[PATCH RESEND] HID: wacom: fix memory leak on size mismatch in wacom_wac_queue

linux-input.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH RESEND] HID: wacom: fix memory leak on size mismatch in wacom_wac_queue_flush()
@ 2025-04-14 18:33 Qasim Ijaz
  2025-04-15 14:04 ` Markus Elfring
  2025-04-24  9:54 ` Jiri Kosina
  0 siblings, 2 replies; 3+ messages in thread
From: Qasim Ijaz @ 2025-04-14 18:33 UTC (permalink / raw)
  To: ping.cheng, jason.gerecke, jikos, bentiss; +Cc: linux-input, linux-kernel

In wacom_wac_queue_flush() the code allocates zero initialised
buffer which it uses as a storage buffer for copying data from
a fifo via kfifo_out(). The kfifo_out() function returns the
number of elements it has copied. The code checks if the number
of copied elements does not equal the size of the fifo record,
if it does not it simply skips the entry and continues to the
next iteration. However it does not release the storage buffer
leading to a memory leak.

Fix the memory leak by freeing the buffer on size mismatch.

Fixes: 5e013ad20689 ("HID: wacom: Remove static WACOM_PKGLEN_MAX limit")
Reviewed-by: Jason Gerecke <jason.gerecke@wacom.com>
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
---
 drivers/hid/wacom_sys.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
index 666b7eb0fdfe..3e4f823f8ee8 100644
--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -87,6 +87,7 @@ static void wacom_wac_queue_flush(struct hid_device *hdev,
 			// to flush seems reasonable enough, however.
 			hid_warn(hdev, "%s: removed fifo entry with unexpected size\n",
 				 __func__);
+			kfree(buf);
 			continue;
 		}
 		err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, false);
-- 
2.39.5

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH RESEND] HID: wacom: fix memory leak on size mismatch in wacom_wac_queue_flush()
  2025-04-14 18:33 [PATCH RESEND] HID: wacom: fix memory leak on size mismatch in wacom_wac_queue_flush() Qasim Ijaz
@ 2025-04-15 14:04 ` Markus Elfring
  2025-04-24  9:54 ` Jiri Kosina
  1 sibling, 0 replies; 3+ messages in thread
From: Markus Elfring @ 2025-04-15 14:04 UTC (permalink / raw)
  To: Qasim Ijaz, linux-input
  Cc: LKML, Benjamin Tissoires, Jason Gerecke, Jiri Kosina, Ping Cheng

…
> number of elements it has copied. The code checks if the number 
> of copied elements does not equal the size of the fifo record, 
…
                     is?

Under which circumstances would you dare to use text lines
which would be longer than 63 characters?


Can a patch series be more appropriate for the affected software module?

Regards,
Markus

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH RESEND] HID: wacom: fix memory leak on size mismatch in wacom_wac_queue_flush()
  2025-04-14 18:33 [PATCH RESEND] HID: wacom: fix memory leak on size mismatch in wacom_wac_queue_flush() Qasim Ijaz
  2025-04-15 14:04 ` Markus Elfring
@ 2025-04-24  9:54 ` Jiri Kosina
  1 sibling, 0 replies; 3+ messages in thread
From: Jiri Kosina @ 2025-04-24  9:54 UTC (permalink / raw)
  To: Qasim Ijaz; +Cc: ping.cheng, jason.gerecke, bentiss, linux-input, linux-kernel

On Mon, 14 Apr 2025, Qasim Ijaz wrote:

> In wacom_wac_queue_flush() the code allocates zero initialised
> buffer which it uses as a storage buffer for copying data from
> a fifo via kfifo_out(). The kfifo_out() function returns the
> number of elements it has copied. The code checks if the number
> of copied elements does not equal the size of the fifo record,
> if it does not it simply skips the entry and continues to the
> next iteration. However it does not release the storage buffer
> leading to a memory leak.
> 
> Fix the memory leak by freeing the buffer on size mismatch.
> 
> Fixes: 5e013ad20689 ("HID: wacom: Remove static WACOM_PKGLEN_MAX limit")
> Reviewed-by: Jason Gerecke <jason.gerecke@wacom.com>
> Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
> ---
>  drivers/hid/wacom_sys.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
> index 666b7eb0fdfe..3e4f823f8ee8 100644
> --- a/drivers/hid/wacom_sys.c
> +++ b/drivers/hid/wacom_sys.c
> @@ -87,6 +87,7 @@ static void wacom_wac_queue_flush(struct hid_device *hdev,
>  			// to flush seems reasonable enough, however.
>  			hid_warn(hdev, "%s: removed fifo entry with unexpected size\n",
>  				 __func__);
> +			kfree(buf);
>  			continue;
>  		}
>  		err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, false);

Applied, thanks.

-- 
Jiri Kosina
SUSE Labs


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2025-04-24  9:54 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-04-14 18:33 [PATCH RESEND] HID: wacom: fix memory leak on size mismatch in wacom_wac_queue_flush() Qasim Ijaz
2025-04-15 14:04 ` Markus Elfring
2025-04-24  9:54 ` Jiri Kosina

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).