Hi, On Mon, Jan 21, 2013 at 02:02:57PM +0100, Julia Lawall wrote: > From: Julia Lawall <Julia.Lawall@xxxxxxx> > > Delete successive tests to the same location. Data is the just previously > allocated and tested value. Test the result of the allocation made here > instead. > > A simplified version of the semantic match that finds this problem is as > follows: (http://coccinelle.lip6.fr/) > > // <smpl> > @s exists@ > local idexpression y; > expression x,e; > @@ > > *if ( \(x == NULL\|IS_ERR(x)\|y != 0\) ) > { ... when forall > return ...; } > ... when != \(y = e\|y += e\|y -= e\|y |= e\|y &= e\|y++\|y--\|&y\) > when != \(XT_GETPAGE(...,y)\|WMI_CMD_BUF(...)\) > *if ( \(x == NULL\|IS_ERR(x)\|y != 0\) ) > { ... when forall > return ...; } > // </smpl> > > Signed-off-by: Julia Lawall <Julia.Lawall@xxxxxxx> Already in my tree ;-) commit b37457d80bc3e2a6bb86a6036c572574614a7631 Author: Sergei Shtylyov <sshtylyov@xxxxxxxxxxxxx> Date: Tue Jan 8 22:11:14 2013 +0300 usb: musb: omap2430: fix wrong devm_kzalloc() result check Commit 00a0b1d58af873d842580dcac55f3b156c3a4077 (usb: musb: omap: Add device tree support for omap musb glue) assigns result of devm_kzalloc() call to the 'config' variable but then checks for NULL the 'data' variable (already checked after previous call). Thus we risk a kernel oops further when data pointed by 'config' is written to by subsequent of_property_read_u32() calls iff the allocation happens to fail... Signed-off-by: Sergei Shtylyov <sshtylyov@xxxxxxxxxxxxx> Signed-off-by: Felipe Balbi <balbi@xxxxxx> diff --git a/drivers/usb/musb/omap2430.c b/drivers/usb/musb/omap2430.c index b15bb05..bb48796 100644 --- a/drivers/usb/musb/omap2430.c +++ b/drivers/usb/musb/omap2430.c @@ -543,7 +543,7 @@ static int omap2430_probe(struct platform_device *pdev) } config = devm_kzalloc(&pdev->dev, sizeof(*config), GFP_KERNEL); - if (!data) { + if (!config) { dev_err(&pdev->dev, "failed to allocate musb hdrc config\n"); goto err2; -- balbi
Attachment:
signature.asc
Description: Digital signature
