Commit 2bad24c1 authored Feb 19, 2026 by Günther Noack Committed by Benjamin Tissoires Feb 19, 2026

HID: asus: avoid memory leak in asus_report_fixup()



The asus_report_fixup() function was returning a newly allocated
kmemdup()-allocated buffer, but never freeing it.  Switch to
devm_kzalloc() to ensure the memory is managed and freed automatically
when the device is removed.

The caller of report_fixup() does not take ownership of the returned
pointer, but it is permitted to return a pointer whose lifetime is at
least that of the input buffer.

Also fix a harmless out-of-bounds read by copying only the original
descriptor size.

Assisted-by: Gemini-CLI:Google Gemini 3
Signed-off-by: Günther Noack <gnoack@google.com>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>

parent 91e8c6e6

drivers/hid/hid-asus.c

+11 −4

Original line number	Diff line number	Diff line
		@@ -1399,14 +1399,21 @@ static const __u8 asus_report_fixup(struct hid_device hdev, __u8 *rdesc,
		*/
		if (*rsize == rsize_orig &&
		rdesc[offs] == 0x09 && rdesc[offs + 1] == 0x76) {
		*rsize = rsize_orig + 1;
		rdesc = kmemdup(rdesc, *rsize, GFP_KERNEL);
		if (!rdesc)
		return NULL;
		__u8 *new_rdesc;

		new_rdesc = devm_kzalloc(&hdev->dev, rsize_orig + 1,
		GFP_KERNEL);
		if (!new_rdesc)
		return rdesc;

		hid_info(hdev, "Fixing up %s keyb report descriptor\n",
		drvdata->quirks & QUIRK_T100CHI ?
		"T100CHI" : "T90CHI");

		memcpy(new_rdesc, rdesc, rsize_orig);
		*rsize = rsize_orig + 1;
		rdesc = new_rdesc;

		memmove(rdesc + offs + 4, rdesc + offs + 2, 12);
		rdesc[offs] = 0x19;
		rdesc[offs + 1] = 0x00;