HID: asus: avoid memory leak in asus_report_fixup()
authorGünther Noack <gnoack@google.com>
Thu, 19 Feb 2026 15:43:38 +0000 (16:43 +0100)
committerBenjamin Tissoires <bentiss@kernel.org>
Thu, 19 Feb 2026 17:57:38 +0000 (18:57 +0100)
The asus_report_fixup() function was returning a newly allocated
kmemdup()-allocated buffer, but never freeing it.  Switch to
devm_kzalloc() to ensure the memory is managed and freed automatically
when the device is removed.

The caller of report_fixup() does not take ownership of the returned
pointer, but report_fixup() is permitted to return a pointer whose
lifetime is at least that of the input buffer.

Also fix a harmless out-of-bounds read by copying only the original
descriptor size.

Assisted-by: Gemini-CLI:Google Gemini 3
Signed-off-by: Günther Noack <gnoack@google.com>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
drivers/hid/hid-asus.c

index 8ffcd12038e8a649ad78503e0a359b77f393d1fe..7a08e964b9cc863400a663f8699913ca44085d7b 100644 (file)
@@ -1399,14 +1399,21 @@ static const __u8 *asus_report_fixup(struct hid_device *hdev, __u8 *rdesc,
                 */
                if (*rsize == rsize_orig &&
                        rdesc[offs] == 0x09 && rdesc[offs + 1] == 0x76) {
-                       *rsize = rsize_orig + 1;
-                       rdesc = kmemdup(rdesc, *rsize, GFP_KERNEL);
-                       if (!rdesc)
-                               return NULL;
+                       __u8 *new_rdesc;
+
+                       new_rdesc = devm_kzalloc(&hdev->dev, rsize_orig + 1,
+                                                GFP_KERNEL);
+                       if (!new_rdesc)
+                               return rdesc;
 
                        hid_info(hdev, "Fixing up %s keyb report descriptor\n",
                                drvdata->quirks & QUIRK_T100CHI ?
                                "T100CHI" : "T90CHI");
+
+                       memcpy(new_rdesc, rdesc, rsize_orig);
+                       *rsize = rsize_orig + 1;
+                       rdesc = new_rdesc;
+
                        memmove(rdesc + offs + 4, rdesc + offs + 2, 12);
                        rdesc[offs] = 0x19;
                        rdesc[offs + 1] = 0x00;
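Review bot: The new `devm_kzalloc(&hdev->dev, rsize_orig + 1, GFP_KERNEL)` call has no comment recording why a device-managed buffer is used, so the lifetime contract lives only in the commit message. A line such as `/* devm-managed: the report_fixup() caller does not take ownership of the returned buffer */` above it would keep a later edit from reintroducing kmemdup(). The `return rdesc;` on allocation failure now silently leaves the descriptor unfixed where the old code returned NULL, and deserves `/* fall back to the unmodified descriptor */`. The following `memmove(rdesc + offs + 4, rdesc + offs + 2, 12)` writes through index `offs + 15` of a buffer of `rsize_orig + 1` bytes. Because `offs` and `rsize_orig` are assigned outside this hunk, that bound cannot be checked from here and is worth confirming, or stating in a comment next to the allocation. asus_report_fixup() begins and ends outside the hunk.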