From: Jesper Juhl Date: Tue, 25 Nov 2008 13:57:30 +0000 (-0300) Subject: [media] rc: Fix double free in gpio_ir_recv_probe() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=e5d85b9ac3133f67460ea5b2d4e33e0473d6eb4b;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git [media] rc: Fix double free in gpio_ir_recv_probe() At the 'err_request_irq' label, rc_unregister_device(rcdev) frees its argument. So when we fall through to the 'err_gpio_request' label further down and call rc_free_device(rcdev) then that's a double free. Fix that by moving 'rcdev = NULL' from after the call to rc_free_device() to after rc_unregister_device(). That fixes the problem since rc_free_device() just does nothing if passed NULL and there's no further use of 'rcdev' after the call to rc_free_device() so it's not needed there. Signed-off-by: Jesper Juhl Signed-off-by: Mauro Carvalho Chehab --- diff --git a/drivers/media/rc/gpio-ir-recv.c b/drivers/media/rc/gpio-ir-recv.c index ba1a1eb356cf..32db5f59fbc3 100644 --- a/drivers/media/rc/gpio-ir-recv.c +++ b/drivers/media/rc/gpio-ir-recv.c @@ -129,12 +129,12 @@ static int __devinit gpio_ir_recv_probe(struct platform_device *pdev) err_request_irq: platform_set_drvdata(pdev, NULL); rc_unregister_device(rcdev); + rcdev = NULL; err_register_rc_device: err_gpio_direction_input: gpio_free(pdata->gpio_nr); err_gpio_request: rc_free_device(rcdev); - rcdev = NULL; err_allocate_device: kfree(gpio_dev); return rc;