From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-ej1-f45.google.com (mail-ej1-f45.google.com [209.85.218.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 095FF3F5BC7 for ; Mon, 29 Jun 2026 08:30:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.45 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782721848; cv=none; b=V3kmWLaPZoUpjwWJ0/ZpazumCMjIGrM+M0CSgKFid/L5tFAef7hgbP3IRkNoHittjSUr56Sa3mvbTcYhg686lyW7Xh7kkKUIYd1rbWXCWux4wVzRFPMzPCMv6RVIKBl3fa5jplRkWYRdMOMjd6AA6grF8/DX/bzRcceWTV9q8ZY= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782721848; c=relaxed/simple; bh=abts/1MRf4sGQNrs+Qra6uETICHxnjs03xjp5k5HK2Y=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=q9WOLtdP/aq69YEZAadpE9rRr/skCrLc3VN9QEg05Gpvr2xzGViUPggX/yWy6bs/Zs+rU8nzfPvqF7L3+YaWcnEjFiq82PkcUyLWcz6Ho6W+hXbBYfB8sWdzRMDz+oLNPWKn8QK7ESAKBXCaTg4bG+6pseUwxu6sZzv3ui2zAxM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Us8L6piT; arc=none smtp.client-ip=209.85.218.45 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Us8L6piT" Received: by mail-ej1-f45.google.com with SMTP id a640c23a62f3a-c1269e4721aso91546466b.0 for ; Mon, 29 Jun 2026 01:30:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1782721845; x=1783326645; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=fq4MrGKf+YRbreREYMtKaIO+6uUYvLSEbh1uxDtYk3E=; b=Us8L6piTaw2CTj5R3lkxiqm27FcURXbi4dsVB3z1Re4Vk/TYMcuoCfHRadZ0noKd9K AV8lxqJFNfUrWAZcQmGKMQN5YCYCx9yEbVpTJfe5JWRH/uk+/elTXIj5asKcKBDrsqHq Uk7lT7RtPHeNSZNnze3Tg9h/QjkfVKDWYvTSbBiS/9AVJtOhPb93gObZl1z+t7Qj7kma pmB/0l9lMphn7DTApJgUajrpMiOD7Dg/e2Mhja43o1EQrFSPmFUzcNxNktj1OzddirxS 73HHYfVS5ld19kxJzXdV2ELyG6iR6h7LmcVihtEX+tdOFl1wd4fqHupOcJOx1oM+YHjg v3Kw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782721845; x=1783326645; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-gg:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=fq4MrGKf+YRbreREYMtKaIO+6uUYvLSEbh1uxDtYk3E=; b=ajQeWkehvr6Vp8zu4lGAaDqOujWep1RXkkcml7k0/n7jIpGJiz8wpqrBnVkIxIsI0j 3v1dy8uT01aRk8DsysYEgxiNCW+S8hzJe7ZYkElrtsDBu3Xnv4t1g9TJCs/j6UBKpGwI 9T6didnE+Z7StUYj2r5e3/ESDlBz0jedIqrruaH/IrptYFkz3+2ETX+QGUIf/4I/HiFb BZVAGFlu6REprX4a5tH0pfd6wm+8sGo6HrIjqMY6S1BELdf5Gs4KdTFaKKC1F94+kFRb zC38QvGaeIWcW8M/1JEAjIVoTjs1pCEyLE6XC2Wu8osDQ5jU93KB7GbY0jKQQHY40GzV QAhA== X-Forwarded-Encrypted: i=1; AHgh+RrtONaBKVP6j0iKGTLrQiVwVAokngwOxRFLk2x4LS7B+S9qVW+W9sVEFyNviMbojyjtfgQUsnPd98SQfbQ=@vger.kernel.org X-Gm-Message-State: AOJu0YzHuixg7VRF0o7dKN1HmxCl4O3OPFouUgv50SycpQHq3bfVJ4Gq vw3u+kaR9VYxcU/NWbZF6iOiHbzI0F8R4n42O9F9weZV3uSTzjcu7Ylk X-Gm-Gg: AfdE7cnJd+GhLNLNwzkZHahYAQev201YJrpYjygqyXNPg+63zOxDWIODzmC6JSOh4QI xyCNtQNn5uOQW7U6qqG7GRNshXLQ55EdG+rbRE+zMN4idWUR8XPkXQQH96gOYofY9zWT6l/WCnv pjat29KKhm7vbZV+RmKNdsSIeToWzr9d6xsRopfF0vOWFcZR6bCmYi28q3zLZcPBX9TNBWPb/if rIt1sD+qoTp2Gzl3f8accYu1XHvb+rV5VKtUWi5b7c4z6MljTAAfTnwjI0MuMRNUe0/QLgst09w La3QmlaT4UfG4OX4wyscg05O4OQARMK0lB1gMej58cEfN3/DNuIAPKkTGirjIAPAmUqflEm46nn 5t2rYknWXB3nLCCccoj9rvx0zrWIBD0iDQnr8ruClQJESgcTYlDLkxQlPhSTsRt8XWTXidNviAJ bepnuorl0rQQ== X-Received: by 2002:a17:906:6206:b0:bed:87c:b24e with SMTP id a640c23a62f3a-c1205eef62emr702909766b.29.1782721845095; Mon, 29 Jun 2026 01:30:45 -0700 (PDT) Received: from localhost ([2c0f:3d00:6be:8900:9cf4:43df:e612:817b]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-c1276ec6c96sm39712166b.43.2026.06.29.01.30.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 01:30:44 -0700 (PDT) Date: Mon, 29 Jun 2026 11:30:40 +0300 From: Dan Carpenter To: Dawei Feng Cc: hansg@kernel.org, mchehab@kernel.org, sakari.ailus@linux.intel.com, andy@kernel.org, gregkh@linuxfoundation.org, azpijr@gmail.com, kees@kernel.org, arnd@arndb.de, pontescpedro@gmail.com, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, jianhao.xu@seu.edu.cn, zilin@seu.edu.cn Subject: Re: [PATCH] media: atomisp: fix CAS scaler descriptor leaks Message-ID: References: <20260627060151.2543613-1-dawei.feng@seu.edu.cn> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20260627060151.2543613-1-dawei.feng@seu.edu.cn> On Sat, Jun 27, 2026 at 02:01:51PM +0800, Dawei Feng wrote: > load_video_binaries() and load_primary_binaries() create a CAS scaler > descriptor before allocating and looking up the YUV scaler binaries. > Several failure paths after descriptor creation return without destroying > the descriptor, leaking the frame-info arrays owned by it. > > Route those exits through a descriptor cleanup label while keeping the > existing pipe_settings ownership model. Also clear num_yuv_scaler when > capture scaler binary allocation fails, so the existing failure unwind does > not iterate a NULL scaler array. > > The bug was first flagged by an experimental analysis tool we are > developing for kernel memory-management bugs while analyzing > v6.13-rc1. The tool is still under development and is not yet publicly > available. Manual inspection confirms that the bug is still > present in v7.1.1. > > An x86_64 allyesconfig build showed no new warnings. As we do not have > an Intel Atom ISP camera platform with matching sensor firmware and ACPI > camera graph to test with, no runtime testing was able to be performed. > > Fixes: ad85094b293e ("Revert "media: staging: atomisp: Remove driver"") > Signed-off-by: Dawei Feng > --- > drivers/staging/media/atomisp/pci/sh_css.c | 35 ++++++++++++---------- > 1 file changed, 19 insertions(+), 16 deletions(-) > > diff --git a/drivers/staging/media/atomisp/pci/sh_css.c b/drivers/staging/media/atomisp/pci/sh_css.c > index 00082276f1db..d0ff16ba890f 100644 > --- a/drivers/staging/media/atomisp/pci/sh_css.c > +++ b/drivers/staging/media/atomisp/pci/sh_css.c > @@ -4528,20 +4528,20 @@ static int load_video_binaries(struct ia_css_pipe *pipe) > NULL, > &cas_scaler_descr); > if (err) > - return err; > + goto destroy_cas_scaler_desc; > mycs->num_yuv_scaler = cas_scaler_descr.num_stage; > mycs->yuv_scaler_binary = kzalloc_objs(struct ia_css_binary, > cas_scaler_descr.num_stage); > if (!mycs->yuv_scaler_binary) { > mycs->num_yuv_scaler = 0; > err = -ENOMEM; > - return err; > + goto destroy_cas_scaler_desc; > } > mycs->is_output_stage = kzalloc_objs(bool, > cas_scaler_descr.num_stage); > if (!mycs->is_output_stage) { > err = -ENOMEM; > - return err; > + goto destroy_cas_scaler_desc; > } > for (i = 0; i < cas_scaler_descr.num_stage; i++) { > struct ia_css_binary_descr yuv_scaler_descr; > @@ -4557,10 +4557,13 @@ static int load_video_binaries(struct ia_css_pipe *pipe) > if (err) { > kfree(mycs->is_output_stage); > mycs->is_output_stage = NULL; > - return err; > + goto destroy_cas_scaler_desc; What about freeing mycs->yuv_scaler_binary? There are a bunch of other leaks... I would prefer a more complete fix. https://staticthinking.wordpress.com/2022/04/28/free-the-last-thing-style/ I would probably just do the free before the goto since this is not part of the cleanup function. if (err) { ia_css_pipe_destroy_cas_scaler_desc(&cas_scaler_descr); goto free_output_stage; } ... return 0; free_output_stage: if (need_scalar) { kfree(mycs->is_output_stage); mycs->is_output_stage = NULL; } free_scalar_binary: if (need_scalar) { kfree(mycs->yuv_scaler_binary); mycs->yuv_scaler_binary = NULL; } etc. regards, dan carpenter