LinuxLists.cc - [PATCH] Double-free in cx23885

2007-10-13 15:00:39

Subject: [PATCH] Double-free in cx23885_initdev

Both cx23885_initdev and cx23885_dev_setup free the device in their
error path so a failure in the latter causes a double-free. Since
cx23885_dev_setup is only called from cx23885_initdev, it should be safe
to remove its deallocation and leave the cleanup up to the allocating
function.

Coverity CID 1922.

Signed-off-by: Florin Malita <[email protected]>
---

drivers/media/video/cx23885/cx23885-core.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/drivers/media/video/cx23885/cx23885-core.c b/drivers/media/video/cx23885/cx23885-core.c
index af16505..3cdd136 100644
--- a/drivers/media/video/cx23885/cx23885-core.c
+++ b/drivers/media/video/cx23885/cx23885-core.c
@@ -793,7 +793,7 @@ static int cx23885_dev_setup(struct cx23885_dev *dev)
dev->pci->subsystem_device);

cx23885_devcount--;
- goto fail_free;
+ return -ENODEV;
}

/* PCIe stuff */
@@ -835,10 +835,6 @@ static int cx23885_dev_setup(struct cx23885_dev *dev)
}

return 0;
-
-fail_free:
- kfree(dev);
- return -ENODEV;
}

void cx23885_dev_unregister(struct cx23885_dev *dev)

2007-10-13 15:46:49

by Steven Toth

[permalink] [raw]

Subject: Re: [PATCH] Double-free in cx23885_initdev [sls][spam-bayes]

Thanks for the patch, much appreciated.

- Steve

Florin Malita wrote:
> Both cx23885_initdev and cx23885_dev_setup free the device in their
> error path so a failure in the latter causes a double-free. Since
> cx23885_dev_setup is only called from cx23885_initdev, it should be safe
> to remove its deallocation and leave the cleanup up to the allocating
> function.
>
> Coverity CID 1922.
>
> Signed-off-by: Florin Malita <[email protected]>
> ---
>
> drivers/media/video/cx23885/cx23885-core.c | 6 +-----
> 1 file changed, 1 insertion(+), 5 deletions(-)
>
> diff --git a/drivers/media/video/cx23885/cx23885-core.c b/drivers/media/video/cx23885/cx23885-core.c
> index af16505..3cdd136 100644
> --- a/drivers/media/video/cx23885/cx23885-core.c
> +++ b/drivers/media/video/cx23885/cx23885-core.c
> @@ -793,7 +793,7 @@ static int cx23885_dev_setup(struct cx23885_dev *dev)
> dev->pci->subsystem_device);
>
> cx23885_devcount--;
> - goto fail_free;
> + return -ENODEV;
> }
>
> /* PCIe stuff */
> @@ -835,10 +835,6 @@ static int cx23885_dev_setup(struct cx23885_dev *dev)
> }
>
> return 0;
> -
> -fail_free:
> - kfree(dev);
> - return -ENODEV;
> }
>
> void cx23885_dev_unregister(struct cx23885_dev *dev)
>
>