mtd: lantiq-flash: drop iounmap for devm_ allocated data

Data allocated with devm_ioremap or devm_ioremap_nocache should not be
freed using iounmap, because doing so causes a dangling pointer, and a
subsequent double free.

The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@r@
expression x;
@@
(
 x = devm_ioremap(...)
|
 x = devm_ioremap_nocache(...)
)

@@
expression r.x;
@@
* iounmap(x)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

diff --git a/drivers/mtd/maps/lantiq-flash.c b/drivers/mtd/maps/lantiq-flash.c
index 4f10e27ada551d12f77cfd4d72b02f15ef9c5c8d..7b889de9477bcf4b0bf6c9936c38e6246e039a3a 100644 (file)
--- a/drivers/mtd/maps/lantiq-flash.c
+++ b/drivers/mtd/maps/lantiq-flash.c
@@ -159,7 +159,7 @@ ltq_mtd_probe(struct platform_device *pdev)
        if (!ltq_mtd->mtd) {
                dev_err(&pdev->dev, "probing failed\n");
                err = -ENXIO;
-               goto err_unmap;
+               goto err_free;
        }
 
        ltq_mtd->mtd->owner = THIS_MODULE;
@@ -179,8 +179,6 @@ ltq_mtd_probe(struct platform_device *pdev)
 
 err_destroy:
        map_destroy(ltq_mtd->mtd);
-err_unmap:
-       iounmap(ltq_mtd->map->virt);
 err_free:
        kfree(ltq_mtd->map);
 err_out:
@@ -198,8 +196,6 @@ ltq_mtd_remove(struct platform_device *pdev)
                        mtd_device_unregister(ltq_mtd->mtd);
                        map_destroy(ltq_mtd->mtd);
                }
-               if (ltq_mtd->map->virt)
-                       iounmap(ltq_mtd->map->virt);
                kfree(ltq_mtd->map);
                kfree(ltq_mtd);
        }