This code is in a loop that currently is only executed once. Because of
this property, the first block of code is currently actually correct.
Nevertheless, the comments associated with the code suggest that the loop
is planned to take more than one iteration in the future, and thus this
patch is made with that case in mind.
In the first block of code, there is currently an immediate abort from the
function. It is changed to jump to the error handling code at fail, to be
able to unregister and free the resources allocated on previous iterations.
In the second block of code, the input_dev for the current iteration has
been allocated, but has not been registered. It has also not been stored
in ts->cp_input_info[i].input. Thus on jumping to fail, it will not be
freed. In this case, we want to free, but not unregister, so the free for
this most recently allocated resource is put before the jump.
A simplified version of the semantic match that finds this problem is:
(http://coccinelle.lip6.fr/)
// <smpl>
@r exists@
local idexpression struct input_dev * x;
expression ra,rr;
position p1,p2;
@@
x = input_allocate_device@p1(...)
... when != x = rr
when != input_free_device(x,...)
when != if (...) { ... input_free_device(x,...) ...}
if(...) { ... when != x = ra
when forall
when != input_free_device(x,...)
\(return <+...x...+>; \| return@p2...; \) }
@script:python@
p1 << r.p1;
p2 << r.p2;
@@
cocci.print_main("input_allocate_device",p1)
cocci.print_secs("input_free_device",p2)
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
if (input_dev == NULL) {
dev_err(ts->dev,
"cp_tm1217:Input Device Struct alloc failed\n");
- kfree(ts);
- return -ENOMEM;
+ retval = -ENOMEM;
+ goto fail;
}
input_info = &ts->cp_input_info[i];
snprintf(input_info->name, sizeof(input_info->name),
dev_err(ts->dev,
"Input dev registration failed for %s\n",
input_dev->name);
+ input_free_device(input_dev);
goto fail;
}
input_info->input = input_dev;