From c4a3987fa075b2d15ebc3d59b01fb7ed403cd3e1 Mon Sep 17 00:00:00 2001 From: Julia Lawall Date: Mon, 29 Mar 2010 22:33:28 -0700 Subject: drivers/serial/sunsu.c: Correct use after free The of_iounmap is at the out_unmap label, but at that point up has already been freed. The free cannot be moved to the out_unmap label, because that label is reachable from cases where up should not be freed. So the call to of_iounmap is just duplicated, and the goto converted to a return. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // @@ expression x,e; identifier f; iterator I; statement S; @@ *kfree(x); ... when != &x when != x = e when != I(x,...) S *x->f // Signed-off-by: Julia Lawall Signed-off-by: David S. Miller --- drivers/serial/sunsu.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'drivers') diff --git a/drivers/serial/sunsu.c b/drivers/serial/sunsu.c index 170d3d68c8f..cbcfb1885f7 100644 --- a/drivers/serial/sunsu.c +++ b/drivers/serial/sunsu.c @@ -1453,8 +1453,10 @@ static int __devinit su_probe(struct of_device *op, const struct of_device_id *m if (up->su_type == SU_PORT_KBD || up->su_type == SU_PORT_MS) { err = sunsu_kbd_ms_init(up); if (err) { + of_iounmap(&op->resource[0], + up->port.membase, up->reg_size); kfree(up); - goto out_unmap; + return err; } dev_set_drvdata(&op->dev, up); -- cgit From bdd32ce95f79fb5cc964cd789d7ae4500bba7c6f Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Sun, 4 Apr 2010 01:12:50 -0700 Subject: sunxvr500: Ignore secondary output PCI devices. These just represent the secondary and further heads attached to the card, and they have different sets of PCI bar registers to map. So don't try to drive them in the main driver. Reported-by: Frans van Berckel Tested-by: Frans van Berckel Signed-off-by: David S. Miller --- drivers/video/sunxvr500.c | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) (limited to 'drivers') diff --git a/drivers/video/sunxvr500.c b/drivers/video/sunxvr500.c index 4cd50497264..3803745d6ee 100644 --- a/drivers/video/sunxvr500.c +++ b/drivers/video/sunxvr500.c @@ -242,11 +242,27 @@ static int __devinit e3d_set_fbinfo(struct e3d_info *ep) static int __devinit e3d_pci_register(struct pci_dev *pdev, const struct pci_device_id *ent) { + struct device_node *of_node; + const char *device_type; struct fb_info *info; struct e3d_info *ep; unsigned int line_length; int err; + of_node = pci_device_to_OF_node(pdev); + if (!of_node) { + printk(KERN_ERR "e3d: Cannot find OF node of %s\n", + pci_name(pdev)); + return -ENODEV; + } + + device_type = of_get_property(of_node, "device_type", NULL); + if (!device_type) { + printk(KERN_INFO "e3d: Ignoring secondary output device " + "at %s\n", pci_name(pdev)); + return -ENODEV; + } + err = pci_enable_device(pdev); if (err < 0) { printk(KERN_ERR "e3d: Cannot enable PCI device %s\n", @@ -265,13 +281,7 @@ static int __devinit e3d_pci_register(struct pci_dev *pdev, ep->info = info; ep->pdev = pdev; spin_lock_init(&ep->lock); - ep->of_node = pci_device_to_OF_node(pdev); - if (!ep->of_node) { - printk(KERN_ERR "e3d: Cannot find OF node of %s\n", - pci_name(pdev)); - err = -ENODEV; - goto err_release_fb; - } + ep->of_node = of_node; /* Read the PCI base register of the frame buffer, which we * need in order to interpret the RAMDAC_VID_*FB* values in -- cgit