mtd: lantiq-flash: drop iounmap for devm_ allocated data

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Data allocated with devm_ioremap or devm_ioremap_nocache should not be
freed using iounmap, because doing so causes a dangling pointer, and a
subsequent double free.

The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@r@
expression x;
@@
(
x = devm_ioremap(...)
|
x = devm_ioremap_nocache(...)
)

@@
expression r.x;
@@
* iounmap(x)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

authored by

Julia Lawall and committed by

David Woodhouse 14 years ago af32b360 775c3220

+1 -5

1 changed file

expand all

drivers

mtd

maps

lantiq-flash.c

+1 -5

drivers/mtd/maps/lantiq-flash.c

··· 159 159 if (!ltq_mtd->mtd) { 160 160 dev_err(&pdev->dev, "probing failed\n"); 161 161 err = -ENXIO; 162 - goto err_unmap; 162 + goto err_free; 163 163 } 164 164 165 165 ltq_mtd->mtd->owner = THIS_MODULE; ··· 179 179 180 180 err_destroy: 181 181 map_destroy(ltq_mtd->mtd); 182 - err_unmap: 183 - iounmap(ltq_mtd->map->virt); 184 182 err_free: 185 183 kfree(ltq_mtd->map); 186 184 err_out: ··· 196 198 mtd_device_unregister(ltq_mtd->mtd); 197 199 map_destroy(ltq_mtd->mtd); 198 200 } 199 - if (ltq_mtd->map->virt) 200 - iounmap(ltq_mtd->map->virt); 201 201 kfree(ltq_mtd->map); 202 202 kfree(ltq_mtd); 203 203 }