* [bug report] ubifs: Don't leak orphans on memory during commit
@ 2019-05-21 7:09 Dan Carpenter
2019-05-21 7:22 ` Richard Weinberger
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2019-05-21 7:09 UTC (permalink / raw)
To: richard; +Cc: linux-mtd
Hello Richard Weinberger,
The patch c16e73587ad6: "ubifs: Don't leak orphans on memory during
commit" from May 15, 2019, leads to the following static checker
warning:
fs/ubifs/orphan.c:231 ubifs_delete_orphan()
warn: 'orph' was already freed.
fs/ubifs/orphan.c
214 void ubifs_delete_orphan(struct ubifs_info *c, ino_t inum)
215 {
216 struct ubifs_orphan *orph, *child_orph, *tmp_o;
217
218 spin_lock(&c->orphan_lock);
219
220 orph = lookup_orphan(c, inum);
221 if (!orph) {
222 spin_unlock(&c->orphan_lock);
223 ubifs_err(c, "missing orphan ino %lu", (unsigned long)inum);
224 dump_stack();
225
226 return;
227 }
228
229 orphan_delete(c, orph);
^^^^
The "orph" pointer is sometimes free in orphan_delete().
230
231 list_for_each_entry_safe(child_orph, tmp_o, &orph->child_list, child_list) {
^^^^
use after free?
232 list_del(&child_orph->child_list);
233 orphan_delete(c, child_orph);
234 }
235
236 spin_unlock(&c->orphan_lock);
237 }
regards,
dan carpenter
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
^ permalink raw reply [flat|nested] 2+ messages in thread* Re: [bug report] ubifs: Don't leak orphans on memory during commit
2019-05-21 7:09 [bug report] ubifs: Don't leak orphans on memory during commit Dan Carpenter
@ 2019-05-21 7:22 ` Richard Weinberger
0 siblings, 0 replies; 2+ messages in thread
From: Richard Weinberger @ 2019-05-21 7:22 UTC (permalink / raw)
To: Dan Carpenter; +Cc: linux-mtd
Dan,
----- Ursprüngliche Mail -----
> Von: "Dan Carpenter" <dan.carpenter@oracle.com>
> An: "richard" <richard@nod.at>
> CC: "linux-mtd" <linux-mtd@lists.infradead.org>
> Gesendet: Dienstag, 21. Mai 2019 09:09:37
> Betreff: [bug report] ubifs: Don't leak orphans on memory during commit
> Hello Richard Weinberger,
>
> The patch c16e73587ad6: "ubifs: Don't leak orphans on memory during
> commit" from May 15, 2019, leads to the following static checker
> warning:
>
> fs/ubifs/orphan.c:231 ubifs_delete_orphan()
> warn: 'orph' was already freed.
>
> fs/ubifs/orphan.c
> 214 void ubifs_delete_orphan(struct ubifs_info *c, ino_t inum)
> 215 {
> 216 struct ubifs_orphan *orph, *child_orph, *tmp_o;
> 217
> 218 spin_lock(&c->orphan_lock);
> 219
> 220 orph = lookup_orphan(c, inum);
> 221 if (!orph) {
> 222 spin_unlock(&c->orphan_lock);
> 223 ubifs_err(c, "missing orphan ino %lu", (unsigned
> long)inum);
> 224 dump_stack();
> 225
> 226 return;
> 227 }
> 228
> 229 orphan_delete(c, orph);
> ^^^^
> The "orph" pointer is sometimes free in orphan_delete().
>
> 230
> 231 list_for_each_entry_safe(child_orph, tmp_o, &orph->child_list,
> child_list) {
> ^^^^
> use after free?
>
> 232 list_del(&child_orph->child_list);
> 233 orphan_delete(c, child_orph);
> 234 }
> 235
> 236 spin_unlock(&c->orphan_lock);
> 237 }
Thanks a lot for the heads up.
This commit is not ready yet and will be replaced with a newer version.
Thanks,
//richard
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-05-21 7:22 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-05-21 7:09 [bug report] ubifs: Don't leak orphans on memory during commit Dan Carpenter
2019-05-21 7:22 ` Richard Weinberger
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.