From patchwork Wed Apr 1 00:01:04 2009 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexey Klimov X-Patchwork-Id: 648 Return-path: Envelope-to: mchehab@infradead.org Delivery-date: Wed, 01 Apr 2009 00:01:19 +0000 Received: from vger.kernel.org ([209.132.176.167]) by bombadil.infradead.org with esmtp (Exim 4.69 #1 (Red Hat Linux)) id 1LontP-00050i-Iv; Wed, 01 Apr 2009 00:01:19 +0000 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758239AbZDAABT (ORCPT + 1 other); Tue, 31 Mar 2009 20:01:19 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1758305AbZDAABT (ORCPT ); Tue, 31 Mar 2009 20:01:19 -0400 Received: from mu-out-0910.google.com ([209.85.134.189]:51583 "EHLO mu-out-0910.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757634AbZDAABO (ORCPT ); Tue, 31 Mar 2009 20:01:14 -0400 Received: by mu-out-0910.google.com with SMTP id g7so1201210muf.1 for ; Tue, 31 Mar 2009 17:01:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:subject:from:to:cc :content-type:date:message-id:mime-version:x-mailer :content-transfer-encoding; bh=tCF8qsStjIJJ5SaT/6geP1LgtGnZNPk/JVacVqfvMLk=; b=h3WSWJ3FuKdsh5dHVh1pXucrEc7sSPHEYG0BpZsMPPI+t3YbyGKlPVVG0+nFEIC5oV QzbKm8d6Ujv7ZuOQhvZVn7WAQjvgLEaohRV5oDkAHjEQ3yDKtT8gxrt1XaEY6p0t4ZYE NOpt4BW4mI4Ys6ccZcQrh8NqY4Ii4VdFlGyuw= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:from:to:cc:content-type:date:message-id:mime-version :x-mailer:content-transfer-encoding; b=uBLNv1QjqgCzvwBExfOJBzO1H12OfQESjUK6c6KUTYHZ9IiitXl8TzfXtO5dUZlfZB 8L2U3oSI/rElWt1RyM6WQch11g8WJ4q45lrcSUGsgTz9OCtLJmahs8bZkptZC+Xtwg77 TmeKsU2xy4C2NUTzRVMIjiZ10IhszITur/8is= Received: by 10.103.243.9 with SMTP id v9mr2542127mur.5.1238544070882; Tue, 31 Mar 2009 17:01:10 -0700 (PDT) Received: from ?192.168.1.42? (gw.zunet.ru [217.67.117.64]) by mx.google.com with ESMTPS id s10sm12801768muh.22.2009.03.31.17.01.10 (version=SSLv3 cipher=RC4-MD5); Tue, 31 Mar 2009 17:01:10 -0700 (PDT) Subject: [patch review] radio-si470x: fix possible bug with freeing memory order From: Alexey Klimov To: Tobias Lorenz , Douglas Schilling Landgraf Cc: Linux Media Date: Wed, 01 Apr 2009 04:01:04 +0400 Message-Id: <1238544064.6154.38.camel@tux.localhost> Mime-Version: 1.0 X-Mailer: Evolution 2.24.5 Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org Hello, all There is probably bug when cleanup occurs in si470x_usb_driver_probe. We do kmalloc for radio->buffer and when it's fail we kfree(radio->buffer). The same with si470x_get_all_registers() and si470x_get_scratch_page_versions(). When this functions failed we go to err_all and try to free radio->buffer before allocation memory for this. --- Patch fixes cleanup procedure in si470x_usb_driver_probe. Add new label err_video and change order of freeing memory. Signed-off-by: Alexey Klimov -- diff -r 5567e82c34a0 linux/drivers/media/radio/radio-si470x.c --- a/linux/drivers/media/radio/radio-si470x.c Tue Mar 31 07:24:14 2009 -0300 +++ b/linux/drivers/media/radio/radio-si470x.c Wed Apr 01 03:48:31 2009 +0400 @@ -1687,7 +1687,7 @@ /* show some infos about the specific si470x device */ if (si470x_get_all_registers(radio) < 0) { retval = -EIO; - goto err_all; + goto err_video; } printk(KERN_INFO DRIVER_NAME ": DeviceID=0x%4.4hx ChipID=0x%4.4hx\n", radio->registers[DEVICEID], radio->registers[CHIPID]); @@ -1695,7 +1695,7 @@ /* get software and hardware versions */ if (si470x_get_scratch_page_versions(radio) < 0) { retval = -EIO; - goto err_all; + goto err_video; } printk(KERN_INFO DRIVER_NAME ": software version %d, hardware version %d\n", @@ -1728,7 +1728,7 @@ radio->buffer = kmalloc(radio->buf_size, GFP_KERNEL); if (!radio->buffer) { retval = -EIO; - goto err_all; + goto err_video; } /* rds buffer configuration */ @@ -1750,8 +1750,9 @@ return 0; err_all: + kfree(radio->buffer); +err_video: video_device_release(radio->videodev); - kfree(radio->buffer); err_radio: kfree(radio); err_initial: