Received: by 2002:a05:6358:45e:b0:b5:b6eb:e1f9 with SMTP id 30csp412404rwe; Thu, 25 Aug 2022 02:42:12 -0700 (PDT) X-Google-Smtp-Source: AA6agR5hHwAacR2ckt8ZucXzIfTXAgebV+EPPT3OoWZmsCJg1sBYxVWI8OFDhT6veCj9R+MkOI9Y X-Received: by 2002:a17:906:9b15:b0:730:d10f:a932 with SMTP id eo21-20020a1709069b1500b00730d10fa932mr1885701ejc.304.1661420532467; Thu, 25 Aug 2022 02:42:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661420532; cv=none; d=google.com; s=arc-20160816; b=c4OEeNPFXTiUY3mYu3N4+hYq5TUiW99lhns7uXG1DMjRFqFyDT7xfqSHVGec+myErL JOEFEHiwIFq0tRRVEa4Z9IqIhOJHuSKkrO2z20QhcXCeLIVEggXeUZLllc6M3NjcA7SC x7GmyK48VaEPQUP/qkL5e5dlOs2OLQ4TyYHY2HVTs8sZ/VrK2dJ/nOtLDt4r8TNW+6lk I3ik3x51PMz4rtzECnT0M72SiB5M0nUuUji++CBiMaMQ0BTTxvA4zBb2f19RhL8z9TTx 51cymu29pwTkyU5qmhkRFZoP2Rp7ZZMkgbF1IFIp3CYoLPcDMlUJgpG6eOgv1piW9ZT2 D68w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:references:message-id :in-reply-to:subject:cc:to:from:date:dkim-signature; bh=JQggmY105R+gg6qYyFSLdiJtJq7PEa3vbf1W2HMuh/k=; b=FZ+t8Kf8PkKnMbsQCNVTw5wLE7ny3p3WwZUpB0iVO9Vs06Sux8xP4noPPpXcWE5rdj PgvtK0GREwm7bGlGn2tJ0IE5MsaS7ukdS3C1g9kqh/ZDKRGTvVoxVg5/2Vrb31qMe7ce KWwQhxdVeWYq0HpXOJvoacsNMkLhtqO0kb99NMLONS/j43IFdNI4yRkcy02c5e4NHZVK mGiG4jk04TFp9PUyH0fh3t7Cz737kz/xC5NJFY+HK5qrE7zJxLZLscXyJYekfkmJiH7D Bhb3YdDs1gHSviXy+LTJBGcQ6ndC9dKrB8gH0z5xw3429i0a/UlXP3vQO8zUED+rahbn A+hA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=gqHYU93y; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hc35-20020a17090716a300b007309e3ce06csi4154656ejc.647.2022.08.25.02.41.29; Thu, 25 Aug 2022 02:42:12 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=gqHYU93y; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240301AbiHYJbP (ORCPT + 99 others); Thu, 25 Aug 2022 05:31:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51258 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238202AbiHYJbJ (ORCPT ); Thu, 25 Aug 2022 05:31:09 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0483874DEF; Thu, 25 Aug 2022 02:31:08 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id B6070B827DC; Thu, 25 Aug 2022 09:31:06 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 56736C433D6; Thu, 25 Aug 2022 09:31:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1661419865; bh=plUt9uMkO0KE9Ug185awFHVbd+XLpzhEW8EZU+WPwdI=; h=Date:From:To:cc:Subject:In-Reply-To:References:From; b=gqHYU93y5S1V9afV+Fb301SVrj38bUxYiBnCmzv80PNF/rfxbw6VEKcGtNIm6lgzA FzV4RrxBUQ5WH5wzreUErNhfU2Toi01OiX0D7VMwZYSSN7PS6ObxqJs2JjSq1+LuuW zlIz+TanoZKGu+0tjaf6FsyJtYMiW9Fe5Z+viJOvYJ0PzKLqkxdC1rTp0muh/B5riu 1f7OpaFdgWDCWbUp9HbTJnQdAqRUD0YmZn2d+SLJA/YvZn/FaV5JtgU2Y8JCwJ24gh /RtJrd1XSnbssBUgFJ44+qocx71uf7a3F9UV6BJ9zN/vT5hJ8Ju1Qwo6LXclOwCaae pZGyaRtMKGF6Q== Date: Thu, 25 Aug 2022 11:31:01 +0200 (CEST) From: Jiri Kosina To: Karthik Alapati cc: Benjamin Tissoires , linux-input@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] HID: hidraw: fix memory leak in hidraw_release() In-Reply-To: Message-ID: References: User-Agent: Alpine 2.21 (LSU 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 28 Jul 2022, Karthik Alapati wrote: > Free the buffered reports before deleting the list entry. > > BUG: memory leak > unreferenced object 0xffff88810e72f180 (size 32): > comm "softirq", pid 0, jiffies 4294945143 (age 16.080s) > hex dump (first 32 bytes): > 64 f3 c6 6a d1 88 07 04 00 00 00 00 00 00 00 00 d..j............ > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > backtrace: > [] kmemdup+0x23/0x50 mm/util.c:128 > [] kmemdup include/linux/fortify-string.h:440 [inline] > [] hidraw_report_event+0xa2/0x150 drivers/hid/hidraw.c:521 > [] hid_report_raw_event+0x27d/0x740 drivers/hid/hid-core.c:1992 > [] hid_input_report+0x1ae/0x270 drivers/hid/hid-core.c:2065 > [] hid_irq_in+0x1ff/0x250 drivers/hid/usbhid/hid-core.c:284 > [] __usb_hcd_giveback_urb+0xf9/0x230 drivers/usb/core/hcd.c:1670 > [] usb_hcd_giveback_urb+0x1b6/0x1d0 drivers/usb/core/hcd.c:1747 > [] dummy_timer+0x8e4/0x14c0 drivers/usb/gadget/udc/dummy_hcd.c:1988 > [] call_timer_fn+0x38/0x200 kernel/time/timer.c:1474 > [] expire_timers kernel/time/timer.c:1519 [inline] > [] __run_timers.part.0+0x316/0x430 kernel/time/timer.c:1790 > [] __run_timers kernel/time/timer.c:1768 [inline] > [] run_timer_softirq+0x44/0x90 kernel/time/timer.c:1803 > [] __do_softirq+0xe6/0x2ea kernel/softirq.c:571 > [] invoke_softirq kernel/softirq.c:445 [inline] > [] __irq_exit_rcu kernel/softirq.c:650 [inline] > [] irq_exit_rcu+0xc0/0x110 kernel/softirq.c:662 > [] sysvec_apic_timer_interrupt+0xa2/0xd0 arch/x86/kernel/apic/apic.c:1106 > [] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:649 > [] native_safe_halt arch/x86/include/asm/irqflags.h:51 [inline] > [] arch_safe_halt arch/x86/include/asm/irqflags.h:89 [inline] > [] acpi_safe_halt drivers/acpi/processor_idle.c:111 [inline] > [] acpi_idle_do_entry+0xc0/0xd0 drivers/acpi/processor_idle.c:554 > > Link: https://syzkaller.appspot.com/bug?id=19a04b43c75ed1092021010419b5e560a8172c4f > Reported-by: syzbot+f59100a0428e6ded9443@syzkaller.appspotmail.com > Signed-off-by: Karthik Alapati > --- > drivers/hid/hidraw.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c > index 681614a8302a..197b1e7bf029 100644 > --- a/drivers/hid/hidraw.c > +++ b/drivers/hid/hidraw.c > @@ -350,6 +350,8 @@ static int hidraw_release(struct inode * inode, struct file * file) > down_write(&minors_rwsem); > > spin_lock_irqsave(&hidraw_table[minor]->list_lock, flags); > + for (int i = list->tail; i < list->head; i++) > + kfree(list->buffer[i].value); > list_del(&list->node); > spin_unlock_irqrestore(&hidraw_table[minor]->list_lock, flags); > kfree(list); Applied, thank you. -- Jiri Kosina SUSE Labs