linux/drivers
Ping Cheng 797c128d3c HID: wacom: Fix memory leakage caused by kfifo_alloc
commit 37309f47e2 upstream.

As reported by syzbot below, kfifo_alloc'd memory would not be freed
if a non-zero return value is triggered in wacom_probe. This patch
creates and uses devm_kfifo_alloc to allocate and free itself.

BUG: memory leak
unreferenced object 0xffff88810dc44a00 (size 512):
  comm "kworker/1:2", pid 3674, jiffies 4294943617 (age 14.100s)
  hex dump (first 32 bytes):
   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
   [<0000000023e1afac>] kmalloc_array include/linux/slab.h:592 [inline]
   [<0000000023e1afac>] __kfifo_alloc+0xad/0x100 lib/kfifo.c:43
   [<00000000c477f737>] wacom_probe+0x1a1/0x3b0 drivers/hid/wacom_sys.c:2727
   [<00000000b3109aca>] hid_device_probe+0x16b/0x210 drivers/hid/hid-core.c:2281
   [<00000000aff7c640>] really_probe+0x159/0x480 drivers/base/dd.c:554
   [<00000000778d0bc3>] driver_probe_device+0x84/0x100 drivers/base/dd.c:738
   [<000000005108dbb5>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:844
   [<00000000efb7c59e>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431
   [<0000000024ab1590>] __device_attach+0x122/0x250 drivers/base/dd.c:912
   [<000000004c7ac048>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:491
   [<00000000b93050a3>] device_add+0x5ac/0xc30 drivers/base/core.c:2936
   [<00000000e5b46ea5>] hid_add_device+0x151/0x390 drivers/hid/hid-core.c:2437
   [<00000000c6add147>] usbhid_probe+0x412/0x560 drivers/hid/usbhid/hid-core.c:1407
   [<00000000c33acdb4>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
   [<00000000aff7c640>] really_probe+0x159/0x480 drivers/base/dd.c:554
   [<00000000778d0bc3>] driver_probe_device+0x84/0x100 drivers/base/dd.c:738
   [<000000005108dbb5>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:844

https://syzkaller.appspot.com/bug?extid=5b49c9695968d7250a26

Reported-by: syzbot+5b49c9695968d7250a26@syzkaller.appspotmail.com
Signed-off-by: Ping Cheng <ping.cheng@wacom.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-01-17 14:16:59 +01:00
accessibility speakup: fix uninitialized flush_lock 2020-12-30 11:53:44 +01:00
acpi ACPI: PNP: compare the string length in the matching_id() 2020-12-30 11:54:06 +01:00
amba
android binder: add flag to clear buffer on txn complete 2020-12-30 11:54:09 +01:00
ata libata-5.10-2020-10-30 2020-10-30 14:51:01 -07:00
atm atm: idt77252: call pci_disable_device() on error path 2021-01-12 20:18:09 +01:00
auxdisplay
base Revert "device property: Keep secondary firmware node secondary by type" 2021-01-12 20:18:24 +01:00
bcma
block null_blk: Fail zone append to conventional zones 2020-12-30 11:54:29 +01:00
bluetooth Bluetooth: revert: hci_h5: close serdev device and free hu in h5_close 2021-01-12 20:18:16 +01:00
bus bus: fsl-mc: fix error return code in fsl_mc_object_allocate() 2020-12-30 11:53:46 +01:00
cdrom
char um: random: Register random as hwrng-core device 2021-01-06 14:56:55 +01:00
clk clk: tegra: Do not return 0 on failure 2020-12-30 11:54:26 +01:00
clocksource clocksource/drivers/arm_arch_timer: Correct fault programming of CNTKCTL_EL1.EVNTI 2020-12-30 11:53:37 +01:00
connector
counter counter: microchip-tcb-capture: Fix CMR value check 2020-12-30 11:54:26 +01:00
cpufreq cpufreq: intel_pstate: Use most recent guaranteed performance values 2020-12-30 11:54:10 +01:00
cpuidle cpuidle: tegra: Annotate tegra_pm_set_cpu_in_lp2() with RCU_NONIDLE 2020-11-16 13:24:32 +01:00
crypto crypto: atmel-i2c - select CONFIG_BITREVERSE 2020-12-30 11:53:50 +01:00
dax device-dax: Fix range release 2021-01-06 14:56:56 +01:00
dca
devfreq
dio
dma dmaengine: idxd: off by one in cleanup code 2021-01-12 20:18:26 +01:00
dma-buf dmabuf: fix use-after-free of dmabuf's file->f_inode 2021-01-12 20:18:24 +01:00
