The function load_timings_from_dt() directly assigns the result of krealloc() to tegra->timings, which causes a memory leak when krealloc() fails. When krealloc() returns NULL, the original pointer is lost, making it impossible to free the previously allocated memory.

This fix uses a temporary variable to store the krealloc() result and only updates tegra->timings after successful allocation, preserving the original pointer in case of failure.

Fixes: 888ca40e2843 ("clk: tegra: emc: Support multiple RAM codes") Cc: stable@vger.kernel.org Signed-off-by: Wentao Liang vulab@iscas.ac.cn --- drivers/clk/tegra/clk-tegra124-emc.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/clk/tegra/clk-tegra124-emc.c b/drivers/clk/tegra/clk-tegra124-emc.c index 2a6db0434281..ed4972fa6dab 100644 --- a/drivers/clk/tegra/clk-tegra124-emc.c +++ b/drivers/clk/tegra/clk-tegra124-emc.c @@ -444,6 +444,7 @@ static int load_timings_from_dt(struct tegra_clk_emc *tegra, u32 ram_code) { struct emc_timing *timings_ptr; + struct emc_timing *new_timings; struct device_node *child; int child_count = of_get_child_count(node); int i = 0, err; @@ -451,10 +452,15 @@ static int load_timings_from_dt(struct tegra_clk_emc *tegra,

size = (tegra->num_timings + child_count) * sizeof(struct emc_timing);

- tegra->timings = krealloc(tegra->timings, size, GFP_KERNEL); - if (!tegra->timings) + new_timings = krealloc(tegra->timings, size, GFP_KERNEL); + if (!new_timings) { + kfree(tegra->timings); + tegra->timings = NULL; + tegra->num_timings = 0; return -ENOMEM; + }

+ tegra->timings = new_timings; timings_ptr = tegra->timings + tegra->num_timings; tegra->num_timings += child_count;