2020-12-10 12:02:38

by Peilin Ye

[permalink] [raw]
Subject: [PATCH] HID: wacom: Fix memory leak in wacom_probe()

wacom_probe() is leaking memory. Free `&wacom_wac->pen_fifo` when
hid_parse() or wacom_parse_and_register() fails.

Cc: [email protected]
Cc: Phong Tran <[email protected]>
Fixes: 83417206427b ("HID: wacom: Queue events with missing type/serial data for later processing")
Reported-by: [email protected]
Link: https://syzkaller.appspot.com/bug?id=3ce164d1f22d112c0bb0ef379a2656b5ca401583
Signed-off-by: Peilin Ye <[email protected]>
---
Hi all,

syzbot complained about another memory leak issue [1] in
rxrpc_lookup_local() while testing this patch, which I think is
irrelevant.

Thanks,
Peilin Ye

[1] https://syzkaller.appspot.com/bug?id=80b2343d6c19226dfa59e33b151c168d96253420

BUG: memory leak
unreferenced object 0xffff888117db0500 (size 256):
comm "syz-executor.4", pid 8886, jiffies 4294944028 (age 432.930s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 0a 00 00 00 00 c0 79 17 81 88 ff ff ..........y.....
backtrace:
[<000000001169b470>] kmalloc include/linux/slab.h:552 [inline]
[<000000001169b470>] kzalloc include/linux/slab.h:664 [inline]
[<000000001169b470>] rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline]
[<000000001169b470>] rxrpc_lookup_local+0x1c1/0x760 net/rxrpc/local_object.c:244
[<00000000e579837f>] rxrpc_bind+0x174/0x240 net/rxrpc/af_rxrpc.c:149
[<00000000200580c7>] afs_open_socket+0xdb/0x200 fs/afs/rxrpc.c:64
[<00000000be70b129>] afs_net_init+0x2b4/0x340 fs/afs/main.c:126
[<00000000449cb763>] ops_init+0x4e/0x190 net/core/net_namespace.c:152
[<00000000efe39ea0>] setup_net+0xdb/0x2d0 net/core/net_namespace.c:342
[<0000000080bf9a14>] copy_net_ns+0x14b/0x320 net/core/net_namespace.c:483
[<00000000fd18ae2f>] create_new_namespaces+0x199/0x4e0 kernel/nsproxy.c:110
[<000000008a230dcc>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:231
[<00000000e5c837ae>] ksys_unshare+0x2fe/0x5c0 kernel/fork.c:2949
[<000000006188dafa>] __do_sys_unshare kernel/fork.c:3017 [inline]
[<000000006188dafa>] __se_sys_unshare kernel/fork.c:3015 [inline]
[<000000006188dafa>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3015
[<000000008705de4b>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<0000000058e35946>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

drivers/hid/wacom_sys.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
index cd71e7133944..fc14fe6d677b 100644
--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -2744,12 +2744,12 @@ static int wacom_probe(struct hid_device *hdev,
error = hid_parse(hdev);
if (error) {
hid_err(hdev, "parse failed\n");
- return error;
+ goto fail;
}

error = wacom_parse_and_register(wacom, false);
if (error)
- return error;
+ goto fail;

if (hdev->bus == BUS_BLUETOOTH) {
error = device_create_file(&hdev->dev, &dev_attr_speed);
@@ -2760,6 +2760,10 @@ static int wacom_probe(struct hid_device *hdev,
}

return 0;
+
+fail:
+ kfifo_free(&wacom_wac->pen_fifo);
+ return error;
}

static void wacom_remove(struct hid_device *hdev)
--
2.25.1


2021-01-14 12:23:21

by Jiri Kosina

[permalink] [raw]
Subject: Re: [PATCH] HID: wacom: Fix memory leak in wacom_probe()

On Thu, 10 Dec 2020, Peilin Ye wrote:

> wacom_probe() is leaking memory. Free `&wacom_wac->pen_fifo` when
> hid_parse() or wacom_parse_and_register() fails.

Thanks for the patch. It's however already been fixed in
hid.git#for-5.11/upstream-fixes (37309f47e2f5) branch that will be going
to Linus shortly.

--
Jiri Kosina
SUSE Labs

2021-01-14 13:00:12

by Peilin Ye

[permalink] [raw]
Subject: Re: [PATCH] HID: wacom: Fix memory leak in wacom_probe()

Hi Jiri,

On Thu, Jan 14, 2021 at 01:21:13PM +0100, Jiri Kosina wrote:
> > wacom_probe() is leaking memory. Free `&wacom_wac->pen_fifo` when
> > hid_parse() or wacom_parse_and_register() fails.
>
> Thanks for the patch. It's however already been fixed in
> hid.git#for-5.11/upstream-fixes (37309f47e2f5) branch that will be going
> to Linus shortly.

Ah... I checked linux-input@ before I started working on the bug, but
it seems that Ping sent out a patch just a few hours before I did.

Sorry for the race condition,
Peilin Ye