[PATCH] nouveau/firmware: fix memory leak on BL load failure

Posted by Dawei Feng 3 days, 4 hours ago
If loading the HS bootloader blob fails, nvkm_falcon_fw_ctor_hs() returns
immediately. This skips the common cleanup path and leaks the firmware
state allocated by nvkm_falcon_fw_ctor() and nvkm_falcon_fw_sign().

Fix this by routing the load failure to the 'done' label so
nvkm_falcon_fw_dtor() can properly clean up the partially initialized
state. Also clear the original 'blob' pointer after releasing it so the
final nvkm_firmware_put() remains balanced after a failed bootloader
reload.

The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still present in
v7.1-rc6.

An x86_64 allyesconfig build showed no new warnings. As we do not have a
supported NVIDIA GPU with the required firmware to test this path, no
runtime testing was able to be performed.

Fixes: 2541626cfb79 ("drm/nouveau/acr: use common falcon HS FW code for ACR FWs")
Cc: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
---
 drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c b/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c
index 4e8b3f1c7e25..71f55c5b0837 100644
--- a/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c
+++ b/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c
@@ -278,10 +278,11 @@ nvkm_falcon_fw_ctor_hs(const struct nvkm_falcon_fw_func *func, const char *name,
 
 	if (bl) {
 		nvkm_firmware_put(blob);
+		blob = NULL;
 
 		ret = nvkm_firmware_load_name(subdev, bl, "", ver, &blob);
 		if (ret)
-			return ret;
+			goto done;
 
 		hdr = nvfw_bin_hdr(subdev, blob->data);
 		desc = nvfw_bl_desc(subdev, blob->data + hdr->header_offset);
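
Review bot: The new `goto done` is only correct because of the `blob = NULL;` added earlier in the same `if (bl)` block, and nothing in the code says so. Since `nvkm_firmware_put(blob)` has already run at that point, the final nvkm_firmware_put() that the commit message relies on would otherwise release the same firmware a second time, so a one-line comment at `blob = NULL;` would keep a later cleanup from dropping it. The fix also assumes that nvkm_firmware_load_name() leaves `blob` NULL when it fails and that nvkm_firmware_put() accepts NULL; neither is visible in this hunk, and because the commit message says this path was not runtime tested, both are worth confirming before the change goes to stable.
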
-- 
2.34.1
Re: [PATCH] nouveau/firmware: fix memory leak on BL load failure
Posted by Timur Tabi 2 days, 12 hours ago
On Fri, 2026-06-05 at 10:07 +0800, Dawei Feng wrote:
>  	if (bl) {
>  		nvkm_firmware_put(blob);
> +		blob = NULL;
>  

I think it would be cleaner to instead delete this nvkm_firmware_put(blob) call here, and just rely
on the call to nvkm_firmware_put() at the end of nvkm_falcon_fw_ctor_hs().  Then you won't need
"blob = NULL".