If loading the HS bootloader blob fails, nvkm_falcon_fw_ctor_hs() returns
immediately. This skips the common cleanup path and leaks the firmware
state allocated by nvkm_falcon_fw_ctor() and nvkm_falcon_fw_sign().
Fix this by routing the load failure to the 'done' label so
nvkm_falcon_fw_dtor() can properly clean up the partially initialized
state. Also clear the original 'blob' pointer after releasing it so the
final nvkm_firmware_put() remains balanced after a failed bootloader
reload.

The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still present in
v7.1-rc6.

An x86_64 allyesconfig build showed no new warnings. As we do not have a
supported NVIDIA GPU with the required firmware to test this path, no
runtime testing could be performed.
Fixes: 2541626cfb79 ("drm/nouveau/acr: use common falcon HS FW code for ACR FWs")
Cc: [email protected]
Signed-off-by: Zilin Guan <[email protected]>
Signed-off-by: Dawei Feng <[email protected]>
---
drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c
b/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c
index 4e8b3f1c7e25..71f55c5b0837 100644
--- a/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c
+++ b/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c
@@ -278,10 +278,11 @@ nvkm_falcon_fw_ctor_hs(const struct nvkm_falcon_fw_func
*func, const char *name,
if (bl) {
nvkm_firmware_put(blob);
+ blob = NULL;
ret = nvkm_firmware_load_name(subdev, bl, "", ver, &blob);
if (ret)
- return ret;
+ goto done;
hdr = nvfw_bin_hdr(subdev, blob->data);
desc = nvfw_bl_desc(subdev, blob->data + hdr->header_offset);
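Review bot: the `goto done` on the failed bootloader reload is only safe if the `done` path's `nvkm_firmware_put(blob)` tolerates `blob == NULL`, and that path is not visible in this hunk; please confirm that `nvkm_firmware_put()` (or the `release_firmware()` it wraps) accepts a NULL pointer, and consider stating in the commit message that `blob = NULL` exists precisely so the cleanup label neither double-releases the already-put HS blob nor releases a pointer that `nvkm_firmware_load_name()` may have left untouched on error. With that confirmed, the change itself looks correct: `ret` is set before the jump, so `done` returns the load error while `nvkm_falcon_fw_dtor()` reclaims the state from `nvkm_falcon_fw_ctor()` and `nvkm_falcon_fw_sign()`.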
--
2.34.1