diff mbox series

media: go7007: fix a memleak in go7007_load_encoder

Message ID 20240122172556.3842580-1-alexious@zju.edu.cn (mailing list archive)
State New
Headers show
Series media: go7007: fix a memleak in go7007_load_encoder | expand

Commit Message

Zhipeng Lu Jan. 22, 2024, 5:25 p.m. UTC 
In go7007_load_encoder, bounce(i.e. go->boot_fw), is allocated without
a deallocation thereafter. After the following call chain:

saa7134_go7007_init
  |-> go7007_boot_encoder
        |-> go7007_load_encoder
  |-> kfree(go)

go is freed and thus bounce is leaked.

Fixes: 95ef39403f89 ("[media] go7007: remember boot firmware")
Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
---
 drivers/media/usb/go7007/go7007-driver.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

Comments

Hans Verkuil Feb. 5, 2024, 9:26 a.m. UTC | #1 
On 22/01/2024 18:25, Zhipeng Lu wrote:
> In go7007_load_encoder, bounce(i.e. go->boot_fw), is allocated without
> a deallocation thereafter. After the following call chain:
> 
> saa7134_go7007_init
>   |-> go7007_boot_encoder
>         |-> go7007_load_encoder
>   |-> kfree(go)
> 
> go is freed and thus bounce is leaked.

It doesn't look like you compiled this!

drivers/media/usb/go7007/go7007-driver.c: In function 'go7007_load_encoder':
drivers/media/usb/go7007/go7007-driver.c:112:17: warning: 'bounce' may be used uninitialized [-Wmaybe-uninitialized]
  112 |                 kfree(bounce);
      |                 ^~~~~~~~~~~~~
drivers/media/usb/go7007/go7007-driver.c:82:15: note: 'bounce' was declared here
   82 |         void *bounce;
      |               ^~~~~~

> 
> Fixes: 95ef39403f89 ("[media] go7007: remember boot firmware")
> Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
> ---
>  drivers/media/usb/go7007/go7007-driver.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/media/usb/go7007/go7007-driver.c b/drivers/media/usb/go7007/go7007-driver.c
> index 0c24e2984304..65d6a63068dc 100644
> --- a/drivers/media/usb/go7007/go7007-driver.c
> +++ b/drivers/media/usb/go7007/go7007-driver.c
> @@ -80,7 +80,7 @@ static int go7007_load_encoder(struct go7007 *go)
>  	const struct firmware *fw_entry;
>  	char fw_name[] = "go7007/go7007fw.bin";
>  	void *bounce;
> -	int fw_len, rv = 0;
> +	int fw_len;
>  	u16 intr_val, intr_data;
>  
>  	if (go->boot_fw == NULL) {
> @@ -109,9 +109,10 @@ static int go7007_load_encoder(struct go7007 *go)
>  	    go7007_read_interrupt(go, &intr_val, &intr_data) < 0 ||
>  			(intr_val & ~0x1) != 0x5a5a) {
>  		v4l2_err(go, "error transferring firmware\n");
> -		rv = -1;
> +		kfree(bounce);

Just do kfree(go->boot_fw).

Regards,

	Hans

> +		return -1;
>  	}
> -	return rv;
> +	return 0;
>  }
>  
>  MODULE_FIRMWARE("go7007/go7007fw.bin");
diff mbox series

Patch

diff --git a/drivers/media/usb/go7007/go7007-driver.c b/drivers/media/usb/go7007/go7007-driver.c
index 0c24e2984304..65d6a63068dc 100644
--- a/drivers/media/usb/go7007/go7007-driver.c
+++ b/drivers/media/usb/go7007/go7007-driver.c
@@ -80,7 +80,7 @@  static int go7007_load_encoder(struct go7007 *go)
 	const struct firmware *fw_entry;
 	char fw_name[] = "go7007/go7007fw.bin";
 	void *bounce;
-	int fw_len, rv = 0;
+	int fw_len;
 	u16 intr_val, intr_data;
 
 	if (go->boot_fw == NULL) {
@@ -109,9 +109,10 @@  static int go7007_load_encoder(struct go7007 *go)
 	    go7007_read_interrupt(go, &intr_val, &intr_data) < 0 ||
 			(intr_val & ~0x1) != 0x5a5a) {
 		v4l2_err(go, "error transferring firmware\n");
-		rv = -1;
+		kfree(bounce);
+		return -1;
 	}
-	return rv;
+	return 0;
 }
 
 MODULE_FIRMWARE("go7007/go7007fw.bin");