@@ -1728,6 +1728,11 @@ static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *fil
}
data = kzalloc(fw->size, GFP_KERNEL);
+ if (!data) {
+ release_firmware(fw);
+ sma1307->set.status = false;
+ return;
+ }
size = fw->size >> 2;
memcpy(data, fw->data, fw->size);
@@ -1741,6 +1746,12 @@ static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *fil
sma1307->set.header = devm_kzalloc(sma1307->dev,
sma1307->set.header_size,
GFP_KERNEL);
+ if (!sma1307->set.header) {
+ kfree(data);
+ sma1307->set.status = false;
+ return;
+ }
+
memcpy(sma1307->set.header, data,
sma1307->set.header_size * sizeof(int));
@@ -1756,6 +1767,13 @@ static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *fil
sma1307->set.def
= devm_kzalloc(sma1307->dev,
sma1307->set.def_size * sizeof(int), GFP_KERNEL);
+ if (!sma1307->set.def) {
+ kfree(data);
+ kfree(sma1307->set.header);
+ sma1307->set.status = false;
+ return;
+ }
+
memcpy(sma1307->set.def,
&data[sma1307->set.header_size],
sma1307->set.def_size * sizeof(int));
@@ -1768,6 +1786,16 @@ static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *fil
= devm_kzalloc(sma1307->dev,
sma1307->set.mode_size * 2 * sizeof(int),
GFP_KERNEL);
+ if (!sma1307->set.mode_set[i]) {
+ kfree(data);
+ kfree(sma1307->set.header);
+ kfree(sma1307->set.def);
+ for (int j = 0; j < i; j++)
+ kfree(sma1307->set.mode_set[j]);
+ sma1307->set.status = false;
+ return;
+ }
+
for (int j = 0; j < sma1307->set.mode_size; j++) {
sma1307->set.mode_set[i][2 * j]
= data[offset + ((num_mode + 1) * j)];
All varibale allocated by kzalloc and devm_kzalloc could be NULL. Multiple pointer checks and their cleanup are added. This issue is found by our static analysis tool Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com> --- sound/soc/codecs/sma1307.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+)