From: Dan Carpenter <dan.carpenter@oracle.com>
To: Jeff Liu <jeff.liu@oracle.com>
Cc: xfs@oss.sgi.com
Subject: Re: potential use after free in xfs_iomap_write_allocate()
Date: Mon, 10 Feb 2014 17:50:41 +0300 [thread overview]
Message-ID: <20140210145041.GC26776@mwanda> (raw)
In-Reply-To: <52F8E086.8030805@oracle.com>
On Mon, Feb 10, 2014 at 10:21:58PM +0800, Jeff Liu wrote:
>
> On 02/10 2014 18:36 PM, Dan Carpenter wrote:
> > There is a static checker warning in xfs_iomap_write_allocate(). It's
> > sort of old so probably it's a false positive.
> >
> > fs/xfs/xfs_iomap.c:798 xfs_iomap_write_allocate()
> > warn: 'tp' was already freed.
> >
> > fs/xfs/xfs_iomap.c
> > 677
> > 678 while (count_fsb != 0) {
> >
> > There are some paths where if (count_fsb == 0) then "tp" is free.
>
> I can not see a call pach would introduce "count_fsb == 0" because we only
> call xfs_iomap_write_allocate() in extent delayed allocation context,
> that is the count_fsb should be >= 1.
I am confused. That's a while condition and not an if condition.
On line 792 we do:
count_fsb -= imap->br_blockcount;
I assume you saw that, and it's still a false positive but I just want
to be sure.
regards,
dan carpenter
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
next prev parent reply other threads:[~2014-02-10 14:50 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-10 10:36 potential use after free in xfs_iomap_write_allocate() Dan Carpenter
2014-02-10 14:21 ` Jeff Liu
2014-02-10 14:50 ` Dan Carpenter [this message]
2014-02-10 21:34 ` Dave Chinner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140210145041.GC26776@mwanda \
--to=dan.carpenter@oracle.com \
--cc=jeff.liu@oracle.com \
--cc=xfs@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.