[PATCH] kernel memory safety check in a block

Biancaa Ramesh posted 1 patch 3 months, 2 weeks ago
drivers/media/pci/cx18/cx18-queue.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
[PATCH] kernel memory safety check in a block
Posted by Biancaa Ramesh 3 months, 2 weeks ago
Signed-off-by: Biancaa Ramesh <biancaa2210329@ssn.edu.in>
[PATCH] media: cx18: fix potential double free in cx18_stream_alloc

The function cx18_stream_alloc() may free buf->buf and buf multiple times
if dma_mapping_error() occurs. This patch:

- Adds checks before kfree() to avoid double free
- Sets pointers to NULL after free to make accidental double free less likely
- Improves overall memory safety and robustness in error paths
---
 drivers/media/pci/cx18/cx18-queue.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/media/pci/cx18/cx18-queue.c b/drivers/media/pci/cx18/cx18-queue.c
index eeb5513b1d52..025ba4e6e4be 100644
--- a/drivers/media/pci/cx18/cx18-queue.c
+++ b/drivers/media/pci/cx18/cx18-queue.c
@@ -383,9 +383,16 @@ int cx18_stream_alloc(struct cx18_stream *s)
 						 buf->buf, s->buf_size,
 						 s->dma);
 		if (dma_mapping_error(&s->cx->pci_dev->dev, buf->dma_handle)) {
-			kfree(buf->buf);
+			if (buf) {
+        		if (buf->buf){
+            	kfree(buf->buf);
+				buf->buf =NULL;
+				}
+        		kfree(buf);
+				buf=NULL;
+    		}
 			kfree(mdl);
-			kfree(buf);
+			//makes accidental double free less possible
 			break;
 		}
 
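Review bot: the new `if (buf)` / `if (buf->buf)` guards and the `buf->buf = NULL;` / `buf = NULL;` stores do not fix a double free that this hunk shows: the two removed lines released `buf->buf` and `buf` exactly once each, both pointers are already known non-NULL here (the loop bailed out earlier with `kfree(mdl)` when `buf` was NULL and with `kfree(mdl); kfree(buf);` when `buf->buf` was NULL, lines 370 to 380 in the test robot's context), kfree() accepts NULL anyway, and both variables are loop-local and go out of scope at the `break`, so nulling them has no effect. The commit message's "may free buf->buf and buf multiple times" therefore needs a concrete path through the code, or the change should be dropped and the original three kfree() calls kept. Also, the added lines mix spaces and tabs (smatch reports `inconsistent indenting` at line 389), the `//makes accidental double free less possible` comment now sits after `kfree(mdl)` and describes nothing at that point, and coding-style.rst asks for `/* ... */` comments rather than `//`.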
-- 
2.43.0


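An added harness, not part of the patch or of the cx18 driver, that puts the commit message's double-free claim under test: a user-space model of one iteration of the cx18_stream_alloc() allocation loop with kzalloc()/kfree() replaced by a counting ledger, so an error path can be audited for any object freed other than exactly once. The stubbed dma mapping failure, the 32/64-byte sizes and the goto-label unwind are assumptions of this model, not driver code.

```c
#include <stdlib.h>
/* Ledger: every kzalloc() is recorded and each kfree() on it counted, so an
 * error path can be audited for double frees (count > 1) and leaks (count 0). */
static void *tracked[16]; static int free_count[16], ntracked;
static void *kzalloc(size_t sz)
{
	void *p = calloc(1, sz);
	if (p && ntracked < 16)
		tracked[ntracked++] = p;
	return p;
}
/* Like the kernel's kfree(), NULL is a no-op; memory is kept until the audit. */
static void kfree(const void *p)
{
	for (int i = 0; p && i < ntracked; i++)
		if (tracked[i] == p)
			free_count[i]++;
}
struct cx18_buffer { void *buf; };
/* One pass of the allocation loop with the dma mapping stubbed, unwound with
 * goto labels as coding-style.rst recommends: each object is freed once. */
static int alloc_iteration(int dma_fails)
{
	void *mdl = kzalloc(32);                      /* struct cx18_mdl stand-in */
	struct cx18_buffer *buf = kzalloc(sizeof(*buf));
	if (!mdl || !buf)
		goto err_meta;
	buf->buf = kzalloc(64);                       /* kmalloc(s->buf_size) */
	if (!buf->buf || dma_fails)                   /* or dma_mapping_error() */
		goto err_buf;
	return 0;                                     /* caller now owns mdl and buf */
err_buf:
	kfree(buf->buf);
err_meta:
	kfree(mdl);
	kfree(buf);
	return -1;
}

/* Count pointers released other than exactly once, then free and clear ledger. */
static int audit_and_reset(void)
{
	int bad = 0;
	while (ntracked > 0) {
		bad += free_count[--ntracked] != 1;
		free(tracked[ntracked]);
		free_count[ntracked] = 0;
	}
	return bad;
}
```

On the failure path audit_and_reset() returns 0, showing each of the three objects was released once; on the success path it returns 3 because ownership of all three has passed to the caller.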
Re: [PATCH] kernel memory safety check in a block
Posted by kernel test robot 3 months, 1 week ago
Hi Biancaa,

kernel test robot noticed the following build warnings:

[auto build test WARNING on sailus-media-tree/master]
[also build test WARNING on linus/master v6.18-rc3 next-20251029]
[cannot apply to sailus-media-tree/streams]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Biancaa-Ramesh/kernel-memory-safety-check-in-a-block/20251022-041827
base:   git://linuxtv.org/sailus/media_tree.git master
patch link:    https://lore.kernel.org/r/20251021201704.178535-1-biancaa2210329%40ssn.edu.in
patch subject: [PATCH] kernel memory safety check in a block
config: um-randconfig-r073-20251025 (https://download.01.org/0day-ci/archive/20251030/202510301541.ExxRSMBP-lkp@intel.com/config)
compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project e1ae12640102fd2b05bc567243580f90acb1135f)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202510301541.ExxRSMBP-lkp@intel.com/

New smatch warnings:
drivers/media/pci/cx18/cx18-queue.c:389 cx18_stream_alloc() warn: inconsistent indenting

Old smatch warnings:
drivers/media/pci/cx18/cx18-queue.c:392 cx18_stream_alloc() warn: inconsistent indenting

vim +389 drivers/media/pci/cx18/cx18-queue.c

   331	
   332	int cx18_stream_alloc(struct cx18_stream *s)
   333	{
   334		struct cx18 *cx = s->cx;
   335		int i;
   336	
   337		if (s->buffers == 0)
   338			return 0;
   339	
   340		CX18_DEBUG_INFO("Allocate %s stream: %d x %d buffers (%d.%02d kB total)\n",
   341			s->name, s->buffers, s->buf_size,
   342			s->buffers * s->buf_size / 1024,
   343			(s->buffers * s->buf_size * 100 / 1024) % 100);
   344	
   345		if (((char __iomem *)&cx->scb->cpu_mdl[cx->free_mdl_idx + s->buffers] -
   346					(char __iomem *)cx->scb) > SCB_RESERVED_SIZE) {
   347			unsigned bufsz = (((char __iomem *)cx->scb) + SCB_RESERVED_SIZE -
   348						((char __iomem *)cx->scb->cpu_mdl));
   349	
   350			CX18_ERR("Too many buffers, cannot fit in SCB area\n");
   351			CX18_ERR("Max buffers = %zu\n",
   352				bufsz / sizeof(struct cx18_mdl_ent));
   353			return -ENOMEM;
   354		}
   355	
   356		s->mdl_base_idx = cx->free_mdl_idx;
   357	
   358		/* allocate stream buffers and MDLs */
   359		for (i = 0; i < s->buffers; i++) {
   360			struct cx18_mdl *mdl;
   361			struct cx18_buffer *buf;
   362	
   363			/* 1 MDL per buffer to handle the worst & also default case */
   364			mdl = kzalloc(sizeof(struct cx18_mdl), GFP_KERNEL|__GFP_NOWARN);
   365			if (mdl == NULL)
   366				break;
   367	
   368			buf = kzalloc(sizeof(struct cx18_buffer),
   369					GFP_KERNEL|__GFP_NOWARN);
   370			if (buf == NULL) {
   371				kfree(mdl);
   372				break;
   373			}
   374	
   375			buf->buf = kmalloc(s->buf_size, GFP_KERNEL|__GFP_NOWARN);
   376			if (buf->buf == NULL) {
   377				kfree(mdl);
   378				kfree(buf);
   379				break;
   380			}
   381	
   382			buf->dma_handle = dma_map_single(&s->cx->pci_dev->dev,
   383							 buf->buf, s->buf_size,
   384							 s->dma);
   385			if (dma_mapping_error(&s->cx->pci_dev->dev, buf->dma_handle)) {
   386				if (buf) {
   387	        		if (buf->buf){
   388	            	kfree(buf->buf);
 > 389					buf->buf =NULL;
   390					}
   391	        		kfree(buf);
   392					buf=NULL;
   393	    		}
   394				kfree(mdl);
   395				//makes accidental double free less possible
   396				break;
   397			}
   398	
   399			INIT_LIST_HEAD(&mdl->list);
   400			INIT_LIST_HEAD(&mdl->buf_list);
   401			mdl->id = s->mdl_base_idx; /* a somewhat safe value */
   402			cx18_enqueue(s, mdl, &s->q_idle);
   403	
   404			INIT_LIST_HEAD(&buf->list);
   405			cx18_buf_sync_for_cpu(s, buf);
   406			list_add_tail(&buf->list, &s->buf_pool);
   407		}
   408		if (i == s->buffers) {
   409			cx->free_mdl_idx += s->buffers;
   410			return 0;
   411		}
   412		CX18_ERR("Couldn't allocate buffers for %s stream\n", s->name);
   413		cx18_stream_free(s);
   414		return -ENOMEM;
   415	}
   416	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Re: [PATCH] kernel memory safety check in a block
Posted by Sakari Ailus 3 months, 2 weeks ago
Hi Biancaa,

On Wed, Oct 22, 2025 at 01:47:04AM +0530, Biancaa Ramesh wrote:
> Signed-off-by: Biancaa Ramesh <biancaa2210329@ssn.edu.in>
> [PATCH] media: cx18: fix potential double free in cx18_stream_alloc
> 
> The function cx18_stream_alloc() may free buf->buf and buf multiple times
> if dma_mapping_error() occurs. This patch:
> 
> - Adds checks before kfree() to avoid double free
> - Sets pointers to NULL after free to make accidental double free less likely
> - Improves overall memory safety and robustness in error paths
> ---
>  drivers/media/pci/cx18/cx18-queue.c | 11 +++++++++--
>  1 file changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/media/pci/cx18/cx18-queue.c b/drivers/media/pci/cx18/cx18-queue.c
> index eeb5513b1d52..025ba4e6e4be 100644
> --- a/drivers/media/pci/cx18/cx18-queue.c
> +++ b/drivers/media/pci/cx18/cx18-queue.c
> @@ -383,9 +383,16 @@ int cx18_stream_alloc(struct cx18_stream *s)
>  						 buf->buf, s->buf_size,
>  						 s->dma);
>  		if (dma_mapping_error(&s->cx->pci_dev->dev, buf->dma_handle)) {
> -			kfree(buf->buf);
> +			if (buf) {
> +        		if (buf->buf){
> +            	kfree(buf->buf);
> +				buf->buf =NULL;
> +				}
> +        		kfree(buf);
> +				buf=NULL;
> +    		}
>  			kfree(mdl);
> -			kfree(buf);
> +			//makes accidental double free less possible
>  			break;
>  		}
>  

Please read Documentation/process/submitting-patches.rst before submitting
further patches.

-- 
Kind regards,

Sakari Ailus