V4L/DVB (13948): radio: Correct use after free

It is not clear how to share the unlock in the case where the structure containing the lock has to be freed. So the unlock is now duplicated, with one copy moved before the free. The unlock label furthermore is no longer useful and is thus deleted. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ expression x,e; identifier f; iterator I; statement S; @@ *kfree(x); ... when != &x when != x = e when != I(x,...) S *x->f // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
git-mirror · Feb 26, 2010 · ed0ee8e · ed0ee8e
1 parent e057232
commit ed0ee8e
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/drivers/media/radio/si470x/radio-si470x-usb.c b/drivers/media/radio/si470x/radio-si470x-usb.c
@@ -590,8 +590,9 @@ int si470x_fops_release(struct file *file)
 			video_unregister_device(radio->videodev);
 			kfree(radio->int_in_buffer);
 			kfree(radio->buffer);
+			mutex_unlock(&radio->disconnect_lock);
 			kfree(radio);
-			goto unlock;
+			goto done;
 		}
 
 		/* cancel read processes */
@@ -601,7 +602,6 @@ int si470x_fops_release(struct file *file)
 		retval = si470x_stop(radio);
 		usb_autopm_put_interface(radio->intf);
 	}
-unlock:
 	mutex_unlock(&radio->disconnect_lock);
 done:
 	return retval;