From: Qasim Ijaz <qasdev00@gmail.com>
Date: Mon, 14 Apr 2025 18:33:09 +0000 (+0100)
Subject: HID: wacom: fix memory leak on size mismatch in wacom_wac_queue_flush()
X-Git-Url: http://git.monstr.eu/?a=commitdiff_plain;h=fd34bf79a617f6298b13b274dc255f192a987e2a;p=linux-2.6-microblaze.git

HID: wacom: fix memory leak on size mismatch in wacom_wac_queue_flush()

In wacom_wac_queue_flush() the code allocates zero initialised
buffer which it uses as a storage buffer for copying data from
a fifo via kfifo_out(). The kfifo_out() function returns the
number of elements it has copied. The code checks if the number
of copied elements does not equal the size of the fifo record,
if it does not it simply skips the entry and continues to the
next iteration. However it does not release the storage buffer
leading to a memory leak.

Fix the memory leak by freeing the buffer on size mismatch.

Fixes: 5e013ad20689 ("HID: wacom: Remove static WACOM_PKGLEN_MAX limit")
Reviewed-by: Jason Gerecke <jason.gerecke@wacom.com>
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
---

diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
index 43d892810c9e..95a796b3e9f2 100644
--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -87,6 +87,7 @@ static void wacom_wac_queue_flush(struct hid_device *hdev,
 			// to flush seems reasonable enough, however.
 			hid_warn(hdev, "%s: removed fifo entry with unexpected size\n",
 				 __func__);
+			kfree(buf);
 			continue;
 		}
 		err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, false);