sound/isa/opti9xx/miro.c · 22e978f1f27dc0c9c20f42f0483d374b7a6d781e · Kirill Smelkov / linux

ALSA: sound/isa/opti9xx/miro.c: eliminate possible double free · edb66893

Julia Lawall authored Oct 21, 2012

snd_miro_probe is a static function that is only called twice in the file
that defines it.  At each call site, its argument is freed using
snd_card_free.  Thus, there is no need for snd_miro_probe to call
snd_card_free on its argument on any of its error exit paths.

Because snd_card_free both reads the fields of its argument and kfrees its
argments, the results of the second snd_card_free should be unpredictable.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@r@
identifier f,free,a;
parameter list[n] ps;
type T;
expression e;
@@

f(ps,T a,...) {
  ... when any
      when != a = e
  if(...) { ... free(a); ... return ...; }
  ... when any
}

@@
identifier r.f,r.free;
expression x,a;
expression list[r.n] xs;
@@

* x = f(xs,a,...);
  if (...) { ... free(a); ... return ...; }
// </smpl>
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

edb66893

miro.c 39.7 KB

Replace miro.c