drivers/serial/sunsu.c: Correct use after free

The of_iounmap is at the out_unmap label, but at that point up has already been freed. The free cannot be moved to the out_unmap label, because that label is reachable from cases where up should not be freed. So the call to of_iounmap is just duplicated, and the goto converted to a return. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ expression x,e; identifier f; iterator I; statement S; @@ *kfree(x); ... when != &x when != x = e when != I(x,...) S *x->f // </smpl> Signed-off-by: N Julia Lawall <julia@diku.dk> Signed-off-by: N David S. Miller <davem@davemloft.net>

drivers/serial/sunsu.c: Correct use after free
The of_iounmap is at the out_unmap label, but at that point up has already been freed. The free cannot be moved to the out_unmap label, because that label is reachable from cases where up should not be freed. So the call to of_iounmap is just duplicated, and the goto converted to a return. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ expression x,e; identifier f; iterator I; statement S; @@ *kfree(x); ... when != &x when != x = e when != I(x,...) S *x->f // </smpl> Signed-off-by: N Julia Lawall <julia@diku.dk> Signed-off-by: N David S. Miller <davem@davemloft.net>
c4a3987f · Julia Lawall · David S. Miller · 9e8307ec · c4a3987f
隐藏空白更改
内联并排

Showing with 3 addition and 1 deletion

drivers/serial/sunsu.c drivers/serial/sunsu.c +3 -1

未找到文件。
--- a/drivers/serial/sunsu.c
+++ b/drivers/serial/sunsu.c
@@ -1453,8 +1453,10 @@ static int __devinit su_probe(struct of_device *op, const struct of_device_id *m
 	if (up->su_type == SU_PORT_KBD || up->su_type == SU_PORT_MS) {
 		err = sunsu_kbd_ms_init(up);
 		if (err) {
+			of_iounmap(&op->resource[0],
+				   up->port.membase, up->reg_size);
 			kfree(up);
-			goto out_unmap;
+			return err;
 		}
 		dev_set_drvdata(&op->dev, up);