The function mtd_parser_tplink_safeloader_parse() allocates buf via
mtd_parser_tplink_safeloader_read_table(). If the allocation for
parts[idx].name fails inside the loop, the code jumps to the err_free
label without freeing buf, leading to a memory leak.

Fix this by freeing the temporary buffer buf in the err_free label.

Compile tested only. Issue found using a prototype static analysis tool
and code review.

Fixes: 00a3588084be ("mtd: parsers: add TP-Link SafeLoader partitions table parser")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
---
 drivers/mtd/parsers/tplink_safeloader.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/mtd/parsers/tplink_safeloader.c b/drivers/mtd/parsers/tplink_safeloader.c
index e358a029dc70..4fcaf92d22e4 100644
--- a/drivers/mtd/parsers/tplink_safeloader.c
+++ b/drivers/mtd/parsers/tplink_safeloader.c
@@ -116,6 +116,7 @@ static int mtd_parser_tplink_safeloader_parse(struct mtd_info *mtd,
 	return idx;
 
 err_free:
+	kfree(buf);
 	for (idx -= 1; idx >= 0; idx--)
 		kfree(parts[idx].name);
 err_free_parts:
-- 
2.34.1

On Thu, 22 Jan 2026 13:09:50 +0000, Zilin Guan wrote:
> The function mtd_parser_tplink_safeloader_parse() allocates buf via
> mtd_parser_tplink_safeloader_read_table(). If the allocation for
> parts[idx].name fails inside the loop, the code jumps to the err_free
> label without freeing buf, leading to a memory leak.
> 
> Fix this by freeing the temporary buffer buf in the err_free label.
> 
> [...]

Applied to mtd/next, thanks!

[1/1] mtd: parsers: Fix memory leak in mtd_parser_tplink_safeloader_parse()
      commit: 980ce2b02dd06a4fdf5fee38b2e14becf9cf7b8b

Patche(s) should be available on mtd/linux.git and will be
part of the next PR (provided that no robot complains by then).

Kind regards,
Miquèl