Re: [PATCH] platform/x86/intel/tpmi: Fix memory leak in mem_write() error path
From: Ilpo Järvinen
Date: Tue May 19 2026 - 10:46:46 EST
On Tue, 19 May 2026, ZhaoJinming wrote:
> In mem_write(), when the IS_ALIGNED() check fails, the function returns
> -EINVAL directly without freeing the 'array' allocated by
> parse_int_array_user(). This causes a memory leak.
>
> Other error paths in the same function correctly use 'goto exit_write'
> to free the array before returning. Fix this inconsistency by using
> the same pattern for the alignment check.
>
> Fixes: 8e0a2fc68ec3 ("platform/x86/intel/tpmi: Use 32 bit aligned address for debugfs mem write")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: ZhaoJinming <zhaojinming@xxxxxxxxxxxxx>
> ---
> drivers/platform/x86/intel/vsec_tpmi.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/platform/x86/intel/vsec_tpmi.c b/drivers/platform/x86/intel/vsec_tpmi.c
> index 16fd7aa41f20..2a428bfcb209 100644
> --- a/drivers/platform/x86/intel/vsec_tpmi.c
> +++ b/drivers/platform/x86/intel/vsec_tpmi.c
> @@ -495,8 +495,10 @@ static ssize_t mem_write(struct file *file, const char __user *userbuf, size_t l
> addr = array[2];
> value = array[3];
>
> - if (!IS_ALIGNED(addr, sizeof(u32)))
> - return -EINVAL;
> + if (!IS_ALIGNED(addr, sizeof(u32))) {
> + ret = -EINVAL;
> + goto exit_write;
> + }
>
> if (punit >= pfs->pfs_header.num_entries) {
> ret = -EINVAL;
Hi,
Thanks for finding this problem. This function looks a prime candidate for
cleanup.h conversion.
Please do this with a 2 patch series. The first patch converts kfree() to
__free() and moves array declaration next to parse_int_array_user() (as
instructed by the long comment in cleanup.h) and has fixes tag. The second
patch should converyt the mutex lock/unlock to guard and doesn't need
fixes tag. This way, we get rid of all gotos here.
--
i.