Re: [PATCH] staging: media: atomisp: fix map and vmap leaks in stat buffer allocation

Next message: Tomi Valkeinen: "Re: [PATCH 1/6] drm/connector: report IRQ_HPD events to drm_connector_oob_hotplug_event()"
Previous message: Barry Song: "Re: [RFC PATCH] zram: support asynchronous GC for lazy slot freeing"
In reply to: Huihui Huang: "[PATCH] staging: media: atomisp: fix map and vmap leaks in stat buffer allocation"
Next in thread: Huihui Huang: "[PATCH v2] staging: media: atomisp: fix map and vmap leaks in stat buffer allocation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andy Shevchenko

Date: Thu Apr 16 2026 - 04:14:33 EST

On Thu, Apr 16, 2026 at 03:27:31PM +0800, Huihui Huang wrote:
> Our code analyzer reported memory leaks in
> drivers/staging/media/atomisp/pci/atomisp_compat_css20.c.
>
> In atomisp_css_allocate_stat_buffers(), s3a_map is allocated by
> ia_css_isp_3a_statistics_map_allocate() and its backing memory is
> mapped via hmm_vmap(). When dis_buf allocation fails, the error path
> frees s3a_data but does not unmap or free s3a_map. Similarly, when
> md_buf allocation fails, neither s3a_map nor dvs_map (and their hmm
> vmaps) are freed.

> My patch adds the missing hmm_vunmap() and map free calls on both
> error paths, matching the cleanup order used in
> atomisp_css_free_3a_buffer() and atomisp_css_free_dis_buffer().

Imperative mood.

...

> dev_err(isp->dev, "dvs buf allocation failed.\n");
> - if (s3a_buf)
> + if (s3a_buf) {
> + hmm_vunmap(s3a_buf->s3a_data->data_ptr);
> + ia_css_isp_3a_statistics_map_free(s3a_buf->s3a_map);
> + s3a_buf->s3a_map = NULL;

Are these NULLifications needed? It sounds like it tries to paper over some
potential UAF cases. Is there any possibility to access s3a_map at this point?

> ia_css_isp_3a_statistics_free(s3a_buf->s3a_data);
> + }

--
With Best Regards,
Andy Shevchenko