drivers/scsi/ses.c: eliminate double free

commit 9b3a6549b2602ca30f58715a0071e29f9898cae9 upstream.

The few lines below the kfree of hdr_buf may go to the label err_free
which will also free hdr_buf.  The most straightforward solution seems to
be to just move the kfree of hdr_buf after these gotos.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@r@
identifier E;
expression E1;
iterator I;
statement S;
@@

*kfree(E);
... when != E = E1
    when != I(E,...) S
    when != &E
*kfree(E);
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

1 files changed, 2 insertions, 2 deletions

diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index 55b034b72708..3c8a0248ea45 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -591,8 +591,6 @@ static int ses_intf_add(struct device *cdev,
                 ses_dev->page10_len = len;
                 buf = NULL;
         }
-        kfree(hdr_buf);
-
         scomp = kzalloc(sizeof(struct ses_component) * components, GFP_KERNEL);
         if (!scomp)
                 goto err_free;
@@ -604,6 +602,8 @@ static int ses_intf_add(struct device *cdev,
                 goto err_free;
         }
 
+        kfree(hdr_buf);
+
         edev->scratch = ses_dev;
         for (i = 0; i < components; i++)
                 edev->component[i].scratch = scomp + i;