| Message ID | 1283595164-29146-1-git-send-email-julia@diku.dk (mailing list archive) |
|---|---|
| State | Not Applicable, archived |
| Delegated to: | Benjamin Herrenschmidt |
| Headers | show |
On Sat, Sep 04, 2010 at 12:12:43PM +0200, Julia Lawall wrote: > In this case, a device_node structure is stored in another structure that > is then freed without first decrementing the reference count of the > device_node structure. > > The semantic match that finds this problem is as follows: > (http://coccinelle.lip6.fr/) > > // <smpl> > @r exists@ > expression x; > identifier f; > position p1,p2; > @@ > > x@p1->f = \(of_find_node_by_path\|of_find_node_by_name\|of_find_node_by_phandle\|of_get_parent\|of_get_next_parent\|of_get_next_child\|of_find_compatible_node\|of_match_node\|of_find_node_by_type\|of_find_node_with_property\|of_find_matching_node\|of_parse_phandle\|of_node_get\)(...); > ... when != of_node_put(x) > kfree@p2(x) > > @script:python@ > p1 << r.p1; > p2 << r.p2; > @@ > cocci.print_main("call",p1) > cocci.print_secs("free",p2) > // </smpl> > > Signed-off-by: Julia Lawall <julia@diku.dk> Acked-by: Wolfram Sang <w.sang@pengutronix.de> > > --- > drivers/net/fs_enet/fs_enet-main.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/net/fs_enet/fs_enet-main.c b/drivers/net/fs_enet/fs_enet-main.c > index d6e3111..d684f18 100644 > --- a/drivers/net/fs_enet/fs_enet-main.c > +++ b/drivers/net/fs_enet/fs_enet-main.c > @@ -1036,7 +1036,7 @@ static int __devinit fs_enet_probe(struct platform_device *ofdev, > ndev = alloc_etherdev(privsize); > if (!ndev) { > ret = -ENOMEM; > - goto out_free_fpi; > + goto out_put; > } > > SET_NETDEV_DEV(ndev, &ofdev->dev); > @@ -1099,6 +1099,7 @@ out_cleanup_data: > out_free_dev: > free_netdev(ndev); > dev_set_drvdata(&ofdev->dev, NULL); > +out_put: > of_node_put(fpi->phy_node); > out_free_fpi: > kfree(fpi); > > _______________________________________________ > devicetree-discuss mailing list > devicetree-discuss@lists.ozlabs.org > https://lists.ozlabs.org/listinfo/devicetree-discuss
From: Julia Lawall <julia@diku.dk> Date: Sat, 4 Sep 2010 12:12:43 +0200 > In this case, a device_node structure is stored in another structure that > is then freed without first decrementing the reference count of the > device_node structure. > > The semantic match that finds this problem is as follows: > (http://coccinelle.lip6.fr/) ... > Signed-off-by: Julia Lawall <julia@diku.dk> Applied.
diff --git a/drivers/net/fs_enet/fs_enet-main.c b/drivers/net/fs_enet/fs_enet-main.c index d6e3111..d684f18 100644 --- a/drivers/net/fs_enet/fs_enet-main.c +++ b/drivers/net/fs_enet/fs_enet-main.c @@ -1036,7 +1036,7 @@ static int __devinit fs_enet_probe(struct platform_device *ofdev, ndev = alloc_etherdev(privsize); if (!ndev) { ret = -ENOMEM; - goto out_free_fpi; + goto out_put; } SET_NETDEV_DEV(ndev, &ofdev->dev); @@ -1099,6 +1099,7 @@ out_cleanup_data: out_free_dev: free_netdev(ndev); dev_set_drvdata(&ofdev->dev, NULL); +out_put: of_node_put(fpi->phy_node); out_free_fpi: kfree(fpi);
In this case, a device_node structure is stored in another structure that is then freed without first decrementing the reference count of the device_node structure. The semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @r exists@ expression x; identifier f; position p1,p2; @@ x@p1->f = \(of_find_node_by_path\|of_find_node_by_name\|of_find_node_by_phandle\|of_get_parent\|of_get_next_parent\|of_get_next_child\|of_find_compatible_node\|of_match_node\|of_find_node_by_type\|of_find_node_with_property\|of_find_matching_node\|of_parse_phandle\|of_node_get\)(...); ... when != of_node_put(x) kfree@p2(x) @script:python@ p1 << r.p1; p2 << r.p2; @@ cocci.print_main("call",p1) cocci.print_secs("free",p2) // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> --- drivers/net/fs_enet/fs_enet-main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)