From: Catalin Marinas Date: Wed, 8 Jul 2009 10:17:40 +0000 (+0100) Subject: Free struct device in fw_dev_release() X-Git-Tag: v2.6.31-rc3~54 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=0f2f2221b4ad816567394a52643963428fd353cd;p=platform%2Fupstream%2Fkernel-adaptation-pc.git Free struct device in fw_dev_release() The f_dev in _request_firmware() is allocated via the fw_setup_device() and fw_register_device() calls and its class set to firmware_class (the class release function is fw_dev_release). Commit 6acf70f078ca replaced the kfree(dev) in fw_dev_release() with a put_device() call but my understanding is that the release function is called via put_device -> kobject_put -> kref_put -> koject_release etc. and it should call kfree since it's the last to see this device structure alive. Because of that, the _request_firmware() function on its -ENOENT error path only calls device_unregister(f_dev) which would eventually call fw_dev_release() but there is no kfree (the subsequent put_device call would just make the kref negative). Signed-off-by: Catalin Marinas Acked-by: Cornelia Huck Acked-by: Ming Lei Signed-off-by: Linus Torvalds --- diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c index ddeb819..fc46653 100644 --- a/drivers/base/firmware_class.c +++ b/drivers/base/firmware_class.c @@ -357,7 +357,7 @@ static void fw_dev_release(struct device *dev) kfree(fw_priv->pages); kfree(fw_priv->fw_id); kfree(fw_priv); - put_device(dev); + kfree(dev); module_put(THIS_MODULE); } @@ -408,13 +408,11 @@ static int fw_register_device(struct device **dev_p, const char *fw_name, if (retval) { dev_err(device, "%s: device_register failed\n", __func__); put_device(f_dev); - goto error_kfree_fw_id; + return retval; } *dev_p = f_dev; return 0; -error_kfree_fw_id: - kfree(fw_priv->fw_id); error_kfree: kfree(f_dev); kfree(fw_priv);