From 574bac488f384ddaa344378e25653c27124a2b69 Mon Sep 17 00:00:00 2001 From: Lorenz Meier Date: Mon, 19 Jan 2015 20:14:26 +0100 Subject: Critical hotfixes for memory accesses. Found via Coverity by Pavel Kirienko --- nuttx/drivers/pipes/pipe.c | 5 ++++- nuttx/drivers/usbdev/cdcacm.c | 8 ++++---- nuttx/mm/mm_granalloc.c | 3 ++- 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/nuttx/drivers/pipes/pipe.c b/nuttx/drivers/pipes/pipe.c index 20c160475..86cdeba84 100644 --- a/nuttx/drivers/pipes/pipe.c +++ b/nuttx/drivers/pipes/pipe.c @@ -275,7 +275,10 @@ errout_with_wrfd: errout_with_driver: unregister_driver(devname); errout_with_dev: - pipecommon_freedev(dev); + if (dev) + { + pipecommon_freedev(dev); + } errout_with_pipe: pipe_free(pipeno); errout: diff --git a/nuttx/drivers/usbdev/cdcacm.c b/nuttx/drivers/usbdev/cdcacm.c index 2584ce428..d3ddb8e4d 100644 --- a/nuttx/drivers/usbdev/cdcacm.c +++ b/nuttx/drivers/usbdev/cdcacm.c @@ -1181,12 +1181,12 @@ static void cdcacm_unbind(FAR struct usbdevclass_driver_s *driver, } DEBUGASSERT(priv->nwrq == 0); irqrestore(flags); - } - /* Clear out all data in the circular buffer */ + /* Clear out all data in the circular buffer */ - priv->serdev.xmit.head = 0; - priv->serdev.xmit.tail = 0; + priv->serdev.xmit.head = 0; + priv->serdev.xmit.tail = 0; + } } /**************************************************************************** diff --git a/nuttx/mm/mm_granalloc.c b/nuttx/mm/mm_granalloc.c index e95709b31..df6bde805 100644 --- a/nuttx/mm/mm_granalloc.c +++ b/nuttx/mm/mm_granalloc.c @@ -313,9 +313,10 @@ static inline FAR void *gran_common_alloc(FAR struct gran_s *priv, size_t size) bitidx += shift; } } + + gran_leave_critical(priv); } - gran_leave_critical(priv); return NULL; } -- cgit v1.2.3 From e4c914e261d2647e44d05222afa7aa3cc90d3c67 Mon Sep 17 00:00:00 2001 
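Review bot: In the pipe.c hunk, the new `if (dev)` guard covers only `pipecommon_freedev(dev)`; the `unregister_driver(devname)` call under `errout_with_driver`, two lines above, still runs unconditionally on the same error path. If `dev` is NULL there because this call did not create the device (the assignment is outside the hunk, so this is inferred), that path would unregister a driver this invocation never registered, possibly while another holder is still using it. Consider putting both steps under the same condition, e.g. `if (dev) { unregister_driver(devname); }`, and adding a comment such as `/* dev is NULL when the pipe device already existed */` once that is confirmed. The function body starts and ends outside the hunk.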
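Review bot: In the cdcacm.c hunk, the `xmit.head`/`xmit.tail` reset now sits inside the guarded block but still after `irqrestore(flags)`, so the circular-buffer indices are written with interrupts enabled. If the transmit path can touch `priv->serdev.xmit` from interrupt context (not visible here), moving the two assignments above `irqrestore(flags);` would keep the reset inside the interrupt-disabled region that ends at that call. The condition that opens the block is outside the hunk; a short comment there stating that `priv` may be NULL at unbind would record why the reset had to move.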
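Review bot: In the mm_granalloc.c hunk, `gran_leave_critical(priv)` is now reached only on the fall-through path of the guarded block, so the enter/leave balance depends on every earlier `return` inside that block releasing the critical section as well. Those returns and the matching enter call are outside the hunk and should be checked against this change. A comment at the new call, for example `/* No suitable free run found: leave the critical section entered at the top of this block */`, would make the pairing explicit. A single exit label that performs the release would be a sturdier shape if more return paths are added later.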
From: Lorenz Meier Date: Wed, 21 Jan 2015 15:56:43 +0100 Subject: Color the stack anyways with 0xFF, even if the per-function checking is not enabled --- nuttx/arch/arm/src/armv7-m/up_initialstate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nuttx/arch/arm/src/armv7-m/up_initialstate.c b/nuttx/arch/arm/src/armv7-m/up_initialstate.c index 04089f8ac..8bcf3b442 100644 --- a/nuttx/arch/arm/src/armv7-m/up_initialstate.c +++ b/nuttx/arch/arm/src/armv7-m/up_initialstate.c @@ -97,11 +97,11 @@ void up_initial_state(struct tcb_s *tcb) /* Set the stack limit value */ xcp->regs[REG_R10] = (uint32_t)tcb->stack_alloc_ptr + 64; +#endif /* Fill the stack with a watermark value */ memset(tcb->stack_alloc_ptr, 0xff, tcb->adj_stack_size); -#endif /* Save the task entry point (stripping off the thumb bit) */ -- cgit v1.2.3
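Review bot: With the `#endif` moved up, `memset(tcb->stack_alloc_ptr, 0xff, tcb->adj_stack_size)` now runs for every TCB passed to `up_initial_state`, with no check that a stack has been allocated. Whether a caller can reach this with `stack_alloc_ptr == NULL` (for example a TCB initialised before its stack is assigned) is not visible in the hunk; a guard such as `if (tcb->stack_alloc_ptr != NULL && tcb->adj_stack_size > 0)` would make the fill safe in that case. It is also worth confirming that `adj_stack_size` never exceeds the size of the allocation that starts at `stack_alloc_ptr`, since the fill begins at the allocation base. The function body and the opening `#if` are outside the hunk.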