) hid_ll_driver-\u003erequest() is uninplemented (e.g., logitech-djreceiver)\\n\\nIf condition A is met, hidinput_led_worker() is always scheduled *after*\\nhid_bpf_destroy_device().\\n\\nhid_destroy_device\\n` hid_bpf_destroy_device\\n  ` cleanup_srcu_struct(\u0026hdev-\u003ebpf.srcu)\\n` hid_remove_device\\n  ` ...\\n    ` led_classdev_unregister\\n      ` led_trigger_set(led_cdev, NULL)\\n        ` led_set_brightness(led_cdev, LED_OFF)\\n          ` ...\\n            ` input_inject_event\\n              ` input_event_dispose\\n                ` hidinput_input_event\\n                  ` schedule_work(\u0026hid-\u003eled_work) [hidinput_led_worker]\\n\\nThis is fine when condition B is not met, where hidinput_led_worker()\\ncalls hid_ll_driver-\u003erequest(). This is the case for most HID drivers,\\nwhich implement it or use the generic one from usbhid. The driver itself\\nor an underlying driver will then abort processing the request.\\n\\nOtherwise, hidinput_led_worker() tries hid_hw_output_report() and leads\\nto the bug.\\n\\nhidinput_led_worker\\n` hid_hw_output_report\\n  ` dispatch_hid_bpf_output_report\\n    ` srcu_read_lock(\u0026hdev-\u003ebpf.srcu)\\n    ` srcu_read_unlock(\u0026hdev-\u003ebpf.srcu, idx)\\n\\nThe bug has existed since the introduction [2] of\\ndispatch_hid_bpf_output_report(). However, the same bug also exists in\\ndispatch_hid_bpf_raw_requests(), and I\u0027ve reproduced (no visible effect\\nbecause of the lack of [1], but confirmed bpf.destroyed == 1) the bug\\nagainst the commit (i.e., the Fixes:) introducing the function. This is\\nbecause hidinput_led_worker() falls back to hid_hw_raw_request() when\\nhid_ll_driver-\u003eoutput_report() is uninplemented (e.g., logitech-\\ndjreceiver).\\n\\nhidinput_led_worker\\n` hid_hw_output_report: -ENOSYS\\n` hid_hw_raw_request\\n  ` dispatch_hid_bpf_raw_requests\\n    ` srcu_read_lock(\u0026hdev-\u003ebpf.srcu)\\n    ` srcu_read_unlock(\u0026hdev-\u003ebpf.srcu, idx)\\n\\nFix the issue by returning early in the two mentioned functions if\\nhid_bpf has been marked as destroyed. Though\\ndispatch_hid_bpf_device_event() handles input events, and there is no\\nevidence that it may be called after the destruction, the same check, as\\na safety net, is also added to it to maintain the consistency among all\\ndispatch functions.\\n\\nThe impact of the bug on other architectures is unclear. Even if it acts\\nas a hidden failure, this is still dangerous because it corrupts\\nwhatever is on the address calculated by SRCU. Thus, CC\u0027ing the stable\\nlist.\\n\\n[1]: commit 9d7de2aa8b41 (\\\"x86/percpu/64: Use relative percpu offsets\\\")\\n[2]: commit 9286675a2aed (\\\"HID: bpf: add HID-BPF hooks for\\nhid_hw_output_report\\\")\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/578e1b96fad7402ff7e9c7648c8f1ad0225147c8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e4b4fe25a4101d1ddb5884f40e149a3618983b66\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f8544be7e8e55b0ef23e1ab90e23e8d4d4aad3d3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.