From: Simon Glass <sjg@chromium.org> When bootflow_check() fails during scanning, bflow->name and other fields allocated by bootdev_find_in_blk() are not freed before the next iteration overwrites them. This causes a memory leak of about 1.2 MB across ~7,280 iterations in a typical sandbox test run. Add bootflow_free() calls in bootflow_scan_first() and bootflow_scan_next() to release the failed bootflow's resources before retrying. Place the free after the BOOTFLOWIF_ALL early return so that callers requesting all bootflows still receive the populated bflow. The subsequent bootflow_check() reinitialises the bflow via bootflow_init(), so there is no use-after-free risk. Signed-off-by: Simon Glass <sjg@chromium.org> --- boot/bootflow.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/boot/bootflow.c b/boot/bootflow.c index 0511d7f6cb8..befe507af96 100644 --- a/boot/bootflow.c +++ b/boot/bootflow.c @@ -660,6 +660,7 @@ int bootflow_scan_first(struct udevice *dev, const char *label, return log_msg_ret("all", ret); } iter->err = ret; + bootflow_free(bflow); ret = bootflow_scan_next(iter, bflow); if (ret) return log_msg_ret("get", ret); @@ -693,6 +694,7 @@ int bootflow_scan_next(struct bootflow_iter *iter, struct bootflow *bflow) if (iter->flags & BOOTFLOWIF_ALL) return log_msg_ret("all", ret); } + bootflow_free(bflow); } else { log_debug("incr failed, err=%d\n", ret); iter->err = ret; -- 2.43.0
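Review bot: the new bootflow_free(bflow) ahead of ret = bootflow_scan_next(iter, bflow) in bootflow_scan_first() depends on bootflow_free() leaving bflow safe to hand back: if the very next iteration step fails (the "incr failed" else-branch visible in the second hunk), bootflow_scan_next() returns without bootflow_check() running bootflow_init(), so the caller gets a bflow whose fields were just released, and a later bootflow_free() by that caller would release them a second time unless bootflow_free() NULLs the pointers it frees. Worth confirming that property of bootflow_free() (or clearing bflow right after the free) and saying so in the commit message, which currently rests the no-use-after-free argument on bootflow_check() alone.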
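Review bot: the added bootflow_free(bflow) in bootflow_scan_next() carries none of the ordering rationale from the commit message, so nothing in the code stops a later cleanup from hoisting it above the BOOTFLOWIF_ALL early return; a one-line comment such as `/* BOOTFLOWIF_ALL callers keep the failed bflow; otherwise release it before retrying */` would pin that down. The patch also adds no test even though the message quantifies the leak (about 1.2 MB over ~7,280 sandbox iterations); a sandbox check that the memory stays flat across a scan with repeated bootflow_check() failures would cover both this free and the one in bootflow_scan_first().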