From e5d85b9ac3133f67460ea5b2d4e33e0473d6eb4b Mon Sep 17 00:00:00 2001 From: Jesper Juhl Date: Tue, 25 Nov 2008 10:57:30 -0300 Subject: [PATCH] [media] rc: Fix double free in gpio_ir_recv_probe() At the 'err_request_irq' label, rc_unregister_device(rcdev) frees its argument. So when we fall through to the 'err_gpio_request' label further down and call rc_free_device(rcdev) then that's a double free. Fix that by moving 'rcdev = NULL' from after the call to rc_free_device() to after rc_unregister_device(). That fixes the problem since rc_free_device() just does nothing if passed NULL and there's no further use of 'rcdev' after the call to rc_free_device() so it's not needed there. Signed-off-by: Jesper Juhl Signed-off-by: Mauro Carvalho Chehab --- drivers/media/rc/gpio-ir-recv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/rc/gpio-ir-recv.c b/drivers/media/rc/gpio-ir-recv.c index ba1a1eb..32db5f5 100644 --- a/drivers/media/rc/gpio-ir-recv.c +++ b/drivers/media/rc/gpio-ir-recv.c @@ -129,12 +129,12 @@ static int __devinit gpio_ir_recv_probe(struct platform_device *pdev) err_request_irq: platform_set_drvdata(pdev, NULL); rc_unregister_device(rcdev); + rcdev = NULL; err_register_rc_device: err_gpio_direction_input: gpio_free(pdata->gpio_nr); err_gpio_request: rc_free_device(rcdev); - rcdev = NULL; err_allocate_device: kfree(gpio_dev); return rc; -- 2.7.4