Re: [PATCH 1/1] Free fw_priv in fw_create_instance

From: Greg KH
Date: Tue Aug 30 2011 - 17:28:10 EST


On Wed, Aug 31, 2011 at 01:16:24AM +0530, Rajan Aggarwal wrote:
> Hi,
>
>
> On Wed, Aug 31, 2011 at 12:49 AM, Greg KH <gregkh@xxxxxxx> wrote:
> > On Wed, Aug 31, 2011 at 12:36:32AM +0530, Rajan Aggarwal wrote:
> >> fw_priv is not being freed in some of the error scenarios in
> >> fw_create_instance.
> >
> > Not true.
> >
> >> This patch makes sure that this is kfreed properly in all error
> >> situations in the fw_create_instance logic where it is required.
> >
> > Nope, this will cause a double-free to happen.
>
> From what you say, the only suspicious line seems to be the following
> assignment:
> f_dev = &fw_priv->dev;
> However, I cannot make out how this can be freed by device_del or
> put_device as I don't see the logic anywhere where f_dev is
> decremented to get the address of fw_priv.

Look at the release function for the f_dev that was set up when the
class pointer was assigned to it. That function takes a pointer to a
"base" struct device, and back casts it to the fw_priv structure, and
then frees it.

That is how the driver core, and the kobject, and the kref model works.
When the last reference to the object is released, the release
function is called, freeing up the memory of the object.

Take a look at the Documentation/kobject.txt file for details as to how
this all works if you are still curious.

Hope this helps,

greg k-h
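The release mechanism Greg describes, as an added userspace model that is not code from this thread or from the kernel: `struct device`, `firmware_priv`, `get_device()`/`put_device()` are simplified stand-ins and `release_frees()` is a hypothetical driver; the point it shows is that the final put frees the container through the release function, so an explicit kfree(fw_priv) on the same path would free it a second time.

```c
#include <stddef.h>
#include <stdlib.h>

/* Userspace model of the kref/release pattern described in the thread; the
 * names mirror the discussion (fw_priv, f_dev) but nothing here is kernel code. */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

struct device {
	int refcount;                        /* stands in for the kobject's kref */
	void (*release)(struct device *dev); /* installed when the class was assigned */
};
struct firmware_priv {
	struct device dev;                   /* the embedded "base" struct device */
};
static int frees;                        /* how many times fw_priv was freed */
/* Release function: back-casts the base device to its container and frees it. */
static void fw_dev_release(struct device *dev)
{
	free(container_of(dev, struct firmware_priv, dev));
	frees++;
}
static void get_device(struct device *dev) { dev->refcount++; }

/* The last put runs release; a kfree() of the container on top of that is the double free Greg points at. */
static void put_device(struct device *dev)
{
	if (--dev->refcount == 0)
		dev->release(dev);
}

/* Builds fw_priv, takes extra_refs extra references, drops them all, and returns how often it was freed. */
int release_frees(int extra_refs)
{
	struct firmware_priv *fw_priv = calloc(1, sizeof(*fw_priv));
	if (!fw_priv)
		return -1;
	struct device *f_dev = &fw_priv->dev; /* the assignment the thread asks about */
	fw_priv->dev.refcount = 1;           /* creator's initial reference */
	fw_priv->dev.release = fw_dev_release;
	frees = 0;
	for (int i = 0; i < extra_refs; i++)
		get_device(f_dev);
	for (int i = 0; i < extra_refs; i++)
		put_device(f_dev);               /* not the last reference: nothing freed */
	if (frees != 0)
		return -1;
	put_device(f_dev);                   /* last reference: release frees fw_priv */
	return frees;                        /* fw_priv now dangles; do not touch it */
}
```

Whatever the number of outstanding references, the object is freed exactly once, by whichever put drops the count to zero; that is why the error paths hand cleanup to put_device() rather than freeing fw_priv directly.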