On 06/02/2024 07:50, Zhipeng Lu wrote:
> In go7007_load_encoder, bounce(i.e. go->boot_fw), is allocated without
> a deallocation thereafter. After the following call chain:
>
> saa7134_go7007_init
> |-> go7007_boot_encoder
> |-> go7007_load_encoder
> |-> kfree(go)
>
> go is freed and thus bounce is leaked.
>
> Fixes: 95ef39403f89 ("[media] go7007: remember boot firmware")
> Signed-off-by: Zhipeng Lu <alexious@xxxxxxxxxx>
> ---
> Changelog:
>
> v2: free go->boot_fw instead of bounce
>
> P.S. I'm sincerely apologize for sending a wrong v2 patch with no
> change applied. I forgot to add the changes to commit and missing
> it when checking. Please use this patch as the version 2.
> ---
> drivers/media/usb/go7007/go7007-driver.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/media/usb/go7007/go7007-driver.c b/drivers/media/usb/go7007/go7007-driver.c
> index 0c24e2984304..c0a47e596339 100644
> --- a/drivers/media/usb/go7007/go7007-driver.c
> +++ b/drivers/media/usb/go7007/go7007-driver.c
> @@ -80,7 +80,7 @@ static int go7007_load_encoder(struct go7007 *go)
> const struct firmware *fw_entry;
> char fw_name[] = "go7007/go7007fw.bin";
> void *bounce;
> - int fw_len, rv = 0;
> + int fw_len;
> u16 intr_val, intr_data;
>
> if (go->boot_fw == NULL) {
> @@ -109,9 +109,10 @@ static int go7007_load_encoder(struct go7007 *go)
> go7007_read_interrupt(go, &intr_val, &intr_data) < 0 ||
> (intr_val & ~0x1) != 0x5a5a) {
> v4l2_err(go, "error transferring firmware\n");
> - rv = -1;
> + kfree(go->boot_fw);
I think it is best if you add this line here:
go->boot_fw = NULL;
It makes the code more robust in case go7007_load_encoder() is called again.
Regards,
Hans
> + return -1;
> }
> - return rv;
> + return 0;
> }
>
> MODULE_FIRMWARE("go7007/go7007fw.bin");