edac EDAC/amd64: Fix PCI component registration 2020-12-30 11:54:11 +01:00
eisa
extcon extcon: max77693: Fix modalias string 2020-12-30 11:53:49 +01:00
firewire
firmware mm/gup: prevent gup_fast from racing with COW during fork 2020-12-30 11:53:54 +01:00
fpga fpga: Specify HAS_IOMEM dependency for FPGA_DFL 2020-12-01 18:46:24 +01:00
fsi fsi: Aspeed: Add mutex to protect HW access 2020-12-30 11:53:46 +01:00
gnss
gpio gpiolib: irq hooks: fix recursion in gpiochip_irq_unmask 2020-12-30 11:53:51 +01:00
gpu drm/panfrost: Don't corrupt the queue mutex on open/close 2021-01-17 14:16:53 +01:00
greybus
hid HID: wacom: Fix memory leakage caused by kfifo_alloc 2021-01-17 14:16:59 +01:00
hsi HSI: omap_ssi: Don't jump to free ID in ssi_add_controller() 2020-12-30 11:53:24 +01:00
hv hyperv-fixes for 5.10-rc5 2020-11-16 15:02:33 -08:00
hwmon hwmon: (amd_energy) fix allocation of hwmon_channel_info config 2021-01-12 20:18:22 +01:00
hwspinlock
hwtracing coresight: remove broken __exit annotations 2020-12-30 11:53:44 +01:00
i2c Revert "i2c: i2c-qcom-geni: Fix DMA transfer race" 2020-12-30 11:52:57 +01:00
i3c i3c master: fix missing destroy_workqueue() on error in i3c_master_register 2021-01-06 14:56:53 +01:00
ide scsi: ide: Mark power management requests with RQF_PM instead of RQF_PREEMPT 2021-01-12 20:18:15 +01:00
idle intel_idle: Build fix 2020-12-03 10:00:23 +01:00
iio iio:adc:ti-ads124s08: Fix alignment and data leak issues. 2020-12-30 11:54:25 +01:00
infiniband RDMA/hns: Avoid filling sl in high 3 bits of vlan_id 2021-01-17 14:16:53 +01:00
input Input: cyapa_gen6 - fix out-of-bounds stack access 2020-12-30 11:54:05 +01:00
interconnect interconnect: fix memory trashing in of_count_icc_providers() 2020-11-20 16:01:35 +02:00
iommu iommu/arm-smmu-qcom: Initialize SCTLR of the bypass context 2021-01-17 14:16:53 +01:00
ipack
irqchip irqchip/qcom-pdc: Fix phantom irq when changing between rising/falling 2020-12-30 11:53:51 +01:00
isdn
leds leds: turris-omnia: check for LED_COLOR_ID_RGB instead LED_COLOR_ID_MULTI 2020-12-30 11:53:22 +01:00
lightnvm lightnvm: fix out-of-bounds write to array devices->info[] 2020-10-16 09:28:45 -06:00
macintosh macintosh/adb-iop: Send correct poll command 2020-12-30 11:53:39 +01:00
mailbox mailbox: arm_mhu_db: Fix mhu_db_shutdown by replacing kfree with devm_kfree 2020-12-30 11:53:28 +01:00
mcb
md bcache: introduce BCH_FEATURE_INCOMPAT_LOG_LARGE_BUCKET_SIZE for large bucket 2021-01-12 20:18:25 +01:00
media media: gp8psk: initialize stats at power control logic 2021-01-06 14:56:52 +01:00
memory memory: renesas-rpc-if: Fix unbalanced pm_runtime_enable in rpcif_{enable,disable}_rpm 2020-12-30 11:54:27 +01:00
memstick memstick: r592: Fix error return in r592_probe() 2020-12-30 11:53:34 +01:00
message scsi: mptfusion: Fix null pointer dereferences in mptscsih_remove() 2020-10-26 16:57:18 -04:00
mfd mfd: cpcap: Fix interrupt regression with regmap clear_ack 2020-12-30 11:53:16 +01:00
misc misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells() 2021-01-06 14:56:52 +01:00
mmc mmc: pxamci: Fix error return code in pxamci_probe 2020-12-30 11:53:20 +01:00
most
mtd Revert "mtd: spinand: Fix OOB read" 2021-01-09 13:46:22 +01:00
mux
net ionic: start queues before announcing link up 2021-01-17 14:16:59 +01:00
nfc nfc: s3fwrn5: Release the nfc firmware 2020-12-30 11:53:53 +01:00
ntb Bug fixes for v5.10 2020-10-25 11:12:31 -07:00
nubus
nvdimm libnvdimm/namespace: Fix reaping of invalidated block-window-namespace labels 2020-12-30 11:54:27 +01:00
nvme RDMA/core: remove use of dma_virt_ops 2021-01-09 13:46:24 +01:00
nvmem
of of/address: Fix of_node memory leak in of_dma_is_coherent 2020-11-11 17:10:16 -06:00
