From 736d54533aedbcbde8cfb2f9ccd542595db4d78d Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Wed, 4 Feb 2009 15:12:20 -0800 Subject: sx.c: fix missed unlock_kernel() on error path in sx_fw_ioctl() If we return directly with -EPERM then lock_kernel() is still held. This was found with a code checker (http://repo.or.cz/w/smatch.git/). [akpm@linux-foundation.org: fix another such path - missed func_exit()] Signed-off-by: Dan Carpenter Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/char/sx.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'drivers/char/sx.c') diff --git a/drivers/char/sx.c b/drivers/char/sx.c index b60be7b0decf..f146e90404fa 100644 --- a/drivers/char/sx.c +++ b/drivers/char/sx.c @@ -1713,8 +1713,8 @@ static long sx_fw_ioctl(struct file *filp, unsigned int cmd, for (i = 0; i < SX_NBOARDS; i++) sx_dprintk(SX_DEBUG_FIRMWARE, "<%x> ", boards[i].flags); sx_dprintk(SX_DEBUG_FIRMWARE, "\n"); - unlock_kernel(); - return -EIO; + rc = -EIO; + goto out; } switch (cmd) { @@ -1747,7 +1747,8 @@ static long sx_fw_ioctl(struct file *filp, unsigned int cmd, break; case SXIO_DO_RAMTEST: if (sx_initialized) /* Already initialized: better not ramtest the board. */ - return -EPERM; + rc = -EPERM; + break; if (IS_SX_BOARD(board)) { rc = do_memtest(board, 0, 0x7000); if (!rc) @@ -1844,6 +1845,7 @@ static long sx_fw_ioctl(struct file *filp, unsigned int cmd, rc = -ENOTTY; break; } +out: unlock_kernel(); func_exit(); return rc; -- cgit v1.2.2 From 9b6d25100ace1dcf9750803ff08f6b61f840be79 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= Date: Fri, 20 Feb 2009 15:38:45 -0800 Subject: sx.c: fix dbl statement if - add missing braces MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Caused by 736d54533aed (sx.c: fix missed unlock_kernel() on error path in sx_fw_ioctl()). You guys keep breaking things this way in every single kernel release in at least couple of places... :-( Signed-off-by: Ilpo Järvinen Acked-by: Dan Carpenter Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/char/sx.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'drivers/char/sx.c') diff --git a/drivers/char/sx.c b/drivers/char/sx.c index f146e90404fa..d7c416566bd9 100644 --- a/drivers/char/sx.c +++ b/drivers/char/sx.c @@ -1746,9 +1746,10 @@ static long sx_fw_ioctl(struct file *filp, unsigned int cmd, sx_dprintk(SX_DEBUG_FIRMWARE, "returning type= %ld\n", rc); break; case SXIO_DO_RAMTEST: - if (sx_initialized) /* Already initialized: better not ramtest the board. */ + if (sx_initialized) { /* Already initialized: better not ramtest the board. */ rc = -EPERM; break; + } if (IS_SX_BOARD(board)) { rc = do_memtest(board, 0, 0x7000); if (!rc) -- cgit v1.2.2 From b28fe28f2a07ee325834179174a95495d2786561 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Fri, 20 Feb 2009 15:38:46 -0800 Subject: sx.c: avoid referencing freed memory if copy_from_user() fails MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The "break" would just result in reusing a free'd pointer. I don't have the cards myself to test it though. :/ Signed-off-by: Dan Carpenter Cc: Ilpo Järvinen Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/char/sx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/char/sx.c') diff --git a/drivers/char/sx.c b/drivers/char/sx.c index d7c416566bd9..518f2a25d91e 100644 --- a/drivers/char/sx.c +++ b/drivers/char/sx.c @@ -1789,7 +1789,7 @@ static long sx_fw_ioctl(struct file *filp, unsigned int cmd, nbytes - i : SX_CHUNK_SIZE)) { kfree(tmp); rc = -EFAULT; - break; + goto out; } memcpy_toio(board->base2 + offset + i, tmp, (i + SX_CHUNK_SIZE > nbytes) ? -- cgit v1.2.2