提交 7a6278e5 编写于 作者: J Julia Lawall 提交者: Linus Torvalds

drivers/video/pnx4008: eliminate double free

The function framebuffer_release just calls kfree, so calling kfree
subsequently on the same argument represents a double free.  The comments with
the definition of framebuffer_release in drivers/video/fbsysfs.c suggest that
a more elaborate definition of this function is planned, such that the
splitting up of framebuffer_release and kfree as done in the second instance
might someday make sense, but it does not make sense now.

This was found using the following semantic match.
(http://www.emn.fr/x-info/coccinelle/)

// <smpl>
@@
expression E;
@@

* kfree(E);
...
* framebuffer_release(E);

@@
expression E;
@@

* framebuffer_release(E);
...
* kfree(E);
// </smpl>
Signed-off-by: NJulia Lawall <julia@diku.dk>
Cc: Vitaly Wool <vitalywool@gmail.com>
Cc: Krzysztof Helt <krzysztof.h1@wp.pl>
Cc: Grigory Tolstolytkin <gtolstolytkin@ru.mvista.com>
Cc: Antonino Daplas <adaplas@gmail.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
上级 5aecd559
......@@ -100,7 +100,6 @@ static int rgbfb_remove(struct platform_device *pdev)
fb_dealloc_cmap(&info->cmap);
framebuffer_release(info);
platform_set_drvdata(pdev, NULL);
kfree(info);
}
pnx4008_free_dum_channel(channel_owned, pdev->id);
......@@ -168,23 +167,21 @@ static int __devinit rgbfb_probe(struct platform_device *pdev)
ret = fb_alloc_cmap(&info->cmap, 256, 0);
if (ret < 0)
goto err2;
goto err1;
ret = register_framebuffer(info);
if (ret < 0)
goto err3;
goto err2;
platform_set_drvdata(pdev, info);
return 0;
err3:
fb_dealloc_cmap(&info->cmap);
err2:
framebuffer_release(info);
fb_dealloc_cmap(&info->cmap);
err1:
pnx4008_free_dum_channel(channel_owned, pdev->id);
err0:
kfree(info);
framebuffer_release(info);
err:
return ret;
}
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册