Re: [PATCH 1/3] HID: apple: avoid memory leak in apple_report_fixup()

Next message: Lukas Wunner: "Re: [PATCH v2] PCI: pciehp: Fix hotplug on Catlow Lake with unreliable PME status"
Previous message: Mark Brown: "Re: [PATCH] sound: soc: Add SPDX ids to many soc files"
In reply to: G&#xFC;nther Noack: "[PATCH 1/3] HID: apple: avoid memory leak in apple_report_fixup()"
Next in thread: G&#xFC;nther Noack: "Re: [PATCH 1/3] HID: apple: avoid memory leak in apple_report_fixup()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Benjamin Tissoires

Date: Tue Feb 17 2026 - 13:22:31 EST

On Feb 17 2026, Günther Noack wrote:
> The apple_report_fixup() function was allocating a new buffer with
> kmemdup() but never freeing it. Since the caller of report_fixup() already
> provides a writable buffer and allows returning a pointer within that
> buffer, we can just modify the descriptor in-place and return the adjusted
> pointer.
>
> Assisted-by: Gemini-CLI:Google Gemini 3
> Signed-off-by: Günther Noack <gnoack@xxxxxxxxxx>
> ---
> drivers/hid/hid-apple.c | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c
> index 233e367cce1d..894adc23367b 100644
> --- a/drivers/hid/hid-apple.c
> +++ b/drivers/hid/hid-apple.c
> @@ -686,9 +686,7 @@ static const __u8 *apple_report_fixup(struct hid_device *hdev, __u8 *rdesc,
> hid_info(hdev,
> "fixing up Magic Keyboard battery report descriptor\n");
> *rsize = *rsize - 1;
> - rdesc = kmemdup(rdesc + 1, *rsize, GFP_KERNEL);
> - if (!rdesc)
> - return NULL;
> + rdesc = rdesc + 1;

I might be wrong, but later we call free(dev->rdesc) on device removal.
AFAICT, incrementing the pointer is undefined behavior.

What we should do instead is probably a krealloc instead of a kmemdup.

Same for all 3 patches.

Cheers,
Benjamin

>
> rdesc[0] = 0x05;
> rdesc[1] = 0x01;
> --
> 2.53.0.335.g19a08e0c02-goog
>