| To: | Jeff Liu <jeff.liu@xxxxxxxxxx> |
|---|---|
| Subject: | Re: potential use after free in xfs_iomap_write_allocate() |
| From: | Dan Carpenter <dan.carpenter@xxxxxxxxxx> |
| Date: | Mon, 10 Feb 2014 17:50:41 +0300 |
| Cc: | xfs@xxxxxxxxxxx |
| Delivered-to: | xfs@xxxxxxxxxxx |
| In-reply-to: | <52F8E086.8030805@xxxxxxxxxx> |
| References: | <20140210103626.GA15018@xxxxxxxxxxxxxx> <52F8E086.8030805@xxxxxxxxxx> |
| User-agent: | Mutt/1.5.21 (2010-09-15) |
On Mon, Feb 10, 2014 at 10:21:58PM +0800, Jeff Liu wrote:
>
> On 02/10 2014 18:36 PM, Dan Carpenter wrote:
> > There is a static checker warning in xfs_iomap_write_allocate(). It's
> > sort of old so probably it's a false positive.
> >
> > fs/xfs/xfs_iomap.c:798 xfs_iomap_write_allocate()
> > warn: 'tp' was already freed.
> >
> > fs/xfs/xfs_iomap.c
> > 677
> > 678 while (count_fsb != 0) {
> >
> > There are some paths where if (count_fsb == 0) then "tp" is free.
>
> I can not see a call path that would introduce "count_fsb == 0" because we only
> call xfs_iomap_write_allocate() in extent delayed allocation context,
> that is the count_fsb should be >= 1.

I am confused. That's a while condition and not an if condition.
On line 792 we do:

    count_fsb -= imap->br_blockcount;

I assume you saw that, and it's still a false positive but I just want
to be sure.

regards,
dan carpenter