[media] rc: Fix double free in gpio_ir_recv_probe()

At the 'err_request_irq' label, rc_unregister_device(rcdev) frees its
argument. So when we fall through to the 'err_gpio_request' label
further down and call rc_free_device(rcdev) then that's a double free.
Fix that by moving 'rcdev = NULL' from after the call to
rc_free_device() to after rc_unregister_device(). That fixes the
problem since rc_free_device() just does nothing if passed NULL and
there's no further use of 'rcdev' after the call to rc_free_device()
so it's not needed there.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

diff --git a/drivers/media/rc/gpio-ir-recv.c b/drivers/media/rc/gpio-ir-recv.c
index ba1a1eb356cf765d47d48b0e829f37b0133b5259..32db5f59fbc3ca7bfde811173cc4832ed4577bf3 100644 (file)
--- a/drivers/media/rc/gpio-ir-recv.c
+++ b/drivers/media/rc/gpio-ir-recv.c
@@ -129,12 +129,12 @@ static int __devinit gpio_ir_recv_probe(struct platform_device *pdev)
 err_request_irq:
        platform_set_drvdata(pdev, NULL);
        rc_unregister_device(rcdev);
+       rcdev = NULL;
 err_register_rc_device:
 err_gpio_direction_input:
        gpio_free(pdata->gpio_nr);
 err_gpio_request:
        rc_free_device(rcdev);
-       rcdev = NULL;
 err_allocate_device:
        kfree(gpio_dev);
        return rc;