diff options
author | Julia Lawall <julia@diku.dk> | 2008-05-12 14:02:16 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-05-13 08:02:24 -0700 |
commit | 7a6278e5e4bce72ace681ae3cf48209fb63a5420 (patch) | |
tree | ba1aba392096d9cffdb53a13d69cef225c2ec044 | |
parent | 5aecd559871d23a3cc297e544c9d63f0b8441cf4 (diff) | |
download | op-kernel-dev-7a6278e5e4bce72ace681ae3cf48209fb63a5420.zip op-kernel-dev-7a6278e5e4bce72ace681ae3cf48209fb63a5420.tar.gz |
drivers/video/pnx4008: eliminate double free
The function framebuffer_release just calls kfree, so calling kfree
subsequently on the same argument represents a double free. The comments with
the definition of framebuffer_release in drivers/video/fbsysfs.c suggest that
a more elaborate definition of this function is planned, such that the
splitting up of framebuffer_release and kfree as done in the second instance
might someday make sense, but it does not make sense now.
This was found using the following semantic match.
(http://www.emn.fr/x-info/coccinelle/)
// <smpl>
@@
expression E;
@@
* kfree(E);
...
* framebuffer_release(E);
@@
expression E;
@@
* framebuffer_release(E);
...
* kfree(E);
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Cc: Vitaly Wool <vitalywool@gmail.com>
Cc: Krzysztof Helt <krzysztof.h1@wp.pl>
Cc: Grigory Tolstolytkin <gtolstolytkin@ru.mvista.com>
Cc: Antonino Daplas <adaplas@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | drivers/video/pnx4008/pnxrgbfb.c | 11 |
1 files changed, 4 insertions, 7 deletions
diff --git a/drivers/video/pnx4008/pnxrgbfb.c b/drivers/video/pnx4008/pnxrgbfb.c index 685761a..4db6b48 100644 --- a/drivers/video/pnx4008/pnxrgbfb.c +++ b/drivers/video/pnx4008/pnxrgbfb.c @@ -100,7 +100,6 @@ static int rgbfb_remove(struct platform_device *pdev) fb_dealloc_cmap(&info->cmap); framebuffer_release(info); platform_set_drvdata(pdev, NULL); - kfree(info); } pnx4008_free_dum_channel(channel_owned, pdev->id); @@ -168,23 +167,21 @@ static int __devinit rgbfb_probe(struct platform_device *pdev) ret = fb_alloc_cmap(&info->cmap, 256, 0); if (ret < 0) - goto err2; + goto err1; ret = register_framebuffer(info); if (ret < 0) - goto err3; + goto err2; platform_set_drvdata(pdev, info); return 0; -err3: - fb_dealloc_cmap(&info->cmap); err2: - framebuffer_release(info); + fb_dealloc_cmap(&info->cmap); err1: pnx4008_free_dum_channel(channel_owned, pdev->id); err0: - kfree(info); + framebuffer_release(info); err: return ret; } |