From: Julia Lawall
Date: Sun, 21 Oct 2012 10:52:03 +0000 (+0200)
Subject: ALSA: sound/isa/opti9xx/miro.c: eliminate possible double free
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=edb66893860dbc0631afc2807efdb209a03d57a2;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git

ALSA: sound/isa/opti9xx/miro.c: eliminate possible double free

snd_miro_probe is a static function that is only called twice in the file
that defines it. At each call site, its argument is freed using
snd_card_free. Thus, there is no need for snd_miro_probe to call
snd_card_free on its argument on any of its error exit paths.

Because snd_card_free both reads the fields of its argument and kfrees its
arguments, the results of the second snd_card_free should be unpredictable.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

//
@r@
identifier f,free,a;
parameter list[n] ps;
type T;
expression e;
@@

f(ps,T a,...) {
  ... when any
      when != a = e
  if(...) { ... free(a); ... return ...; }
  ... when any
}

@@
identifier r.f,r.free;
expression x,a;
expression list[r.n] xs;
@@

* x = f(xs,a,...);
  if (...) { ... free(a); ... return ...; }
//

Signed-off-by: Julia Lawall
Signed-off-by: Takashi Iwai
---

diff --git a/sound/isa/opti9xx/miro.c b/sound/isa/opti9xx/miro.c index 3d1afb612b35..4a7ff4e8985b 100644 --- a/sound/isa/opti9xx/miro.c +++ b/sound/isa/opti9xx/miro.c @@ -1286,7 +1286,6 @@ static int __devinit snd_miro_probe(struct snd_card *card) error = snd_card_miro_aci_detect(card, miro); if (error < 0) { - snd_card_free(card); snd_printk(KERN_ERR "unable to detect aci chip\n"); return -ENODEV; }
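
Review bot: the ownership rule that makes this removal safe (both callers of snd_miro_probe free card with snd_card_free on failure) is recorded only in the commit message, so a short comment above snd_miro_probe stating that the caller owns and frees card on error would keep a later error path from reintroducing the double free. The message speaks of "any of its error exit paths" while the visible hunk touches only the `if (error < 0)` block after snd_card_miro_aci_detect, so it is worth confirming that no other error exit in the function still calls snd_card_free. As a smaller point, this path returns -ENODEV and discards the value in error; if that is intentional, a brief note would help, otherwise consider `return error;`.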