diff options
author | Julia Lawall <julia@diku.dk> | 2010-03-10 15:20:42 -0800 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2010-03-12 15:52:28 -0800 |
commit | 9b3a6549b2602ca30f58715a0071e29f9898cae9 (patch) | |
tree | 8709822f0018f55a7e542ca9c0755d99f5226b4f /drivers/scsi/ses.c | |
parent | 2d30a1f6315b8940537e8e98882c6038fbac9ba5 (diff) | |
download | kernel_samsung_aries-9b3a6549b2602ca30f58715a0071e29f9898cae9.zip kernel_samsung_aries-9b3a6549b2602ca30f58715a0071e29f9898cae9.tar.gz kernel_samsung_aries-9b3a6549b2602ca30f58715a0071e29f9898cae9.tar.bz2 |
drivers/scsi/ses.c: eliminate double free
The few lines below the kfree of hdr_buf may go to the label err_free
which will also free hdr_buf. The most straightforward solution seems to
be to just move the kfree of hdr_buf after these gotos.
A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)
// <smpl>
@r@
identifier E;
expression E1;
iterator I;
statement S;
@@
*kfree(E);
... when != E = E1
when != I(E,...) S
when != &E
*kfree(E);
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers/scsi/ses.c')
-rw-r--r-- | drivers/scsi/ses.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c index 1d7a878..0d9d6f7 100644 --- a/drivers/scsi/ses.c +++ b/drivers/scsi/ses.c @@ -595,8 +595,6 @@ static int ses_intf_add(struct device *cdev, ses_dev->page10_len = len; buf = NULL; } - kfree(hdr_buf); - scomp = kzalloc(sizeof(struct ses_component) * components, GFP_KERNEL); if (!scomp) goto err_free; @@ -608,6 +606,8 @@ static int ses_intf_add(struct device *cdev, goto err_free; } + kfree(hdr_buf); + edev->scratch = ses_dev; for (i = 0; i < components; i++) edev->component[i].scratch = scomp + i; |