summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJulia Lawall <julia@diku.dk>2009-09-11 18:22:27 +0200
committerGreg Kroah-Hartman <gregkh@suse.de>2009-09-15 21:02:34 +0200
commit2bb6a12a88aeac9bab4ed0cf0da1edc03f5eb686 (patch)
tree7d81f9c9d2208af2df80c7fe2d5241c757d40a3f
parentStaging: comedi: addi-data: NULL dereference of amcc in v_pci_card_list_init() (diff)
downloadlinux-2bb6a12a88aeac9bab4ed0cf0da1edc03f5eb686.tar.xz
linux-2bb6a12a88aeac9bab4ed0cf0da1edc03f5eb686.zip
Staging: dream: introduce missing kfree
Error handling code following a kmalloc or kzalloc should free the allocated data. The semantic match that finds the problem is as follows: (http://www.emn.fr/x-info/coccinelle/) // <smpl> @r exists@ local idexpression x; statement S; expression E; identifier f,f1,l; position p1,p2; expression *ptr != NULL; @@ x@p1 = \(kmalloc\|kzalloc\|kcalloc\)(...); ... if (x == NULL) S <... when != x when != if (...) { <+...x...+> } ( x->f1 = E | (x->f1 == NULL || ...) | f(...,x->f1,...) ) ...> ( return \(0\|<+...x...+>\|ptr\); | return@p2 ...; ) @script:python@ p1 << r.p1; p2 << r.p2; @@ print "* file: %s kmalloc %s return %s" % (p1[0].file,p1[0].line,p2[0].line) // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk>
-rw-r--r--drivers/staging/dream/camera/msm_v4l2.c8
-rw-r--r--drivers/staging/dream/camera/msm_vfe8x_proc.c16
2 files changed, 18 insertions, 6 deletions
diff --git a/drivers/staging/dream/camera/msm_v4l2.c b/drivers/staging/dream/camera/msm_v4l2.c
index 46a6eb1cf53f..6a7d46cf11eb 100644
--- a/drivers/staging/dream/camera/msm_v4l2.c
+++ b/drivers/staging/dream/camera/msm_v4l2.c
@@ -521,13 +521,17 @@ static int msm_v4l2_s_fmt_cap(struct file *f,
ctrlcmd->value = pfmt;
ctrlcmd->timeout_ms = 10000;
- if (pfmt->type != V4L2_BUF_TYPE_VIDEO_CAPTURE)
+ if (pfmt->type != V4L2_BUF_TYPE_VIDEO_CAPTURE) {
+ kfree(ctrlcmd);
return -1;
+ }
#if 0
/* FIXEME */
- if (pfmt->fmt.pix.pixelformat != V4L2_PIX_FMT_YVU420)
+ if (pfmt->fmt.pix.pixelformat != V4L2_PIX_FMT_YVU420) {
+ kfree(ctrlcmd);
return -EINVAL;
+ }
#endif
/* Ok, but check other params, too. */
diff --git a/drivers/staging/dream/camera/msm_vfe8x_proc.c b/drivers/staging/dream/camera/msm_vfe8x_proc.c
index 5436f7120018..10aef0e59bab 100644
--- a/drivers/staging/dream/camera/msm_vfe8x_proc.c
+++ b/drivers/staging/dream/camera/msm_vfe8x_proc.c
@@ -967,8 +967,10 @@ vfe_send_af_stats_msg(uint32_t afBufAddress)
/* fill message with right content. */
/* @todo This is causing issues, need further investigate */
/* spin_lock_irqsave(&ctrl->state_lock, flags); */
- if (ctrl->vstate != VFE_STATE_ACTIVE)
+ if (ctrl->vstate != VFE_STATE_ACTIVE) {
+ kfree(msg);
goto af_stats_done;
+ }
msg->_d = VFE_MSG_ID_STATS_AUTOFOCUS;
msg->_u.msgStatsAf.afBuffer = afBufAddress;
@@ -1053,8 +1055,10 @@ static void vfe_send_awb_stats_msg(uint32_t awbBufAddress)
/* fill message with right content. */
/* @todo This is causing issues, need further investigate */
/* spin_lock_irqsave(&ctrl->state_lock, flags); */
- if (ctrl->vstate != VFE_STATE_ACTIVE)
+ if (ctrl->vstate != VFE_STATE_ACTIVE) {
+ kfree(msg);
goto awb_stats_done;
+ }
msg->_d = VFE_MSG_ID_STATS_WB_EXP;
msg->_u.msgStatsWbExp.awbBuffer = awbBufAddress;
@@ -1483,8 +1487,10 @@ static void vfe_send_output2_msg(
/* fill message with right content. */
/* @todo This is causing issues, need further investigate */
/* spin_lock_irqsave(&ctrl->state_lock, flags); */
- if (ctrl->vstate != VFE_STATE_ACTIVE)
+ if (ctrl->vstate != VFE_STATE_ACTIVE) {
+ kfree(msg);
goto output2_msg_done;
+ }
msg->_d = VFE_MSG_ID_OUTPUT2;
@@ -1518,8 +1524,10 @@ static void vfe_send_output1_msg(
/* @todo This is causing issues, need further investigate */
/* spin_lock_irqsave(&ctrl->state_lock, flags); */
- if (ctrl->vstate != VFE_STATE_ACTIVE)
+ if (ctrl->vstate != VFE_STATE_ACTIVE) {
+ kfree(msg);
goto output1_msg_done;
+ }
msg->_d = VFE_MSG_ID_OUTPUT1;
memmove(&(msg->_u),