From ef72484b785ec7462a0415afea679d08b864c7fb Mon Sep 17 00:00:00 2001 From: Antonio Borneo Date: Wed, 26 May 2010 10:04:03 +0800 Subject: NOR/CFI: fix memory leak; check malloc return value Every time command "flash probe #" is executed, memory structures are re-allocated without preventive free() of former areas, causing memory leak. Also, memory allocation does not check return value, determining segmentation fault in case of out of memory. Signed-off-by: Antonio Borneo Signed-off-by: Spencer Oliver --- src/flash/nor/cfi.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 48 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/flash/nor/cfi.c b/src/flash/nor/cfi.c index b19b9458..8c1aacad 100644 --- a/src/flash/nor/cfi.c +++ b/src/flash/nor/cfi.c @@ -355,8 +355,17 @@ static int cfi_read_intel_pri_ext(struct flash_bank *bank) { int retval; struct cfi_flash_bank *cfi_info = bank->driver_priv; - struct cfi_intel_pri_ext *pri_ext = malloc(sizeof(struct cfi_intel_pri_ext)); + struct cfi_intel_pri_ext *pri_ext; + if (cfi_info->pri_ext) + free(cfi_info->pri_ext); + + pri_ext = malloc(sizeof(struct cfi_intel_pri_ext)); + if (pri_ext == NULL) + { + LOG_ERROR("Out of memory"); + return ERROR_FAIL; + } cfi_info->pri_ext = pri_ext; pri_ext->pri[0] = cfi_query_u8(bank, 0, cfi_info->pri_addr + 0); @@ -413,8 +422,17 @@ static int cfi_read_spansion_pri_ext(struct flash_bank *bank) { int retval; struct cfi_flash_bank *cfi_info = bank->driver_priv; - struct cfi_spansion_pri_ext *pri_ext = malloc(sizeof(struct cfi_spansion_pri_ext)); + struct cfi_spansion_pri_ext *pri_ext; + if (cfi_info->pri_ext) + free(cfi_info->pri_ext); + + pri_ext = malloc(sizeof(struct cfi_spansion_pri_ext)); + if (pri_ext == NULL) + { + LOG_ERROR("Out of memory"); + return ERROR_FAIL; + } cfi_info->pri_ext = pri_ext; pri_ext->pri[0] = cfi_query_u8(bank, 0, cfi_info->pri_addr + 0); @@ -476,7 +494,17 @@ static int cfi_read_atmel_pri_ext(struct flash_bank *bank) int retval; struct cfi_atmel_pri_ext atmel_pri_ext; struct cfi_flash_bank *cfi_info = bank->driver_priv; - struct cfi_spansion_pri_ext *pri_ext = malloc(sizeof(struct cfi_spansion_pri_ext)); + struct cfi_spansion_pri_ext *pri_ext; + + if (cfi_info->pri_ext) + free(cfi_info->pri_ext); + + pri_ext = malloc(sizeof(struct cfi_spansion_pri_ext)); + if (pri_ext == NULL) + { + LOG_ERROR("Out of memory"); + return ERROR_FAIL; + } /* ATMEL devices use the same CFI primary command set (0x2) as AMD/Spansion, * but a different primary extended query table. @@ -644,6 +672,8 @@ FLASH_BANK_COMMAND_HANDLER(cfi_flash_bank_command) cfi_info = malloc(sizeof(struct cfi_flash_bank)); cfi_info->probed = 0; + cfi_info->erase_region_info = 0; + cfi_info->pri_ext = NULL; bank->driver_priv = cfi_info; cfi_info->write_algorithm = NULL; @@ -1426,6 +1456,11 @@ static int cfi_spansion_write_block(struct flash_bank *bank, uint8_t *buffer, ui /* convert bus-width dependent algorithm code to correct endiannes */ target_code = malloc(target_code_size); + if (target_code == NULL) + { + LOG_ERROR("Out of memory"); + return ERROR_FAIL; + } cfi_fix_code_endian(target, target_code, target_code_src, target_code_size / 4); /* allocate working area */ @@ -2099,6 +2134,16 @@ static int cfi_probe(struct flash_bank *bank) } cfi_info->probed = 0; + if (bank->sectors) + { + free(bank->sectors); + bank->sectors = NULL; + } + if(cfi_info->erase_region_info) + { + free(cfi_info->erase_region_info); + cfi_info->erase_region_info = NULL; + } /* JEDEC standard JESD21C uses 0x5555 and 0x2aaa as unlock addresses, * while CFI compatible AMD/Spansion flashes use 0x555 and 0x2aa -- cgit v1.2.3