88pm860x_battery: Eliminate possible references to released resources
authorJulia Lawall <julia.lawall@lip6.fr>
Sun, 6 Jan 2013 20:46:23 +0000 (12:46 -0800)
committerAnton Vorontsov <anton@enomsg.org>
Sun, 6 Jan 2013 20:46:23 +0000 (12:46 -0800)
devm_kzalloc should not be followed by kfree, as this results in a double
free.  The problem was found using the following semantic match
(http://coccinelle.lip6.fr/):

// <smpl>
@@
expression x,e;
@@
x = devm_kzalloc(...)
... when != x = e
?-kfree(x,...);
// </smpl>

Furthermore, in the remove function, the calls to free_irq are moved up to
prevent a possible reference in the interrupt handler to resources freed by
power_supply_unregister.

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Anton Vorontsov <anton@enomsg.org>
drivers/power/88pm860x_battery.c

index 8bc80b05c63c86b17ebe5a9b2c9abbc9ca8e0f9d..d338c1c4e8c8522c88014861a5f93b213e0191d1 100644 (file)
@@ -915,15 +915,13 @@ static int pm860x_battery_probe(struct platform_device *pdev)
        info->irq_cc = platform_get_irq(pdev, 0);
        if (info->irq_cc <= 0) {
                dev_err(&pdev->dev, "No IRQ resource!\n");
-               ret = -EINVAL;
-               goto out;
+               return -EINVAL;
        }
 
        info->irq_batt = platform_get_irq(pdev, 1);
        if (info->irq_batt <= 0) {
                dev_err(&pdev->dev, "No IRQ resource!\n");
-               ret = -EINVAL;
-               goto out;
+               return -EINVAL;
        }
 
        info->chip = chip;
@@ -957,7 +955,7 @@ static int pm860x_battery_probe(struct platform_device *pdev)
 
        ret = power_supply_register(&pdev->dev, &info->battery);
        if (ret)
-               goto out;
+               return ret;
        info->battery.dev->parent = &pdev->dev;
 
        ret = request_threaded_irq(info->irq_cc, NULL,
@@ -984,8 +982,6 @@ out_coulomb:
        free_irq(info->irq_cc, info);
 out_reg:
        power_supply_unregister(&info->battery);
-out:
-       kfree(info);
        return ret;
 }
 
@@ -993,10 +989,9 @@ static int pm860x_battery_remove(struct platform_device *pdev)
 {
        struct pm860x_battery_info *info = platform_get_drvdata(pdev);
 
-       power_supply_unregister(&info->battery);
        free_irq(info->irq_batt, info);
        free_irq(info->irq_cc, info);
-       kfree(info);
+       power_supply_unregister(&info->battery);
        platform_set_drvdata(pdev, NULL);
        return 0;
 }