
Anonymous committed fa22709

msm: camera: nullify pointers after kfree and fix the memory leaks

nullify pointers after kfree and remove unnecessary kmallocs

Also fix the memory leaks: the memory should be freed after
v4l2_event_dequeue() even if copy_to/from_user() fails, because the entry
has already been removed from its list by v4l2_event_dequeue().

Change-Id: I733538c2fd76a6b77cfd8d6b780caebcb3fd70a8


Files changed (6)

drivers/media/video/msm/actuators/msm_actuator.c

 		a_ctrl->reg_tbl_size *
 		sizeof(struct msm_actuator_reg_params_t))) {
 		kfree(a_ctrl->i2c_reg_tbl);
+		a_ctrl->i2c_reg_tbl = NULL;
 		return -EFAULT;
 	}
 
 				GFP_KERNEL);
 			if (init_settings == NULL) {
 				kfree(a_ctrl->i2c_reg_tbl);
+				a_ctrl->i2c_reg_tbl = NULL;
 				pr_err("%s Error allocating memory for init_settings\n",
 					__func__);
 				return -EFAULT;
 				sizeof(struct reg_settings_t))) {
 				kfree(init_settings);
 				kfree(a_ctrl->i2c_reg_tbl);
+				a_ctrl->i2c_reg_tbl = NULL;
 				pr_err("%s Error copying init_settings\n",
 					__func__);
 				return -EFAULT;
 			kfree(init_settings);
 			if (rc < 0) {
 				kfree(a_ctrl->i2c_reg_tbl);
+				a_ctrl->i2c_reg_tbl = NULL;
 				pr_err("%s Error actuator_init_focus\n",
 					__func__);
 				return -EFAULT;
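Review bot: The pair `kfree(a_ctrl->i2c_reg_tbl);` / `a_ctrl->i2c_reg_tbl = NULL;` is now repeated on four separate error paths, so the next error path added here can free the table and forget the reset, which brings back the dangling pointer this commit removes. A single cleanup label reached with `goto`, which frees the table, clears the pointer and returns the error code, would keep the rule in one place. The allocation-failure branch for `init_settings` also returns `-EFAULT` where `-ENOMEM` would describe the failure. The enclosing function starts and ends outside the visible lines, so whether access to `a_ctrl` is serialized against other callers cannot be confirmed from here.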

drivers/media/video/msm/msm_vpe.c

 		return;
 	}
 	event_qcmd = kzalloc(sizeof(struct msm_queue_cmd), GFP_ATOMIC);
+	if (!event_qcmd) {
+		pr_err("%s: out of memory\n", __func__);
+		spin_unlock_irqrestore(&vpe_ctrl->lock, flags);
+		return;
+	}
 	atomic_set(&event_qcmd->on_heap, 1);
 	event_qcmd->command = (void *)vpe_ctrl->pp_frame_info;
 	vpe_ctrl->pp_frame_info = NULL;
 			pr_err("%s EVENTPAYLOAD Copy to user failed ",
 				__func__);
 		kfree(pp_frame_info);
-		kfree(event_qcmd);
+		event_qcmd->command = NULL;
+		free_qcmd(event_qcmd);
 		break;
 		}
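Review bot: The new out-of-memory branch returns with `vpe_ctrl->pp_frame_info` still set, because that pointer is only handed to `event_qcmd` and cleared on the lines after the `kzalloc()` check. Nothing visible frees it or tells the consumer that the event was dropped, so the frame info appears to stay pending, or leak, until something else resets it. If this function owns the buffer at that point, release it before unlocking, for example `kfree(vpe_ctrl->pp_frame_info); vpe_ctrl->pp_frame_info = NULL;`. Otherwise add a comment saying who reclaims it. The function begins and ends outside the visible lines.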
 

drivers/media/video/msm/sensors/msm_sensor.c

 	int32_t rc = 0;
 	struct msm_camera_sensor_info *data = s_ctrl->sensordata;
 	CDBG("%s: %d\n", __func__, __LINE__);
-	s_ctrl->reg_ptr = kzalloc(sizeof(struct regulator *)
-			* data->sensor_platform_info->num_vreg, GFP_KERNEL);
 	if (!s_ctrl->reg_ptr) {
-		pr_err("%s: could not allocate mem for regulators\n",
-			__func__);
-		return -ENOMEM;
+		s_ctrl->reg_ptr = kzalloc(sizeof(struct regulator *)
+				* data->sensor_platform_info->num_vreg, GFP_KERNEL);
+		if (!s_ctrl->reg_ptr) {
+			pr_err("%s: could not allocate mem for regulators\n",
+				__func__);
+			return -ENOMEM;
+		}
 	}
 
 	rc = msm_camera_request_gpio_table(data, 1);
 		s_ctrl->reg_ptr, 0);
 	msm_camera_request_gpio_table(data, 0);
 	kfree(s_ctrl->reg_ptr);
+	s_ctrl->reg_ptr = NULL;
 	return 0;
 }
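Review bot: With the new `if (!s_ctrl->reg_ptr)` guard, any non-NULL `reg_ptr` is treated as a live array, so every path that frees it must also clear it. The power-down lines do, but the failure paths of the power-up function are outside the visible lines. If one of them calls `kfree(s_ctrl->reg_ptr)` without `s_ctrl->reg_ptr = NULL;`, the next power-up would skip the allocation and reuse freed memory. Separately, the size is an open-coded multiplication; `kcalloc(data->sensor_platform_info->num_vreg, sizeof(struct regulator *), GFP_KERNEL)` yields the same zeroed array with an overflow check.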
 

drivers/media/video/msm/server/msm_cam_server.c

 		isp_event =
 			(struct msm_isp_event_ctrl *)
 			qcmd->command;
-		if (isp_event->isp_data.ctrl.value != NULL)
+		if (isp_event->isp_data.ctrl.value != NULL) {
 			kfree(isp_event->isp_data.ctrl.value);
+			isp_event->isp_data.ctrl.value = NULL;
+		}
 		kfree(qcmd->command);
+		qcmd->command = NULL;
 		free_qcmd(qcmd);
 	}
 	spin_unlock_irqrestore(&queue->lock, flags);
 	out->value = value;
 
 	kfree(ctrlcmd);
+	rcmd->command = NULL;
 	free_qcmd(rcmd);
 	D("%s: rc %d\n", __func__, rc);
 	/* rc is the time elapsed. */
 		}
 		k_isp_event = (struct msm_isp_event_ctrl *)
 				event_cmd->command;
-		free_qcmd(event_cmd);
 
 		/* Save the pointer of the user allocated command buffer*/
 		u_ctrl_value = u_isp_event.isp_data.ctrl.value;
 				pr_err("%s Copy to user failed for cmd %d",
 					__func__, cmd);
 				kfree(k_isp_event->isp_data.ctrl.value);
+				k_isp_event->isp_data.ctrl.value = NULL;
 				kfree(k_isp_event);
+				event_cmd->command = NULL;
+				free_qcmd(event_cmd);
 				rc = -EINVAL;
 				mutex_unlock(&g_server_dev.server_queue_lock);
 				break;
 			}
 			kfree(k_isp_event->isp_data.ctrl.value);
+			k_isp_event->isp_data.ctrl.value = NULL;
 		}
 		if (copy_to_user((void __user *)ioctl_ptr->ioctl_ptr,
 			&u_isp_event, sizeof(struct msm_isp_event_ctrl))) {
 			pr_err("%s Copy to user failed for cmd %d",
 				__func__, cmd);
 			kfree(k_isp_event);
+			event_cmd->command = NULL;
+			free_qcmd(event_cmd);
 			mutex_unlock(&g_server_dev.server_queue_lock);
 			rc = -EINVAL;
 			return rc;
 		}
 		kfree(k_isp_event);
+		event_cmd->command = NULL;
+		free_qcmd(event_cmd);
 		mutex_unlock(&g_server_dev.server_queue_lock);
 		rc = 0;
 		break;
 	out->value = value;
 
 	kfree(ctrlcmd);
+	rcmd->command = NULL;
 	free_qcmd(rcmd);
 	D("%s: rc %d\n", __func__, rc);
 	/* rc is the time elapsed. */
 							k_msg_value,
 					 k_isp_event->isp_data.isp_msg.len)) {
 						rc = -EINVAL;
-						break;
+						ERR_COPY_TO_USER();
 					}
 					kfree(k_msg_value);
-					k_msg_value = NULL;
+					k_isp_event->isp_data.isp_msg.len = 0;
+					k_isp_event->isp_data.isp_msg.data = NULL;
 				}
 			}
 		}
 				(void *)&u_isp_event, sizeof(
 				struct msm_isp_event_ctrl))) {
 			rc = -EINVAL;
-			break;
+			ERR_COPY_TO_USER();
 		}
 		kfree(k_isp_event);
-		k_isp_event = NULL;
+		*((uint32_t *)ev.u.data) = 0;
+
+		if (rc < 0)
+			break;
 
 		/* Copy the v4l2_event structure back to the user*/
 		if (copy_to_user((void __user *)arg, &ev,
 				sizeof(struct v4l2_event))) {
 			rc = -EINVAL;
+			ERR_COPY_TO_USER();
 			break;
 		}
 		}
 			(*((uint32_t *)ev.u.data));
 		if (isp_event) {
 			if (isp_event->isp_data.isp_msg.len != 0 &&
-				isp_event->isp_data.isp_msg.data != NULL)
+				isp_event->isp_data.isp_msg.data != NULL) {
 				kfree(isp_event->isp_data.isp_msg.data);
+				isp_event->isp_data.isp_msg.len = 0;
+				isp_event->isp_data.isp_msg.data = NULL;
+			}
 			kfree(isp_event);
+			*((uint32_t *)ev.u.data) = 0;
 		}
 	}
 	return 0;
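Review bot: Moving `free_qcmd(event_cmd)` from directly after the dequeue to the individual exits means every exit in between must now release both `k_isp_event` and `event_cmd`. The three visible exits do, but any early `return` or `break` outside the visible lines would now leak both. The sequence `kfree(k_isp_event); event_cmd->command = NULL; free_qcmd(event_cmd);` plus the mutex unlock is repeated three times and would be safer behind one exit label. In the later lines, zeroing `*((uint32_t *)ev.u.data)` before `copy_to_user()` keeps the freed kernel pointer out of the event returned to user space. The slot appears to carry that pointer as a 32-bit value, though, which only round-trips on a 32-bit kernel and deserves a comment saying so.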

drivers/media/video/msm/vfe/msm_vfe32.c

 	void *data;
 
 	long rc = 0;
-	struct vfe_cmd_stats_buf *scfg = NULL;
-	struct vfe_cmd_stats_ack *sack = NULL;
 
 	if (!vfe32_ctrl->share_ctrl->vfebase) {
 		pr_err("%s: base address unmapped\n", __func__);
 						__func__, cmd->cmd_type);
 					return -EFAULT;
 				}
-				sack = kmalloc(sizeof(struct vfe_cmd_stats_ack),
-							GFP_ATOMIC);
-				if (!sack) {
-					pr_err("%s: no mem for cmd->cmd_type = %d",
-					 __func__, cmd->cmd_type);
-					return -ENOMEM;
-				}
-				sack->nextStatsBuf = *(uint32_t *)data;
 			}
 		}
 	}
 			(cmd->cmd_type == CMD_STATS_RS_ENABLE)    ||
 			(cmd->cmd_type == CMD_STATS_CS_ENABLE)    ||
 			(cmd->cmd_type == CMD_STATS_AEC_ENABLE)) {
-				scfg = NULL;
 				/* individual */
 				goto vfe32_config_done;
 		}
 	break;
 	}
 vfe32_config_done:
-	kfree(scfg);
-	kfree(sack);
 	CDBG("%s done: rc = %d\n", __func__, (int) rc);
 	return rc;
 }

drivers/media/video/msm/vfe/msm_vfe_stats_buf.c

 		} else {
 			/* good case. need to de-reqbuf */
 			kfree(stats_ctrl->bufq[idx]->bufs);
+			stats_ctrl->bufq[idx]->bufs = NULL;
 			kfree(stats_ctrl->bufq[idx]);
 			stats_ctrl->bufq[idx] = NULL;
 			goto end;
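Review bot: The added `stats_ctrl->bufq[idx]->bufs = NULL;` is a dead store, because the object holding `bufs` is freed on the next line and the slot `stats_ctrl->bufq[idx]` is cleared right after. It does no harm, but it reads as if `bufq[idx]` outlived this branch. Dropping it, or replacing it with a short comment such as `/* bufq[idx] itself is freed and cleared below */`, keeps the intent clear. The enclosing function starts and ends outside the visible lines.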