From: Julia Lawall <julia@diku.dk>
Date: Tue, 22 Dec 2009 20:30:59 +0000 (+0100)
Subject: drivers/dma: Correct use after free
X-Git-Tag: v2.6.33-rc3~33^2~1
X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=0794ec8ce327ec74416b569b8fb1951274693700;p=karo-tx-linux.git

drivers/dma: Correct use after free

Move the kfree after the iounmap that refers to the same structure.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@@
expression x,e;
identifier f;
iterator I;
statement S;
@@

*kfree(x);
... when != &x
    when != x = e
    when != I(x,...) S
*x->f
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---

diff --git a/drivers/dma/coh901318.c b/drivers/dma/coh901318.c
index 4a99cd94536b..b5f2ee0f8e2c 100644
--- a/drivers/dma/coh901318.c
+++ b/drivers/dma/coh901318.c
@@ -1294,8 +1294,8 @@ static int __exit coh901318_remove(struct platform_device *pdev)
 	dma_async_device_unregister(&base->dma_slave);
 	coh901318_pool_destroy(&base->pool);
 	free_irq(platform_get_irq(pdev, 0), base);
-	kfree(base);
 	iounmap(base->virtbase);
+	kfree(base);
 	release_mem_region(pdev->resource->start,
 			   resource_size(pdev->resource));
 	return 0;