Re: [PATCH 3/3] HID: asus: avoid memory leak in asus_report_fixup()

From: Günther Noack

Date: Tue Feb 17 2026 - 14:51:20 EST


Hello!

On Tue, Feb 17, 2026 at 07:31:23PM +0100, Benjamin Tissoires wrote:
> On Feb 17 2026, Günther Noack wrote:
> > The asus_report_fixup() function was allocating a new buffer with kmemdup()
> > when growing the report descriptor but never freeing it. Switch to
> > devm_kzalloc() to ensure the memory is managed and freed automatically when
> > the device is removed.
>
> Actually this one is even worse: you can't use devm_kzalloc because
> hid-core.c will later call kfree(dev->rdesc) if dev->rdesc is different
> from the one provided by the low level driver. So we are going to have
> a double free.

The buffer returned by report_fixup() is duplicated first before
hid-core stores it in dev->rdesc. The pointer that report_fixup()
returns is not managed by the caller.

I elaborated in the response to the other patch in [1]. You can see
it in the source code in the position marked with (4).

[1] https://lore.kernel.org/all/aZTEnPEHcWEkoTJR@xxxxxxxxxx/


> I really wonder if this was ever tested.

I only convinced myself by staring at the code, because I do not
happen to have the matching USB devices here.  What is your usual
approach to verifying such changes? raw-gadget?

—Günther