* [PATCH 2/2] drivers/mtd/maps/lantiq-flash.c: drop iounmap for devm_ allocated data
@ 2011-12-26 17:38 Julia Lawall
2011-12-27 8:23 ` Artem Bityutskiy
0 siblings, 1 reply; 3+ messages in thread
From: Julia Lawall @ 2011-12-26 17:38 UTC (permalink / raw)
To: David Woodhouse; +Cc: linux-mtd, kernel-janitors, linux-kernel
From: Julia Lawall <julia@diku.dk>
Data allocated with devm_ioremap or devm_ioremap_nocache should not be
freed using iounmap, because doing so causes a dangling pointer, and a
subsequent double free.
The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)
// <smpl>
@r@
expression x;
@@
(
x = devm_ioremap(...)
|
x = devm_ioremap_nocache(...)
)
@@
expression r.x;
@@
* iounmap(x)
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
---
drivers/mtd/maps/lantiq-flash.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/mtd/maps/lantiq-flash.c b/drivers/mtd/maps/lantiq-flash.c
index 4f10e27..7b889de 100644
--- a/drivers/mtd/maps/lantiq-flash.c
+++ b/drivers/mtd/maps/lantiq-flash.c
@@ -159,7 +159,7 @@ ltq_mtd_probe(struct platform_device *pdev)
if (!ltq_mtd->mtd) {
dev_err(&pdev->dev, "probing failed\n");
err = -ENXIO;
- goto err_unmap;
+ goto err_free;
}
ltq_mtd->mtd->owner = THIS_MODULE;
@@ -179,8 +179,6 @@ ltq_mtd_probe(struct platform_device *pdev)
err_destroy:
map_destroy(ltq_mtd->mtd);
-err_unmap:
- iounmap(ltq_mtd->map->virt);
err_free:
kfree(ltq_mtd->map);
err_out:
@@ -198,8 +196,6 @@ ltq_mtd_remove(struct platform_device *pdev)
mtd_device_unregister(ltq_mtd->mtd);
map_destroy(ltq_mtd->mtd);
}
- if (ltq_mtd->map->virt)
- iounmap(ltq_mtd->map->virt);
kfree(ltq_mtd->map);
kfree(ltq_mtd);
}
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH 2/2] drivers/mtd/maps/lantiq-flash.c: drop iounmap for devm_ allocated data
2011-12-26 17:38 [PATCH 2/2] drivers/mtd/maps/lantiq-flash.c: drop iounmap for devm_ allocated data Julia Lawall
@ 2011-12-27 8:23 ` Artem Bityutskiy
2011-12-27 8:36 ` Julia Lawall
0 siblings, 1 reply; 3+ messages in thread
From: Artem Bityutskiy @ 2011-12-27 8:23 UTC (permalink / raw)
To: Julia Lawall; +Cc: kernel-janitors, David Woodhouse, linux-kernel, linux-mtd
[-- Attachment #1: Type: text/plain, Size: 1340 bytes --]
On Mon, 2011-12-26 at 18:38 +0100, Julia Lawall wrote:
> From: Julia Lawall <julia@diku.dk>
>
> Data allocated with devm_ioremap or devm_ioremap_nocache should not be
> freed using iounmap, because doing so causes a dangling pointer, and a
> subsequent double free.
>
> The semantic match that finds this problem is as follows:
> (http://coccinelle.lip6.fr/)
>
> // <smpl>
> @r@
> expression x;
> @@
> (
> x = devm_ioremap(...)
> |
> x = devm_ioremap_nocache(...)
> )
>
> @@
> expression r.x;
> @@
> * iounmap(x)
> // </smpl>
Thanks Julia,
surely this semantic patch script is worth adding to scripts/coccinelle?
Are you going to take care of this?
>
> Signed-off-by: Julia Lawall <julia@diku.dk>
>
> ---
> drivers/mtd/maps/lantiq-flash.c | 6 +-----
> 1 file changed, 1 insertion(+), 5 deletions(-)
>
> diff --git a/drivers/mtd/maps/lantiq-flash.c b/drivers/mtd/maps/lantiq-flash.c
> index 4f10e27..7b889de 100644
> --- a/drivers/mtd/maps/lantiq-flash.c
> +++ b/drivers/mtd/maps/lantiq-flash.c
> @@ -159,7 +159,7 @@ ltq_mtd_probe(struct platform_device *pdev)
> if (!ltq_mtd->mtd) {
> dev_err(&pdev->dev, "probing failed\n");
> err = -ENXIO;
> - goto err_unmap;
> + goto err_free;
> }
Pushed to l2-mtd-2.6.git, thanks!
--
Best Regards,
Artem Bityutskiy
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH 2/2] drivers/mtd/maps/lantiq-flash.c: drop iounmap for devm_ allocated data
2011-12-27 8:23 ` Artem Bityutskiy
@ 2011-12-27 8:36 ` Julia Lawall
0 siblings, 0 replies; 3+ messages in thread
From: Julia Lawall @ 2011-12-27 8:36 UTC (permalink / raw)
To: Artem Bityutskiy
Cc: kernel-janitors, David Woodhouse, linux-kernel, linux-mtd
On Tue, 27 Dec 2011, Artem Bityutskiy wrote:
> On Mon, 2011-12-26 at 18:38 +0100, Julia Lawall wrote:
>> From: Julia Lawall <julia@diku.dk>
>>
>> Data allocated with devm_ioremap or devm_ioremap_nocache should not be
>> freed using iounmap, because doing so causes a dangling pointer, and a
>> subsequent double free.
>>
>> The semantic match that finds this problem is as follows:
>> (http://coccinelle.lip6.fr/)
>>
>> // <smpl>
>> @r@
>> expression x;
>> @@
>> (
>> x = devm_ioremap(...)
>> |
>> x = devm_ioremap_nocache(...)
>> )
>>
>> @@
>> expression r.x;
>> @@
>> * iounmap(x)
>> // </smpl>
>
> Thanks Julia,
>
> surely this semantic patch script is worth adding to scripts/coccinelle?
> Are you going to take care of this?
OK, I will do that.
julia
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2011-12-27 8:55 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-12-26 17:38 [PATCH 2/2] drivers/mtd/maps/lantiq-flash.c: drop iounmap for devm_ allocated data Julia Lawall
2011-12-27 8:23 ` Artem Bityutskiy
2011-12-27 8:36 ` Julia Lawall
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox