potential use after free in xfs_iomap_write_allocate()
Dan Carpenter
dan.carpenter at oracle.com
Mon Feb 10 08:50:41 CST 2014
On Mon, Feb 10, 2014 at 10:21:58PM +0800, Jeff Liu wrote:
>
> On 02/10 2014 18:36 PM, Dan Carpenter wrote:
> > There is a static checker warning in xfs_iomap_write_allocate(). It's
> > sort of old so probably it's a false positive.
> >
> > fs/xfs/xfs_iomap.c:798 xfs_iomap_write_allocate()
> > warn: 'tp' was already freed.
> >
> > fs/xfs/xfs_iomap.c
> > 677
> > 678 while (count_fsb != 0) {
> >
> > There are some paths where if (count_fsb == 0) then "tp" is free.
>
> I can not see a call path that would introduce "count_fsb == 0" because we only
> call xfs_iomap_write_allocate() in extent delayed allocation context,
> that is the count_fsb should be >= 1.
I am confused. That's a while condition and not an if condition.

On line 792 we do:

	count_fsb -= imap->br_blockcount;

I assume you saw that, and it's still a false positive but I just want
to be sure.

regards,
dan carpenter