* [PATCH 2/2] fs/ext4: Eliminate double free
From: Julia Lawall @ 2009-12-20 17:07 UTC (permalink / raw)
To: tytso, Andreas Dilger, linux-ext4, linux-kernel, kernel-janitors
From: Julia Lawall <julia@diku.dk>
b_entry_name and buffer are initially NULL, are initialized within a loop
to the result of calling kmalloc, and are freed at the bottom of this loop.
The loop contains gotos to cleanup, which also frees b_entry_name and
buffer. Some of these gotos are before the reinitializations of
b_entry_name and buffer. To maintain the invariant that b_entry_name and
buffer are NULL at the top of the loop, and thus acceptable arguments to
kfree, these variables are now set to NULL after the kfrees.
This seems to be the simplest solution. A more complicated solution
would be to introduce more labels in the error handling code at the end of
the function.
A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)
// <smpl>
@r@
identifier E;
expression E1;
iterator I;
statement S;
@@
*kfree(E);
... when != E = E1
when != I(E,...) S
when != &E
*kfree(E);
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
---
fs/ext4/xattr.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 83218be..f3a2f7e 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1332,6 +1332,8 @@ retry:
goto cleanup;
kfree(b_entry_name);
kfree(buffer);
+ b_entry_name = NULL;
+ buffer = NULL;
brelse(is->iloc.bh);
kfree(is);
kfree(bs);
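Review bot: the trailing context of this hunk also frees `is` and `bs` (`kfree(is);` / `kfree(bs);`) at the bottom of the same loop without resetting them, while the fix only NULLs `b_entry_name` and `buffer`; if the cleanup label frees `is` and `bs` too, a goto taken before they are reallocated on the next pass would be the same double free, so the commit message should either state that they are always reallocated before any goto or give them the same `= NULL` treatment. The two added lines themselves are sound: kfree() ignores NULL, so the second kfree under cleanup becomes a no-op.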
* Re: [PATCH 2/2] fs/ext4: Eliminate double free
From: tytso @ 2009-12-23 12:53 UTC (permalink / raw)
To: Julia Lawall; +Cc: Andreas Dilger, linux-ext4, linux-kernel, kernel-janitors
On Sun, Dec 20, 2009 at 06:07:10PM +0100, Julia Lawall wrote:
> From: Julia Lawall <julia@diku.dk>
>
> b_entry_name and buffer are initially NULL, are initialized within a loop
> to the result of calling kmalloc, and are freed at the bottom of this loop.
> The loop contains gotos to cleanup, which also frees b_entry_name and
> buffer. Some of these gotos are before the reinitializations of
> b_entry_name and buffer. To maintain the invariant that b_entry_name and
> buffer are NULL at the top of the loop, and thus acceptable arguments to
> kfree, these variables are now set to NULL after the kfrees.
>
> This seems to be the simplest solution. A more complicated solution
> would be to introduce more labels in the error handling code at the end of
> the function.
Thanks, added to the ext4 patch queue.
- Ted