opp opp: Call the missing clk_put() on error 2021-01-06 14:56:49 +01:00
oprofile
parisc dma-mapping: split <linux/dma-mapping.h> 2020-10-06 07:07:03 +02:00
parport
pci PCI: Fix pci_slot_release() NULL pointer dereference 2020-12-30 11:54:28 +01:00
pcmcia
perf
phy drm/mediatek: avoid dereferencing a null hdmi_phy on an error message 2020-12-30 11:53:43 +01:00
pinctrl pinctrl: sunxi: Always call chained_irq_{enter, exit} in sunxi_pinctrl_irq_handler 2020-12-30 11:54:25 +01:00
platform platform/x86: intel-vbtn: Allow switch events on Acer Switch Alpha 12 2020-12-30 11:54:28 +01:00
pnp PNP: fix kernel-doc markups 2020-10-27 19:23:04 +01:00
power power: supply: bq24190_charger: fix reference leak 2020-12-30 11:53:25 +01:00
powercap Merge branch 'turbostat' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux 2020-11-10 10:02:31 -08:00
pps
ps3 powerpc/ps3: use dma_mapping_error() 2020-12-30 11:53:53 +01:00
ptp ptp: ptp_ines: prevent build when HAS_IOMEM is not set 2021-01-17 14:16:55 +01:00
pwm pwm: sun4i: Remove erroneous else branch 2020-12-30 11:53:59 +01:00
rapidio rapidio: fix the missed put_device() for rio_mport_add_riodev 2020-10-16 11:11:22 -07:00
ras
regulator regulator: axp20x: Fix DLDO2 voltage control register mask for AXP22x 2020-12-30 11:54:28 +01:00
remoteproc remoteproc: sysmon: Ensure remote notification ordering 2020-12-30 11:54:28 +01:00
reset ARM: SoC-related driver updates 2020-10-24 10:39:22 -07:00
rpmsg rpmsg updates for 5.10 2020-10-22 12:58:21 -07:00
rtc rtc: pcf2127: only use watchdog when explicitly available 2021-01-09 13:46:22 +01:00
s390 s390/qeth: fix L2 header access in qeth_l3_osa_features_check() 2021-01-17 14:16:58 +01:00
sbus
scsi scsi: lpfc: Fix variable 'vport' set but not used in lpfc_sli4_abts_err_handler() 2021-01-17 14:16:59 +01:00
sfi
sh
siox
slimbus slimbus: qcom: fix potential NULL dereference in qcom_slim_prg_slew() 2020-12-30 11:53:47 +01:00
soc soc: qcom: smp2p: Safely acquire spinlock without IRQs 2020-12-30 11:54:22 +01:00
soundwire soundwire: master: use pm_runtime_set_active() on add 2020-12-30 11:53:28 +01:00
spi spi: dw-bt1: Fix undefined devm_mux_control_get symbol 2021-01-06 14:56:49 +01:00
spmi
ssb
staging staging: mt7621-dma: Fix a resource leak in an error handling path 2021-01-12 20:18:17 +01:00
target scsi: target: Fix XCOPY NAA identifier lookup 2021-01-12 20:18:27 +01:00
tc
tee ARM: SoC fixes for v5.10, part 3 2020-11-27 14:48:03 -08:00
thermal thermal/drivers/cpufreq_cooling: Update cpufreq_state only if state has changed 2020-12-30 11:54:29 +01:00
thunderbolt thunderbolt: Fix use-after-free in remove_unplugged_switch() 2020-11-19 17:44:10 +03:00
tty m68k: Fix WARNING splat in pmac_zilog driver 2020-12-30 11:54:11 +01:00
uio uio: Fix use-after-free in uio_unregister_device() 2020-11-09 18:54:30 +01:00
usb USB: serial: keyspan_pda: remove unused variable 2021-01-12 20:18:22 +01:00
vdpa vdpa/mlx5: Use write memory barrier after updating CQ index 2020-12-30 11:54:00 +01:00
vfio vfio/pci/nvlink2: Do not attempt NPU2 setup on POWER8NVL NPU 2020-12-30 11:54:03 +01:00
vhost vhost_net: fix ubuf refcount incorrectly when sendmsg fails 2021-01-12 20:18:13 +01:00
video fbcon: Disable accelerated scrolling 2021-01-06 14:56:51 +01:00
virt nitro_enclaves: Fixup type and simplify logic of the poll mask setup 2020-11-09 18:20:36 +01:00
virtio virtio_ring: Fix two use after free bugs 2020-12-30 11:54:00 +01:00
visorbus
vlynq
vme
w1 w1: w1_therm: make w1_poll_completion static 2020-10-05 14:49:24 +02:00
watchdog watchdog: rti-wdt: fix reference leak in rti_wdt_probe 2021-01-06 14:56:54 +01:00
xen xenbus/xenbus_backend: Disallow pending watch messages 2020-12-30 11:54:27 +01:00
zorro
Kconfig
Makefile vdpa: mlx5: fix vdpa/vhost dependencies 2020-12-02 04:09:56 -05:00