linux-input people: syzbot has found a bug related to USB/HID/input, and I have narrowed it down to the wacom driver. As far as I can tell, the problem is caused the fact that drivers/hid/wacom_sys.c calls input_register_device() in several places, but it never calls input_unregister_device(). I know very little about the input subsystem, but this certainly seems like a bug. When the device is unplugged, the disconnect pathway doesn't call hid_hw_close(). That routine doesn't get called until the user closes the device file (which can be long after the device is gone and hid_hw_stop() has run). Then usbhid_close() gets a use-after-free error when it tries to access data structures that were deallocated by usbhid_stop(). No doubt there are other problems too, but this is the one that syzbot found. Can any of you help fix this? Thanks. Alan Stern
