[alsa-devel] [PATCH 1/5] sound/isa/opti9xx/miro.c: eliminate possible double free
From: Julia Lawall Julia.Lawall@lip6.fr
snd_miro_probe is a static function that is only called twice in the file that defines it. At each call site, its argument is freed using snd_card_free. Thus, there is no need for snd_miro_probe to call snd_card_free on its argument on any of its error exit paths.
Because snd_card_free both reads the fields of its argument and kfrees its argments, the results of the second snd_card_free should be unpredictable.
A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/)
// <smpl> @r@ identifier f,free,a; parameter list[n] ps; type T; expression e; @@
f(ps,T a,...) { ... when any when != a = e if(...) { ... free(a); ... return ...; } ... when any }
@@ identifier r.f,r.free; expression x,a; expression list[r.n] xs; @@
* x = f(xs,a,...); if (...) { ... free(a); ... return ...; } // </smpl>
Signed-off-by: Julia Lawall Julia.Lawall@lip6.fr
--- Not tested.
sound/isa/opti9xx/miro.c | 1 - 1 file changed, 1 deletion(-)
diff --git a/sound/isa/opti9xx/miro.c b/sound/isa/opti9xx/miro.c index 3d1afb6..4a7ff4e 100644 --- a/sound/isa/opti9xx/miro.c +++ b/sound/isa/opti9xx/miro.c @@ -1286,7 +1286,6 @@ static int __devinit snd_miro_probe(struct snd_card *card)
error = snd_card_miro_aci_detect(card, miro); if (error < 0) { - snd_card_free(card); snd_printk(KERN_ERR "unable to detect aci chip\n"); return -ENODEV; }
At Sun, 21 Oct 2012 12:52:03 +0200, Julia Lawall wrote:
From: Julia Lawall Julia.Lawall@lip6.fr
snd_miro_probe is a static function that is only called twice in the file that defines it. At each call site, its argument is freed using snd_card_free. Thus, there is no need for snd_miro_probe to call snd_card_free on its argument on any of its error exit paths.
Because snd_card_free both reads the fields of its argument and kfrees its argments, the results of the second snd_card_free should be unpredictable.
A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/)
// <smpl> @r@ identifier f,free,a; parameter list[n] ps; type T; expression e; @@
f(ps,T a,...) { ... when any when != a = e if(...) { ... free(a); ... return ...; } ... when any }
@@ identifier r.f,r.free; expression x,a; expression list[r.n] xs; @@
- x = f(xs,a,...); if (...) { ... free(a); ... return ...; }
// </smpl>
Signed-off-by: Julia Lawall Julia.Lawall@lip6.fr
Thanks, applied.
Takashi
Not tested.
sound/isa/opti9xx/miro.c | 1 - 1 file changed, 1 deletion(-)
diff --git a/sound/isa/opti9xx/miro.c b/sound/isa/opti9xx/miro.c index 3d1afb6..4a7ff4e 100644 --- a/sound/isa/opti9xx/miro.c +++ b/sound/isa/opti9xx/miro.c @@ -1286,7 +1286,6 @@ static int __devinit snd_miro_probe(struct snd_card *card)
error = snd_card_miro_aci_detect(card, miro); if (error < 0) {
snd_card_free(card);
participants (2)
-
Julia Lawall -
Takashi Iwai