[PATCH v3 4/8] HID: asus: cleanup keyboard listener on failure: avoid use-after-free

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Denis Benato <denis.benato@linux.dev>
To: linux-kernel@vger.kernel.org
Cc: linux-input@vger.kernel.org,
	"Benjamin Tissoires" <bentiss@kernel.org>,
	"Jiri Kosina" <jikos@kernel.org>,
	"Luke D . Jones" <luke@ljones.dev>,
	"Mateusz Schyboll" <dragonn@op.pl>,
	"Denis Benato" <benato.denis96@gmail.com>,
	"Denis Benato" <denis.benato@linux.dev>,
	"Antheas Kapenekakis" <lkml@antheas.dev>,
	"Connor Belli" <connorbelli2003@gmail.com>,
	sahiko-bot@kernel.org
Subject: [PATCH v3 4/8] HID: asus: cleanup keyboard listener on failure: avoid use-after-free
Date: Sat, 13 Jun 2026 15:30:25 +0000	[thread overview]
Message-ID: <20260613153029.2559774-5-denis.benato@linux.dev> (raw)
In-Reply-To: <20260613153029.2559774-1-denis.benato@linux.dev>

asus_kbd_register_leds(), I noticed it registers a listener to a global list
and uses devm_kzalloc(). If a subsequent initialization step in asus_probe()
fails the driver returns without unregistering the listener, and the devres
subsystem will automatically free the memory, leaving a dangling pointer
in the global list.

Fixes: b34b5945a769 ("HID: asus: listen to the asus-wmi brightness device instead of creating one")
Reported-by: sahiko-bot@kernel.org
Signed-off-by: Denis Benato <denis.benato@linux.dev>
---
 drivers/hid/hid-asus.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
index 0a6c97155549..f38b18ad65c6 100644
--- a/drivers/hid/hid-asus.c
+++ b/drivers/hid/hid-asus.c
@@ -1426,11 +1426,17 @@ static int asus_probe(struct hid_device *hdev, const struct hid_device_id *id)
 		if (drvdata->tp) {
 			ret = asus_start_multitouch(hdev);
 			if (ret)
-				goto err_stop_hw;
+				goto err_unregister_backlight;
 		}
 	}
 
 	return 0;
+err_unregister_backlight:
+	if (drvdata->kbd_backlight) {
+		asus_hid_unregister_listener(&drvdata->kbd_backlight->listener);
+		devm_kfree(&hdev->dev, drvdata->kbd_backlight);
+		drvdata->kbd_backlight = NULL;
+	}
 err_stop_hw:
 	hid_hw_stop(hdev);
 	return ret;
-- 
2.47.3

next prev parent reply	other threads:[~2026-06-13 15:30 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-13 15:30 [PATCH v3 0/8] HID: asus: security fixes and more hardware support Denis Benato
2026-06-13 15:30 ` [PATCH v3 1/8] HID: asus: mitigate possible use-after-free Denis Benato
2026-06-13 15:47   ` sashiko-bot
2026-06-13 15:59   ` Antheas Kapenekakis
2026-06-13 15:30 ` [PATCH v3 2/8] HID: asus: prevent wrong pointer cast Denis Benato
2026-06-13 15:30 ` [PATCH v3 3/8] HID: asus: add support for xgm led Denis Benato
2026-06-13 15:42   ` sashiko-bot
2026-06-13 15:30 ` Denis Benato [this message]
2026-06-13 15:42   ` [PATCH v3 4/8] HID: asus: cleanup keyboard listener on failure: avoid use-after-free sashiko-bot
2026-06-13 15:57   ` Antheas Kapenekakis
2026-06-13 15:30 ` [PATCH v3 5/8] HID: asus: avoid sleeping calls in atomic context Denis Benato
2026-06-13 15:43   ` sashiko-bot
2026-06-13 16:15   ` Antheas Kapenekakis
2026-06-13 15:30 ` [PATCH v3 6/8] HID: asus: prevent a late KEY_FN_ESC to trigger a use-after-free Denis Benato
2026-06-13 15:53   ` sashiko-bot
2026-06-13 16:04   ` Antheas Kapenekakis
2026-06-13 15:30 ` [PATCH v3 7/8] HID: asus: add i2c entry for FA808UM and other TUFs Denis Benato
2026-06-13 15:45   ` sashiko-bot
2026-06-13 15:30 ` [PATCH v3 8/8] HID: asus: remove unnecessary OOM message Denis Benato

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:0a6c9715554 dfblob:f38b18ad65c )
 OR (
bs:"[PATCH v3 4/8] HID: asus: cleanup keyboard listener on failure: avoid use-after-free" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260613153029.2559774-5-denis.benato@linux.dev \
    --to=denis.benato@linux.dev \
    --cc=benato.denis96@gmail.com \
    --cc=bentiss@kernel.org \
    --cc=connorbelli2003@gmail.com \
    --cc=dragonn@op.pl \
    --cc=jikos@kernel.org \
    --cc=linux-input@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lkml@antheas.dev \
    --cc=luke@ljones.dev \
    --cc=sahiko-bot@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.