From: Benjamin Tissoires <bentiss@kernel.org>
To: "Günther Noack" <gnoack@google.com>
Cc: Jiri Kosina <jikos@kernel.org>,
	linux-input@vger.kernel.org,  linux-kernel@vger.kernel.org
Subject: Re: [PATCH 3/3] HID: asus: avoid memory leak in asus_report_fixup()
Date: Tue, 17 Feb 2026 19:31:23 +0100	[thread overview]
Message-ID: <aZSzASB_TC2RyQsR@plouf> (raw)
In-Reply-To: <20260217160125.1097578-4-gnoack@google.com>

On Feb 17 2026, Günther Noack wrote:
> The asus_report_fixup() function was allocating a new buffer with kmemdup()
> when growing the report descriptor but never freeing it.  Switch to
> devm_kzalloc() to ensure the memory is managed and freed automatically when
> the device is removed.

Actually this one is even worse: you can't use devm_kzalloc because
hid-core.c will later call kfree(dev->rdesc) if dev->rdesc is different
from the one provided by the low level driver. So we are going to have
a double free.

I really wonder if this was ever tested.

Cheers,
Benjamin

> 
> Also fix a harmless out-of-bounds read by copying only the original
> descriptor size.
> 
> Assisted-by: Gemini-CLI:Google Gemini 3
> Signed-off-by: Günther Noack <gnoack@google.com>
> ---
>  drivers/hid/hid-asus.c | 15 +++++++++++----
>  1 file changed, 11 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
> index 8ffcd12038e8..7a08e964b9cc 100644
> --- a/drivers/hid/hid-asus.c
> +++ b/drivers/hid/hid-asus.c
> @@ -1399,14 +1399,21 @@ static const __u8 *asus_report_fixup(struct hid_device *hdev, __u8 *rdesc,
>  		 */
>  		if (*rsize == rsize_orig &&
>  			rdesc[offs] == 0x09 && rdesc[offs + 1] == 0x76) {
> -			*rsize = rsize_orig + 1;
> -			rdesc = kmemdup(rdesc, *rsize, GFP_KERNEL);
> -			if (!rdesc)
> -				return NULL;
> +			__u8 *new_rdesc;
> +
> +			new_rdesc = devm_kzalloc(&hdev->dev, rsize_orig + 1,
> +						 GFP_KERNEL);
> +			if (!new_rdesc)
> +				return rdesc;
>  
>  			hid_info(hdev, "Fixing up %s keyb report descriptor\n",
>  				drvdata->quirks & QUIRK_T100CHI ?
>  				"T100CHI" : "T90CHI");
> +
> +			memcpy(new_rdesc, rdesc, rsize_orig);
> +			*rsize = rsize_orig + 1;
> +			rdesc = new_rdesc;
> +
>  			memmove(rdesc + offs + 4, rdesc + offs + 2, 12);
>  			rdesc[offs] = 0x19;
>  			rdesc[offs + 1] = 0x00;
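Review bot: the buffer handed back from `new_rdesc = devm_kzalloc(&hdev->dev, rsize_orig + 1, GFP_KERNEL);` is owned by devres, yet it is assigned to `rdesc` and returned to hid-core, which (as the reply states) will kfree the returned descriptor when it differs from the low-level driver's one; that is a double free at device removal, so the replacement buffer should come from a plain allocation whose ownership passes to hid-core, i.e. keep `kmemdup`/`kmalloc` here and only fix the size that is copied. The size fix itself is right: the old `kmemdup(rdesc, *rsize, GFP_KERNEL)` after `*rsize = rsize_orig + 1` read one byte past the original descriptor, and `memcpy(new_rdesc, rdesc, rsize_orig);` followed by `*rsize = rsize_orig + 1;` reads only the original size. Returning `rdesc` unchanged on allocation failure is consistent, since `*rsize` is now updated only after the copy succeeds.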
> -- 
> 2.53.0.335.g19a08e0c02-goog
> 
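The ownership contract the reply describes, as an added user-space model that is not part of the thread or of the kernel: a driver's report_fixup() that returns a buffer different from the one the transport provided hands ownership of that buffer to the core, which frees it at teardown. All `model_` names are hypothetical, the descriptor bytes are constructed, and a small allocation tracker counts frees per buffer so the device-managed variant shows up as a count of 2 rather than corrupting the heap.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define MODEL_MAX_ALLOCS 8

/* Tracker: one entry per live buffer, with a per-buffer free count. */
struct model_alloc { void *ptr; int frees; };
static struct model_alloc model_allocs[MODEL_MAX_ALLOCS];
static int model_nallocs;

static void *model_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p && model_nallocs < MODEL_MAX_ALLOCS)
        model_allocs[model_nallocs++] = (struct model_alloc){ p, 0 };
    return p;
}

/* Count a free; memory is really released only on the first call. */
static void model_free(void *p)
{
    for (int i = 0; i < model_nallocs; i++)
        if (model_allocs[i].ptr == p) {
            if (model_allocs[i].frees++ == 0)
                free(p);
            return;
        }
}

static int model_free_count(const void *p)
{
    for (int i = 0; i < model_nallocs; i++)
        if (model_allocs[i].ptr == p)
            return model_allocs[i].frees;
    return -1; /* untracked pointer */
}

struct model_hid_device {
    uint8_t *dev_rdesc;  /* descriptor from the low-level transport */
    size_t   dev_rsize;
    uint8_t *rdesc;      /* descriptor after the driver's report_fixup */
    size_t   rsize;
    void    *devres[MODEL_MAX_ALLOCS]; /* device-managed buffers (devm model) */
    int      ndevres;
};

/* devm_kzalloc model: the device owns the buffer and frees it at release. */
static void *model_devm_alloc(struct model_hid_device *hdev, size_t n)
{
    void *p = model_alloc(n);
    if (p && hdev->ndevres < MODEL_MAX_ALLOCS)
        hdev->devres[hdev->ndevres++] = p;
    return p;
}

typedef const uint8_t *(*model_fixup_fn)(struct model_hid_device *, uint8_t *, size_t *);

/* Shared fixup body: grow by one byte, copying only the original size so no
 * byte past the end of the input descriptor is read. */
static const uint8_t *model_grow(uint8_t *buf, uint8_t *rdesc, size_t *rsize)
{
    if (!buf)
        return rdesc;            /* allocation failed: leave descriptor as is */
    memcpy(buf, rdesc, *rsize);
    buf[*rsize] = 0xC0;          /* constructed: append an End Collection item */
    *rsize += 1;
    return buf;
}

/* Correct shape: plain allocation whose ownership passes to the core. */
static const uint8_t *model_fixup_kmalloc(struct model_hid_device *hdev,
                                          uint8_t *rdesc, size_t *rsize)
{
    (void)hdev;
    return model_grow(model_alloc(*rsize + 1), rdesc, rsize);
}

/* The shape the reply objects to: a device-managed buffer returned to the core. */
static const uint8_t *model_fixup_devm(struct model_hid_device *hdev,
                                       uint8_t *rdesc, size_t *rsize)
{
    return model_grow(model_devm_alloc(hdev, *rsize + 1), rdesc, rsize);
}

/* Core side: run the fixup at probe, then release: free rdesc when it differs
 * from dev_rdesc (the kfree the reply refers to), then all devres buffers.
 * Returns the free count of the fixed-up buffer: 1 is correct, 2 is a double free. */
static int model_probe_and_release(model_fixup_fn fixup)
{
    static uint8_t raw[] = { 0x05, 0x01, 0x09, 0x06, 0xA1, 0x01 }; /* constructed */
    struct model_hid_device hdev = { 0 };
    hdev.dev_rdesc = raw;
    hdev.dev_rsize = sizeof raw;

    size_t rsize = hdev.dev_rsize;
    hdev.rdesc = (uint8_t *)fixup(&hdev, hdev.dev_rdesc, &rsize);
    hdev.rsize = rsize;
    const uint8_t *fixed = hdev.rdesc;

    if (hdev.rdesc != hdev.dev_rdesc)
        model_free(hdev.rdesc);           /* core: kfree(dev->rdesc) */
    for (int i = 0; i < hdev.ndevres; i++)
        model_free(hdev.devres[i]);       /* devres teardown */
    return model_free_count(fixed);
}
```

Running `model_probe_and_release(model_fixup_kmalloc)` yields 1 and `model_probe_and_release(model_fixup_devm)` yields 2: the device-managed buffer is freed once by the core's descriptor teardown and once more by devres, which is exactly the double free the reply points out.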
