svn commit: r226398 - head/sys/dev/iicbus

[Christian Brueffer]

On 10/16/11 17:46 , Pawel Jakub Dawidek wrote:
> On Sat, Oct 15, 2011 at 03:57:56PM +0000, Christian Brueffer wrote:
>> Author: brueffer
>> Date: Sat Oct 15 15:57:55 2011
>> New Revision: 226398
>> URL: http://svn.freebsd.org/changeset/base/226398
>>
>> Log:
>>    Properly free resources in an error case.
>>
>>    CID:		4203
>>    Found with:	Coverity Prevent(tm)
>>    MFC after:	1 week
>>
>> Modified:
>>    head/sys/dev/iicbus/iic.c
>>
>> Modified: head/sys/dev/iicbus/iic.c
>> ==============================================================================
>> --- head/sys/dev/iicbus/iic.c	Sat Oct 15 15:21:33 2011	(r226397)
>> +++ head/sys/dev/iicbus/iic.c	Sat Oct 15 15:57:55 2011	(r226398)
>> @@ -348,8 +348,10 @@ iicioctl(struct cdev *dev, u_long cmd, c
>>   		buf = malloc(sizeof(*d->msgs) * d->nmsgs, M_TEMP, M_WAITOK);
>>   		usrbufs = malloc(sizeof(void *) * d->nmsgs, M_TEMP, M_ZERO | M_WAITOK);
>>   		error = copyin(d->msgs, buf, sizeof(*d->msgs) * d->nmsgs);
>> -		if (error)
>> +		if (error) {
>> +			free(usrbufs, M_TEMP);
>>   			break;
>> +		}
>
> I think that better fix is to move usrbufs allocation after copyin(), as
> usrbufs is not used there.
>

Agreed, how about the attached patch?
-------------- next part --------------
Index: iic.c
===================================================================
--- iic.c	(revision 226398)
+++ iic.c	(working copy)
@@ -346,13 +346,11 @@
 
 	case I2CRDWR:
 		buf = malloc(sizeof(*d->msgs) * d->nmsgs, M_TEMP, M_WAITOK);
-		usrbufs = malloc(sizeof(void *) * d->nmsgs, M_TEMP, M_ZERO | M_WAITOK);
 		error = copyin(d->msgs, buf, sizeof(*d->msgs) * d->nmsgs);
-		if (error) {
-			free(usrbufs, M_TEMP);
+		if (error)
 			break;
-		}
 		/* Alloc kernel buffers for userland data, copyin write data */
+		usrbufs = malloc(sizeof(void *) * d->nmsgs, M_TEMP, M_ZERO | M_WAITOK);
 		for (i = 0; i < d->nmsgs; i++) {
 			m = &((struct iic_msg *)buf)[i];
 			usrbufs[i] = m->buf;