From: Denis Benato <denis.benato@linux.dev>
To: Antheas Kapenekakis <lkml@antheas.dev>
Cc: linux-kernel@vger.kernel.org, linux-input@vger.kernel.org,
Benjamin Tissoires <bentiss@kernel.org>,
Jiri Kosina <jikos@kernel.org>,
"Luke D . Jones" <luke@ljones.dev>,
Mateusz Schyboll <dragonn@op.pl>,
Denis Benato <benato.denis96@gmail.com>,
Connor Belli <connorbelli2003@gmail.com>,
sahiko-bot@kernel.org
Subject: Re: [PATCH v3 4/8] HID: asus: cleanup keyboard listener on failure: avoid use-after-free
Date: Sun, 14 Jun 2026 14:55:10 +0200 [thread overview]
Message-ID: <f3b1f501-39c7-406b-9d07-a9b89052aa79@linux.dev> (raw)
In-Reply-To: <CAGwozwGsDUh_pGjf-NcX6JiYfg8GhbADUcFTFs_E5BsuktdKaA@mail.gmail.com>
On 6/13/26 17:57, Antheas Kapenekakis wrote:
> On Sat, 13 Jun 2026 at 17:30, Denis Benato <denis.benato@linux.dev> wrote:
>> asus_kbd_register_leds(), I noticed it registers a listener to a global list
>> and uses devm_kzalloc(). If a subsequent initialization step in asus_probe()
>> fails the driver returns without unregistering the listener, and the devres
>> subsystem will automatically free the memory, leaving a dangling pointer
>> in the global list.
>>
>> Fixes: b34b5945a769 ("HID: asus: listen to the asus-wmi brightness device instead of creating one")
>> Reported-by: sahiko-bot@kernel.org
>> Signed-off-by: Denis Benato <denis.benato@linux.dev>
>> ---
>> drivers/hid/hid-asus.c | 8 +++++++-
>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
>> index 0a6c97155549..f38b18ad65c6 100644
>> --- a/drivers/hid/hid-asus.c
>> +++ b/drivers/hid/hid-asus.c
>> @@ -1426,11 +1426,17 @@ static int asus_probe(struct hid_device *hdev, const struct hid_device_id *id)
>> if (drvdata->tp) {
>> ret = asus_start_multitouch(hdev);
>> if (ret)
>> - goto err_stop_hw;
>> + goto err_unregister_backlight;
>> }
> This block currently does two things, rename and init the touchpad.
> Instead, you may pull the touchpad init to be below the hid_hw_start
> block and keep the same bail.
I'm not particularly keen on changing the sequence of packets in these
kinds of patches: I was trying to solve the reported issue in a way that
only solves the issue: nothing less and nothing more.
>> }
>>
>> return 0;
>> +err_unregister_backlight:
>> + if (drvdata->kbd_backlight) {
>> + asus_hid_unregister_listener(&drvdata->kbd_backlight->listener);
>> + devm_kfree(&hdev->dev, drvdata->kbd_backlight);
>> + drvdata->kbd_backlight = NULL;
>> + }
>> err_stop_hw:
> OR add asus_hid_unregister_listener(&drvdata->kbd_backlight->listener) here.
>
> Here, you'd also drop err_unregister_backlight, devm_kfree, and
> nulling. The driver is closing. It is not necessary.
>
> err_stop_hw is only used once, you do not need a secondary tag.
I will do this instead, thanks.
>> hid_hw_stop(hdev);
>> return ret;
>> --
>> 2.47.3
>>
>>
next prev parent reply other threads:[~2026-06-14 12:55 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-13 15:30 [PATCH v3 0/8] HID: asus: security fixes and more hardware support Denis Benato
2026-06-13 15:30 ` [PATCH v3 1/8] HID: asus: mitigate possible use-after-free Denis Benato
2026-06-13 15:47 ` sashiko-bot
2026-06-13 15:59 ` Antheas Kapenekakis
2026-06-13 15:30 ` [PATCH v3 2/8] HID: asus: prevent wrong pointer cast Denis Benato
2026-06-13 15:30 ` [PATCH v3 3/8] HID: asus: add support for xgm led Denis Benato
2026-06-13 15:42 ` sashiko-bot
2026-06-13 15:30 ` [PATCH v3 4/8] HID: asus: cleanup keyboard listener on failure: avoid use-after-free Denis Benato
2026-06-13 15:42 ` sashiko-bot
2026-06-13 15:57 ` Antheas Kapenekakis
2026-06-14 12:55 ` Denis Benato [this message]
2026-06-13 15:30 ` [PATCH v3 5/8] HID: asus: avoid sleeping calls in atomic context Denis Benato
2026-06-13 15:43 ` sashiko-bot
2026-06-13 16:15 ` Antheas Kapenekakis
2026-06-14 13:33 ` Denis Benato
2026-06-13 15:30 ` [PATCH v3 6/8] HID: asus: prevent a late KEY_FN_ESC to trigger a use-after-free Denis Benato
2026-06-13 15:53 ` sashiko-bot
2026-06-13 16:04 ` Antheas Kapenekakis
2026-06-13 15:30 ` [PATCH v3 7/8] HID: asus: add i2c entry for FA808UM and other TUFs Denis Benato
2026-06-13 15:45 ` sashiko-bot
2026-06-13 15:30 ` [PATCH v3 8/8] HID: asus: remove unnecessary OOM message Denis Benato
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f3b1f501-39c7-406b-9d07-a9b89052aa79@linux.dev \
--to=denis.benato@linux.dev \
--cc=benato.denis96@gmail.com \
--cc=bentiss@kernel.org \
--cc=connorbelli2003@gmail.com \
--cc=dragonn@op.pl \
--cc=jikos@kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lkml@antheas.dev \
--cc=luke@ljones.dev \
--cc=sahiko-bot@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.