V4L/DVB (13948): radio: Correct use after free

It is not clear how to share the unlock in the case where the structure
containing the lock has to be freed.  So the unlock is now duplicated, with
one copy moved before the free.  The unlock label furthermore is no longer
useful and is thus deleted.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@@
expression x,e;
identifier f;
iterator I;
statement S;
@@

*kfree(x);
... when != &x
    when != x = e
    when != I(x,...) S
*x->f
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

1 files changed, 2 insertions, 2 deletions

diff --git a/drivers/media/radio/si470x/radio-si470x-usb.c b/drivers/media/radio/si470x/radio-si470x-usb.c
index a96e1b9dd646..a0a79c70dd5b 100644
--- a/drivers/media/radio/si470x/radio-si470x-usb.c
+++ b/drivers/media/radio/si470x/radio-si470x-usb.c
@@ -590,8 +590,9 @@ int si470x_fops_release(struct file *file)
                         video_unregister_device(radio->videodev);
                         kfree(radio->int_in_buffer);
                         kfree(radio->buffer);
+                        mutex_unlock(&radio->disconnect_lock);
                         kfree(radio);
-                        goto unlock;
+                        goto done;
                 }
 
                 /* cancel read processes */
@@ -601,7 +602,6 @@ int si470x_fops_release(struct file *file)
                 retval = si470x_stop(radio);
                 usb_autopm_put_interface(radio->intf);
         }
-unlock:
         mutex_unlock(&radio->disconnect_lock);
 done:
         return retval;