From: Sairam Bandikanti
To: Hans de Goede, Mauro Carvalho Chehab, Greg Kroah-Hartman
Cc: Sakari Ailus, Andy Shevchenko, linux-media@vger.kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, Sairam Bandikanti, Claude
Subject: [PATCH] staging: atomisp: fix memory leak in sh_css_load_firmware on error path
Date: Wed, 1 Apr 2026 22:32:18 +0530
Message-Id: <20260401170218.40504-1-sairambandikanti@gmail.com>
Content-Transfer-Encoding: quoted-printable

sh_css_load_firmware() allocates sh_css_blob_info and fw_minibuffer but all error paths inside the firmware parsing loop use bare 'return' statements, leaking both allocations. Additionally, when the fw_minibuffer allocation itself fails, sh_css_blob_info is leaked.

Replace all bare returns with goto to a common err_alloc cleanup label that frees both allocations before returning.

Signed-off-by: Sairam Bandikanti
Assisted-by: Claude
--- .../media/atomisp/pci/sh_css_firmware.c | 62 +++++++++++++------ 1 file changed, 44 insertions(+), 18 deletions(-) diff --git a/drivers/staging/media/atomisp/pci/sh_css_firmware.c b/drivers/= staging/media/atomisp/pci/sh_css_firmware.c index 57ecf55..dec79d0 100644 --- a/drivers/staging/media/atomisp/pci/sh_css_firmware.c +++ b/drivers/staging/media/atomisp/pci/sh_css_firmware.c
@@ -263,8 +263,10 @@ sh_css_load_firmware(struct device *dev, const char *f= w_data, } =20 fw_minibuffer =3D kzalloc_objs(struct fw_param, sh_css_num_binaries); - if (!fw_minibuffer) - return -ENOMEM; + if (!fw_minibuffer) { + ret =3D -ENOMEM; + goto err_alloc; + } =20 for (i =3D 0; i < sh_css_num_binaries; i++) { struct ia_css_fw_info *bi =3D &binaries[i]; @@ -278,18 +280,23 @@ sh_css_load_firmware(struct device *dev, const char *= fw_data, =20 err =3D sh_css_load_blob_info(fw_data, bi, &bd, i); =20 - if (err) - return -EINVAL; + if (err) { + ret =3D -EINVAL; + goto err_alloc; + } =20 - if (bi->blob.offset + bi->blob.size > fw_size) - return -EINVAL; + if (bi->blob.offset + bi->blob.size > fw_size) { + ret =3D -EINVAL; + goto err_alloc; + } =20 switch (bd.header.type) { case ia_css_isp_firmware: if (bd.header.info.isp.type > IA_CSS_ACC_STANDALONE) { dev_err(dev, "binary #%2d: invalid SP type\n", i); - return -EINVAL; + ret =3D -EINVAL; + goto err_alloc; } =20 dev_dbg(dev, @@ -313,17 +320,22 @@ sh_css_load_firmware(struct device *dev, const char *= fw_data, dev_err(dev, "binary #%2d: invalid firmware type\n", i); - return -EINVAL; + ret =3D -EINVAL; + goto err_alloc; } break; } =20 if (bi->type =3D=3D ia_css_sp_firmware) { - if (i !=3D SP_FIRMWARE) - return -EINVAL; + if (i !=3D SP_FIRMWARE) { + ret =3D -EINVAL; + goto err_alloc; + } err =3D setup_binary(bi, fw_data, &sh_css_sp_fw, i); - if (err) - return err; + if (err) { + ret =3D err; + goto err_alloc; + } =20 } else { /* 
@@ -331,18 +343,32 @@ sh_css_load_firmware(struct device *dev, const char *= fw_data, * (including bootloaders) (i>NUM_OF_SPS) * are ISP firmware */ - if (i < NUM_OF_SPS) - return -EINVAL; + if (i < NUM_OF_SPS) { + ret =3D -EINVAL; + goto err_alloc; + } =20 - if (bi->type !=3D ia_css_isp_firmware) - return -EINVAL; - if (!sh_css_blob_info) /* cannot happen but KW does not see this */ - return -EINVAL; + if (bi->type !=3D ia_css_isp_firmware) { + ret =3D -EINVAL; + goto err_alloc; + } + if (!sh_css_blob_info) { + /* cannot happen but KW does not see this */ + ret =3D -EINVAL; + goto err_alloc; + } sh_css_blob_info[i - NUM_OF_SPS] =3D bd; } } =20 return 0; + +err_alloc: + kfree(fw_minibuffer); + fw_minibuffer =3D NULL; + kfree(sh_css_blob_info); + sh_css_blob_info =3D NULL; + return ret; } =20 void sh_css_unload_firmware(void) --=20 2.34.1
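Review bot: In the @@ -263 hunk, `ret = -ENOMEM;` assigns a variable that no hunk in this patch declares, and every converted path after it does the same. Please confirm that sh_css_load_firmware() already has an `int ret` in scope above line 263; if it does not, the declaration needs to be part of this patch or the file will not build. It would also help to say in the commit message whether any `return` statements above this hunk, after sh_css_blob_info has been allocated, still need the same conversion, since the description says all bare returns are replaced but only the ones from line 263 onward are visible here.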
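Review bot: In the @@ -278 hunk, the bounds check `bi->blob.offset + bi->blob.size > fw_size` is re-braced but otherwise kept, and the addition can wrap if both fields are 32-bit values read from the firmware image, which would let an out-of-range blob pass the test. Since the line is being touched anyway, consider making it overflow-safe, either with check_add_overflow() from <linux/overflow.h> or by rewriting it as `bi->blob.size > fw_size || bi->blob.offset > fw_size - bi->blob.size`. If that is out of scope for a leak fix, a follow-up patch would be fine, but it should not be lost.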
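Review bot: In the @@ -331 hunk, the new err_alloc label frees only the fw_minibuffer array and sh_css_blob_info, but the loop has already called setup_binary() for earlier binaries by the time a later iteration fails. If setup_binary() attaches per-binary allocations to fw_minibuffer entries or leaves pointers in sh_css_sp_fw, those are still leaked or left dangling after `kfree(fw_minibuffer);`. The label also leaves sh_css_num_binaries at its non-zero value while both arrays are NULL, which is worth checking against sh_css_unload_firmware() directly below. Consider calling sh_css_unload_firmware() from the error path, or unwinding the per-entry state explicitly and resetting the count, and state in the commit message which of the two was chosen and why.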