When copy_from_user() fails, -EFAULT is returned without
releasing the memory previously allocated by kmalloc().

Signed-off-by: Yang Ruibin <11162571@vivo.com>
---
 drivers/thermal/testing/command.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/thermal/testing/command.c b/drivers/thermal/testing/command.c
index 7868caee3..b95bcb94e 100644
--- a/drivers/thermal/testing/command.c
+++ b/drivers/thermal/testing/command.c
@@ -150,9 +150,10 @@ static ssize_t tt_command_process(struct dentry *dentry, const char __user *user
 	if (!buf)
 		return -ENOMEM;
 
-	if (copy_from_user(buf, user_buf, count))
+	if (copy_from_user(buf, user_buf, count)) {
+		kfree(buf);
 		return -EFAULT;
+	}
 
 	buf[count] = '\0';
 	strim(buf);
-- 
2.34.1

On Thu, Aug 22, 2024 at 5:39 AM Yang Ruibin <11162571@vivo.com> wrote:
>
> When copy_from_user() fails, -EFAULT is returned without
> releasing the memory previously allocated by kmalloc().
>
> Signed-off-by: Yang Ruibin <11162571@vivo.com>
> ---
>  drivers/thermal/testing/command.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/thermal/testing/command.c b/drivers/thermal/testing/command.c
> index 7868caee3..b95bcb94e 100644
> --- a/drivers/thermal/testing/command.c
> +++ b/drivers/thermal/testing/command.c
> @@ -150,9 +150,10 @@ static ssize_t tt_command_process(struct dentry *dentry, const char __user *user
>         if (!buf)
>                 return -ENOMEM;
>
> -       if (copy_from_user(buf, user_buf, count))
> +       if (copy_from_user(buf, user_buf, count)) {
> +               kfree(buf);
>                 return -EFAULT;
> +       }
>
>         buf[count] = '\0';
>         strim(buf);
> --

Have you missed the __free() annotation on "buf"?