LinuxLists.cc - [PATCH] media: go7007: fix a memleak in go7007_load

2024-01-22 18:14:35

Subject: [PATCH] media: go7007: fix a memleak in go7007_load_encoder

In go7007_load_encoder, bounce(i.e. go->boot_fw), is allocated without
a deallocation thereafter. After the following call chain:

saa7134_go7007_init
|-> go7007_boot_encoder
|-> go7007_load_encoder
|-> kfree(go)

go is freed and thus bounce is leaked.

Fixes: 95ef39403f89 ("[media] go7007: remember boot firmware")
Signed-off-by: Zhipeng Lu <[email protected]>
---
drivers/media/usb/go7007/go7007-driver.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/media/usb/go7007/go7007-driver.c b/drivers/media/usb/go7007/go7007-driver.c
index 0c24e2984304..65d6a63068dc 100644
--- a/drivers/media/usb/go7007/go7007-driver.c
+++ b/drivers/media/usb/go7007/go7007-driver.c
@@ -80,7 +80,7 @@ static int go7007_load_encoder(struct go7007 *go)
const struct firmware *fw_entry;
char fw_name[] = "go7007/go7007fw.bin";
void *bounce;
- int fw_len, rv = 0;
+ int fw_len;
u16 intr_val, intr_data;

if (go->boot_fw == NULL) {
@@ -109,9 +109,10 @@ static int go7007_load_encoder(struct go7007 *go)
go7007_read_interrupt(go, &intr_val, &intr_data) < 0 ||
(intr_val & ~0x1) != 0x5a5a) {
v4l2_err(go, "error transferring firmware\n");
- rv = -1;
+ kfree(bounce);
+ return -1;
}
- return rv;
+ return 0;
}

MODULE_FIRMWARE("go7007/go7007fw.bin");
--
2.34.1

2024-02-05 09:31:30

by Hans Verkuil

[permalink] [raw]

Subject: Re: [PATCH] media: go7007: fix a memleak in go7007_load_encoder

On 22/01/2024 18:25, Zhipeng Lu wrote:
> In go7007_load_encoder, bounce(i.e. go->boot_fw), is allocated without
> a deallocation thereafter. After the following call chain:
>
> saa7134_go7007_init
> |-> go7007_boot_encoder
> |-> go7007_load_encoder
> |-> kfree(go)
>
> go is freed and thus bounce is leaked.

It doesn't look like you compiled this!

drivers/media/usb/go7007/go7007-driver.c: In function 'go7007_load_encoder':
drivers/media/usb/go7007/go7007-driver.c:112:17: warning: 'bounce' may be used uninitialized [-Wmaybe-uninitialized]
112 | kfree(bounce);
| ^~~~~~~~~~~~~
drivers/media/usb/go7007/go7007-driver.c:82:15: note: 'bounce' was declared here
82 | void *bounce;
| ^~~~~~

>
> Fixes: 95ef39403f89 ("[media] go7007: remember boot firmware")
> Signed-off-by: Zhipeng Lu <[email protected]>
> ---
> drivers/media/usb/go7007/go7007-driver.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/media/usb/go7007/go7007-driver.c b/drivers/media/usb/go7007/go7007-driver.c
> index 0c24e2984304..65d6a63068dc 100644
> --- a/drivers/media/usb/go7007/go7007-driver.c
> +++ b/drivers/media/usb/go7007/go7007-driver.c
> @@ -80,7 +80,7 @@ static int go7007_load_encoder(struct go7007 *go)
> const struct firmware *fw_entry;
> char fw_name[] = "go7007/go7007fw.bin";
> void *bounce;
> - int fw_len, rv = 0;
> + int fw_len;
> u16 intr_val, intr_data;
>
> if (go->boot_fw == NULL) {
> @@ -109,9 +109,10 @@ static int go7007_load_encoder(struct go7007 *go)
> go7007_read_interrupt(go, &intr_val, &intr_data) < 0 ||
> (intr_val & ~0x1) != 0x5a5a) {
> v4l2_err(go, "error transferring firmware\n");
> - rv = -1;
> + kfree(bounce);

Just do kfree(go->boot_fw).

Regards,

Hans

> + return -1;
> }
> - return rv;
> + return 0;
> }
>
> MODULE_FIRMWARE("go7007/go7007fw.bin");