From: Julia Lawall Date: Mon, 12 May 2008 21:02:16 +0000 (-0700) Subject: drivers/video/pnx4008: eliminate double free X-Git-Tag: v2.6.26-rc3~94 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7a6278e5e4bce72ace681ae3cf48209fb63a5420;p=linux-2.6 drivers/video/pnx4008: eliminate double free The function framebuffer_release just calls kfree, so calling kfree subsequently on the same argument represents a double free. The comments with the definition of framebuffer_release in drivers/video/fbsysfs.c suggest that a more elaborate definition of this function is planned, such that the splitting up of framebuffer_release and kfree as done in the second instance might someday make sense, but it does not make sense now. This was found using the following semantic match. (http://www.emn.fr/x-info/coccinelle/) // @@ expression E; @@ * kfree(E); ... * framebuffer_release(E); @@ expression E; @@ * framebuffer_release(E); ... * kfree(E); // Signed-off-by: Julia Lawall Cc: Vitaly Wool Cc: Krzysztof Helt Cc: Grigory Tolstolytkin Cc: Antonino Daplas Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/drivers/video/pnx4008/pnxrgbfb.c b/drivers/video/pnx4008/pnxrgbfb.c index 685761a073..4db6b48a87 100644 --- a/drivers/video/pnx4008/pnxrgbfb.c +++ b/drivers/video/pnx4008/pnxrgbfb.c @@ -100,7 +100,6 @@ static int rgbfb_remove(struct platform_device *pdev) fb_dealloc_cmap(&info->cmap); framebuffer_release(info); platform_set_drvdata(pdev, NULL); - kfree(info); } pnx4008_free_dum_channel(channel_owned, pdev->id); @@ -168,23 +167,21 @@ static int __devinit rgbfb_probe(struct platform_device *pdev) ret = fb_alloc_cmap(&info->cmap, 256, 0); if (ret < 0) - goto err2; + goto err1; ret = register_framebuffer(info); if (ret < 0) - goto err3; + goto err2; platform_set_drvdata(pdev, info); return 0; -err3: - fb_dealloc_cmap(&info->cmap); err2: - framebuffer_release(info); + fb_dealloc_cmap(&info->cmap); err1: pnx4008_free_dum_channel(channel_owned, pdev->id); err0: - kfree(info); + framebuffer_release(info); err: return ret; }