drivers/video/pnx4008: eliminate double free
Author: Julia Lawall <julia@diku.dk>
The function framebuffer_release just calls kfree, so calling kfree
subsequently on the same argument represents a double free. The comments with
the definition of framebuffer_release in drivers/video/fbsysfs.c suggest that
a more elaborate definition of this function is planned, such that the
splitting up of framebuffer_release and kfree as done in the second instance
might someday make sense, but it does not make sense now.
This was found using the following semantic match.
(http://www.emn.fr/x-info/coccinelle/)
//
@@
expression E;
@@
* kfree(E);
...
* framebuffer_release(E);
@@
expression E;
@@
* framebuffer_release(E);
...
* kfree(E);
//
Signed-off-by: Julia Lawall
Cc: Vitaly Wool
Cc: Krzysztof Helt
Cc: Grigory Tolstolytkin
Cc: Antonino Daplas
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
---
drivers/video/pnx4008/pnxrgbfb.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/drivers/video/pnx4008/pnxrgbfb.c b/drivers/video/pnx4008/pnxrgbfb.c
index 685761a..4db6b48 100644
--- a/drivers/video/pnx4008/pnxrgbfb.c
+++ b/drivers/video/pnx4008/pnxrgbfb.c
@@ -100,7 +100,6 @@ static int rgbfb_remove(struct platform_device *pdev)
fb_dealloc_cmap(&info->cmap);
framebuffer_release(info);
platform_set_drvdata(pdev, NULL);
- kfree(info);
}
pnx4008_free_dum_channel(channel_owned, pdev->id);
@@ -168,23 +167,21 @@ static int __devinit rgbfb_probe(struct platform_device *pdev)
ret = fb_alloc_cmap(&info->cmap, 256, 0);
if (ret < 0)
- goto err2;
+ goto err1;
ret = register_framebuffer(info);
if (ret < 0)
- goto err3;
+ goto err2;
platform_set_drvdata(pdev, info);
return 0;
-err3:
- fb_dealloc_cmap(&info->cmap);
err2:
- framebuffer_release(info);
+ fb_dealloc_cmap(&info->cmap);
err1:
pnx4008_free_dum_channel(channel_owned, pdev->id);
err0:
- kfree(info);
+ framebuffer_release(info);
err:
return ret;
} |
---
drivers/video/pnx4008/pnxrgbfb.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/drivers/video/pnx4008/pnxrgbfb.c b/drivers/video/pnx4008/pnxrgbfb.c
index 685761a..4db6b48 100644
--- a/drivers/video/pnx4008/pnxrgbfb.c
+++ b/drivers/video/pnx4008/pnxrgbfb.c
@@ -100,7 +100,6 @@ static int rgbfb_remove(struct platform_device *pdev)
fb_dealloc_cmap(&info->cmap);
framebuffer_release(info);
platform_set_drvdata(pdev, NULL);
- kfree(info);
}
pnx4008_free_dum_channel(channel_owned, pdev->id);
@@ -168,23 +167,21 @@ static int __devinit rgbfb_probe(struct platform_device *pdev)
ret = fb_alloc_cmap(&info->cmap, 256, 0);
if (ret < 0)
- goto err2;
+ goto err1;
ret = register_framebuffer(info);
if (ret < 0)
- goto err3;
+ goto err2;
platform_set_drvdata(pdev, info);
return 0;
-err3:
- fb_dealloc_cmap(&info->cmap);
err2:
- framebuffer_release(info);
+ fb_dealloc_cmap(&info->cmap);
err1:
pnx4008_free_dum_channel(channel_owned, pdev->id);
err0:
- kfree(info);
+ framebuffer_release(info);
err:
return ret;
}