Message ID | 20240122172556.3842580-1-alexious@zju.edu.cn (mailing list archive) |
---|---|
State | New |
Headers | show |
Series | media: go7007: fix a memleak in go7007_load_encoder | expand |
On 22/01/2024 18:25, Zhipeng Lu wrote: > In go7007_load_encoder, bounce(i.e. go->boot_fw), is allocated without > a deallocation thereafter. After the following call chain: > > saa7134_go7007_init > |-> go7007_boot_encoder > |-> go7007_load_encoder > |-> kfree(go) > > go is freed and thus bounce is leaked. It doesn't look like you compiled this! drivers/media/usb/go7007/go7007-driver.c: In function 'go7007_load_encoder': drivers/media/usb/go7007/go7007-driver.c:112:17: warning: 'bounce' may be used uninitialized [-Wmaybe-uninitialized] 112 | kfree(bounce); | ^~~~~~~~~~~~~ drivers/media/usb/go7007/go7007-driver.c:82:15: note: 'bounce' was declared here 82 | void *bounce; | ^~~~~~ > > Fixes: 95ef39403f89 ("[media] go7007: remember boot firmware") > Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn> > --- > drivers/media/usb/go7007/go7007-driver.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/drivers/media/usb/go7007/go7007-driver.c b/drivers/media/usb/go7007/go7007-driver.c > index 0c24e2984304..65d6a63068dc 100644 > --- a/drivers/media/usb/go7007/go7007-driver.c > +++ b/drivers/media/usb/go7007/go7007-driver.c > @@ -80,7 +80,7 @@ static int go7007_load_encoder(struct go7007 *go) > const struct firmware *fw_entry; > char fw_name[] = "go7007/go7007fw.bin"; > void *bounce; > - int fw_len, rv = 0; > + int fw_len; > u16 intr_val, intr_data; > > if (go->boot_fw == NULL) { > @@ -109,9 +109,10 @@ static int go7007_load_encoder(struct go7007 *go) > go7007_read_interrupt(go, &intr_val, &intr_data) < 0 || > (intr_val & ~0x1) != 0x5a5a) { > v4l2_err(go, "error transferring firmware\n"); > - rv = -1; > + kfree(bounce); Just do kfree(go->boot_fw). Regards, Hans > + return -1; > } > - return rv; > + return 0; > } > > MODULE_FIRMWARE("go7007/go7007fw.bin");
diff --git a/drivers/media/usb/go7007/go7007-driver.c b/drivers/media/usb/go7007/go7007-driver.c index 0c24e2984304..65d6a63068dc 100644 --- a/drivers/media/usb/go7007/go7007-driver.c +++ b/drivers/media/usb/go7007/go7007-driver.c @@ -80,7 +80,7 @@ static int go7007_load_encoder(struct go7007 *go) const struct firmware *fw_entry; char fw_name[] = "go7007/go7007fw.bin"; void *bounce; - int fw_len, rv = 0; + int fw_len; u16 intr_val, intr_data; if (go->boot_fw == NULL) { @@ -109,9 +109,10 @@ static int go7007_load_encoder(struct go7007 *go) go7007_read_interrupt(go, &intr_val, &intr_data) < 0 || (intr_val & ~0x1) != 0x5a5a) { v4l2_err(go, "error transferring firmware\n"); - rv = -1; + kfree(bounce); + return -1; } - return rv; + return 0; } MODULE_FIRMWARE("go7007/go7007fw.bin");
In go7007_load_encoder, bounce(i.e. go->boot_fw), is allocated without a deallocation thereafter. After the following call chain: saa7134_go7007_init |-> go7007_boot_encoder |-> go7007_load_encoder |-> kfree(go) go is freed and thus bounce is leaked. Fixes: 95ef39403f89 ("[media] go7007: remember boot firmware") Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn> --- drivers/media/usb/go7007/go7007-driver.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)