On Sun, 2012-07-08 at 11:21 +0200, Julia Lawall wrote:
> The function ubifs_orphan_start_commit contains the code:
>
> list_for_each_entry(orphan, &c->orph_new, new_list) {
> 	ubifs_assert(orphan->new);
> 	orphan->new = 0;
> 	*last = orphan;
> 	last = &orphan->cnext;
> }
> *last = orphan->cnext;
>
> After list_for_each_entry, orphan is just an address at an offset from the
> list head, not a pointer to a real structure. So it does not seem correct
> to access its cnext field.

Looks like you've spotted a bug - we write some irrelevant address to an
area within the 'struct ubifs_info'. I think what the code meant to do is
to write NULL there:

-	*last = orphan->cnext;
+	*last = NULL;

I wonder if this could be a reason for some of the strange bugs we have
seen reports for.

Well-spotted Julia, thanks! How did you do this - writing another cocci
script for the kernel?

-- 
Best Regards,
Artem Bityutskiy
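Review bot: `*last = NULL;` is the right terminator for the cnext chain the loop builds, but the two-line hunk carries no context, so its correctness rests on `last` having been initialised to the chain head before the loop, which is not visible here. In particular, when `orph_new` is empty the loop body never runs and the NULL is written through that initial value of `last`, so the initialisation line is what makes the empty-list case safe and is worth showing as context in the actual patch.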
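To make the pitfall concrete, the following is an added userspace example (not UBIFS code and not part of the thread) that models the pattern Julia describes: it re-implements the kernel's `container_of` and `list_for_each_entry` with the same semantics, uses hypothetical `struct orphan` and `struct ctx` types standing in for `struct ubifs_orphan` and the relevant part of `struct ubifs_info`, shows that the cursor left behind by `list_for_each_entry` is the list head's container rather than any real element, and builds the cnext chain with the NULL terminator the reply proposes. The list helpers, struct layouts and sample data are all constructed for the demonstration.

```c
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Minimal userspace stand-ins for <linux/list.h> (assumption: same
 * semantics as the kernel helpers, written here so the file builds alone). */
struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

#define list_for_each_entry(pos, head, member)                            \
	for (pos = container_of((head)->next, __typeof__(*pos), member); \
	     &pos->member != (head);                                      \
	     pos = container_of(pos->member.next, __typeof__(*pos), member))

static void init_list_head(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev;
	n->next = h;
	h->prev->next = n;
	h->prev = n;
}

/* Hypothetical orphan record carrying the fields the thread names. */
struct orphan {
	int new;
	struct list_head new_list; /* membership in the "new" list */
	struct orphan *cnext;      /* singly linked commit chain */
};

/* Hypothetical stand-in for the part of the context that matters here. */
struct ctx {
	struct list_head orph_new;
	struct orphan *orph_cnext; /* head of the commit chain */
};

/* Constructed input: n orphans queued on c->orph_new, all flagged new. */
static void build_ctx(struct ctx *c, struct orphan *o, int n)
{
	init_list_head(&c->orph_new);
	c->orph_cnext = NULL;
	for (int i = 0; i < n; i++) {
		o[i].new = 1;
		o[i].cnext = NULL;
		list_add_tail(&o[i].new_list, &c->orph_new);
	}
}

/* The pitfall: when list_for_each_entry finishes, the cursor is
 * container_of(head), an address derived from the list head inside the
 * context, not a real orphan. Returns true when that is the case. */
static bool cursor_is_list_head(struct ctx *c)
{
	struct orphan *orphan;

	list_for_each_entry(orphan, &c->orph_new, new_list)
		; /* empty body: only the final cursor value is of interest */
	return &orphan->new_list == &c->orph_new;
}

/* Corrected pattern: chain the orphans through cnext with a tail pointer
 * and terminate with NULL, never dereferencing the cursor after the loop. */
static void start_commit_fixed(struct ctx *c)
{
	struct orphan *orphan, **last = &c->orph_cnext;

	list_for_each_entry(orphan, &c->orph_new, new_list) {
		orphan->new = 0;
		*last = orphan;
		last = &orphan->cnext;
	}
	*last = NULL; /* the fix the reply proposes */
}

/* Walk the commit chain; returns its length, or -1 if no NULL terminator is
 * found within max steps (what a garbage terminator would look like). */
static int chain_length(const struct ctx *c, int max)
{
	int n = 0;

	for (const struct orphan *o = c->orph_cnext; o; o = o->cnext)
		if (++n > max)
			return -1;
	return n;
}

int main(void)
{
	struct ctx c;
	struct orphan o[3];

	build_ctx(&c, o, 3);
	start_commit_fixed(&c);
	printf("cursor is list head: %d, chain length: %d\n",
	       cursor_is_list_head(&c), chain_length(&c, 10));
	return 0;
}
```

The loop condition `&pos->member != head` is exactly why the cursor is unusable afterwards: the loop exits on the one value of `pos` whose embedded `list_head` is the head itself, so any field read through it lands somewhere inside the containing context. Terminating with `*last = NULL` also covers the empty-list case, since `last` still points at `c->orph_cnext` when the body never runs.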