From julia@diku.dk  Fri Sep 11 16:02:23 2009
From: Julia Lawall <julia@diku.dk>
Date: Fri, 11 Sep 2009 18:22:27 +0200 (CEST)
Subject: Staging: dream: introduce missing kfree
To: Greg Kroah-Hartman <gregkh@suse.de>, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Message-ID: <Pine.LNX.4.64.0909111822100.10552@pc-004.diku.dk>


From: Julia Lawall <julia@diku.dk>

Error handling code following a kmalloc or kzalloc should free the
allocated data.

The semantic match that finds the problem is as follows:
(http://www.emn.fr/x-info/coccinelle/)

// <smpl>
@r exists@
local idexpression x;
statement S;
expression E;
identifier f,f1,l;
position p1,p2;
expression *ptr != NULL;
@@

x@p1 = \(kmalloc\|kzalloc\|kcalloc\)(...);
...
if (x == NULL) S
<... when != x
     when != if (...) { <+...x...+> }
(
x->f1 = E
|
 (x->f1 == NULL || ...)
|
 f(...,x->f1,...)
)
...>
(
 return \(0\|<+...x...+>\|ptr\);
|
 return@p2 ...;
)

@script:python@
p1 << r.p1;
p2 << r.p2;
@@

print "* file: %s kmalloc %s return %s" % (p1[0].file,p1[0].line,p2[0].line)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
---
 drivers/staging/dream/camera/msm_v4l2.c       |    8 ++++++--
 drivers/staging/dream/camera/msm_vfe8x_proc.c |   16 ++++++++++++----
 2 files changed, 18 insertions(+), 6 deletions(-)

--- a/drivers/staging/dream/camera/msm_v4l2.c
+++ b/drivers/staging/dream/camera/msm_v4l2.c
@@ -521,13 +521,17 @@ static int msm_v4l2_s_fmt_cap(struct fil
   ctrlcmd->value      = pfmt;
   ctrlcmd->timeout_ms = 10000;
 
-	if (pfmt->type != V4L2_BUF_TYPE_VIDEO_CAPTURE)
+	if (pfmt->type != V4L2_BUF_TYPE_VIDEO_CAPTURE) {
+		kfree(ctrlcmd);
 		return -1;
+	}
 
 #if 0
 	/* FIXEME */
-	if (pfmt->fmt.pix.pixelformat != V4L2_PIX_FMT_YVU420)
+	if (pfmt->fmt.pix.pixelformat != V4L2_PIX_FMT_YVU420) {
+		kfree(ctrlcmd);
 		return -EINVAL;
+	}
 #endif
 
 	/* Ok, but check other params, too. */
--- a/drivers/staging/dream/camera/msm_vfe8x_proc.c
+++ b/drivers/staging/dream/camera/msm_vfe8x_proc.c
@@ -967,8 +967,10 @@ vfe_send_af_stats_msg(uint32_t afBufAddr
 	/* fill message with right content. */
 	/* @todo This is causing issues, need further investigate */
 	/* spin_lock_irqsave(&ctrl->state_lock, flags); */
-	if (ctrl->vstate != VFE_STATE_ACTIVE)
+	if (ctrl->vstate != VFE_STATE_ACTIVE) {
+		kfree(msg);
 		goto af_stats_done;
+	}
 
 	msg->_d = VFE_MSG_ID_STATS_AUTOFOCUS;
 	msg->_u.msgStatsAf.afBuffer = afBufAddress;
@@ -1053,8 +1055,10 @@ static void vfe_send_awb_stats_msg(uint3
 	/* fill message with right content. */
 	/* @todo This is causing issues, need further investigate */
 	/* spin_lock_irqsave(&ctrl->state_lock, flags); */
-	if (ctrl->vstate != VFE_STATE_ACTIVE)
+	if (ctrl->vstate != VFE_STATE_ACTIVE) {
+		kfree(msg);
 		goto awb_stats_done;
+	}
 
 	msg->_d = VFE_MSG_ID_STATS_WB_EXP;
 	msg->_u.msgStatsWbExp.awbBuffer = awbBufAddress;
@@ -1483,8 +1487,10 @@ static void vfe_send_output2_msg(
 	/* fill message with right content. */
 	/* @todo This is causing issues, need further investigate */
 	/* spin_lock_irqsave(&ctrl->state_lock, flags); */
-	if (ctrl->vstate != VFE_STATE_ACTIVE)
+	if (ctrl->vstate != VFE_STATE_ACTIVE) {
+		kfree(msg);
 		goto output2_msg_done;
+	}
 
 	msg->_d = VFE_MSG_ID_OUTPUT2;
 
@@ -1518,8 +1524,10 @@ static void vfe_send_output1_msg(
 
 	/* @todo This is causing issues, need further investigate */
 	/* spin_lock_irqsave(&ctrl->state_lock, flags); */
-	if (ctrl->vstate != VFE_STATE_ACTIVE)
+	if (ctrl->vstate != VFE_STATE_ACTIVE) {
+		kfree(msg);
 		goto output1_msg_done;
+	}
 
 	msg->_d = VFE_MSG_ID_OUTPUT1;
 	memmove(&(msg->_u),