From patchwork Mon Mar 29 09:39:53 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Julia Lawall
X-Patchwork-Id: 48819
X-Patchwork-Delegate: davem@davemloft.net
Date: Mon, 29 Mar 2010 11:39:53 +0200 (CEST)
From: Julia Lawall
To: "David S. Miller", sparclinux@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH] drivers/serial/sunsu.c: Correct use after free

From: Julia Lawall

The of_iounmap is at the out_unmap label, but at that point up has already
been freed. The free cannot be moved to the out_unmap label, because that
label is reachable from cases where up should not be freed. So the call to
of_iounmap is just duplicated, and the goto converted to a return.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

//
@@
expression x,e;
identifier f;
iterator I;
statement S;
@@

*kfree(x);
... when != &x
    when != x = e
    when != I(x,...) S
*x->f
//

Signed-off-by: Julia Lawall

---
 drivers/serial/sunsu.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/drivers/serial/sunsu.c b/drivers/serial/sunsu.c index 170d3d6..cbcfb18 100644 --- a/drivers/serial/sunsu.c +++ b/drivers/serial/sunsu.c @@ -1453,8 +1453,10 @@ static int __devinit su_probe(struct of_device *op, const struct of_device_id *m if (up->su_type == SU_PORT_KBD || up->su_type == SU_PORT_MS) { err = sunsu_kbd_ms_init(up); if (err) { + of_iounmap(&op->resource[0], + up->port.membase, up->reg_size); kfree(up); - goto out_unmap; + return err; } dev_set_drvdata(&op->dev, up);
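
Review bot: In the if (err) branch after sunsu_kbd_ms_init(up), the new "return err;" bypasses out_unmap entirely, so this path now relies on the duplicated of_iounmap(&op->resource[0], up->port.membase, up->reg_size) call staying identical to whatever the label does, and the label body is not visible in this hunk. Please confirm that out_unmap performs no cleanup other than the unmap, and consider a one-line comment here noting that the unmap is done inline because up must be freed on this path but not on the other paths that reach the label. The ordering in the added lines is correct: up->port.membase and up->reg_size are read before kfree(up).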