public inbox for linux-mtd@lists.infradead.org
* question about fs/ubifs/orphan.c
@ 2012-07-08  9:21 Julia Lawall
  2012-07-08  9:22 ` Julia Lawall
  2012-07-08 12:40 ` Artem Bityutskiy
From: Julia Lawall @ 2012-07-08  9:21 UTC (permalink / raw)
  To: dedekind1, adrian.hunter, linux-mtd

The function ubifs_orphan_start_commit contains the code:

         list_for_each_entry(orphan, &c->orph_new, new_list) {
                 ubifs_assert(orphan->new);
                 orphan->new = 0;
                 *last = orphan;
                 last = &orphan->cnext;
         }
         *last = orphan->cnext;

After list_for_each_entry, orphan is just an address at an offset from the 
list head, not a pointer to a real structure.  So it does not seem correct 
to access its cnext field.

julia


* Re: question about fs/ubifs/orphan.c
  2012-07-08  9:21 question about fs/ubifs/orphan.c Julia Lawall
@ 2012-07-08  9:22 ` Julia Lawall
  2012-07-09  6:46   ` Adrian Hunter
  2012-07-08 12:40 ` Artem Bityutskiy
From: Julia Lawall @ 2012-07-08  9:22 UTC (permalink / raw)
  To: dedekind1; +Cc: linux-mtd, adrian.hunter

There is another occurrence of the same pattern in the function 
consolidate in the same file.

julia

On Sun, 8 Jul 2012, Julia Lawall wrote:

> The function ubifs_orphan_start_commit contains the code:
>
>        list_for_each_entry(orphan, &c->orph_new, new_list) {
>                ubifs_assert(orphan->new);
>                orphan->new = 0;
>                *last = orphan;
>                last = &orphan->cnext;
>        }
>        *last = orphan->cnext;
>
> After list_for_each_entry, orphan is just an address at an offset from the 
> list head, not a pointer to a real structure.  So it does not seem correct 
> to access its cnext field.
>
> julia
>


* Re: question about fs/ubifs/orphan.c
  2012-07-08  9:21 question about fs/ubifs/orphan.c Julia Lawall
  2012-07-08  9:22 ` Julia Lawall
@ 2012-07-08 12:40 ` Artem Bityutskiy
  2012-07-08 13:06   ` Julia Lawall
  2012-07-09  6:47   ` Adrian Hunter
From: Artem Bityutskiy @ 2012-07-08 12:40 UTC (permalink / raw)
  To: Julia Lawall; +Cc: linux-mtd, adrian.hunter


On Sun, 2012-07-08 at 11:21 +0200, Julia Lawall wrote:
> The function ubifs_orphan_start_commit contains the code:
> 
>          list_for_each_entry(orphan, &c->orph_new, new_list) {
>                  ubifs_assert(orphan->new);
>                  orphan->new = 0;
>                  *last = orphan;
>                  last = &orphan->cnext;
>          }
>          *last = orphan->cnext;
> 
> After list_for_each_entry, orphan is just an address at an offset from the 
> list head, not a pointer to a real structure.  So it does not seem correct 
> to access its cnext field.

Looks like you've spotted a bug - we write some irrelevant address to an
area within the 'struct ubifs_info'.

I think what the code meant to do is to write NULL there:

- *last = orphan->cnext;
+ *last = NULL;
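Review bot: the replacement is the right terminator, and it matters on both loop exits, not only when the list is empty: after list_for_each_entry the iterator is always container_of() of the orph_new head, which lives inside struct ubifs_info, so `*last = orphan->cnext;` reads outside any real orphan and stores that value either in the last entry's cnext or, for an empty list, in whatever `last` pointed to before the loop. Since the same pattern is reported in consolidate() in the same file, that site should get the identical `*last = NULL;` change in the same patch.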

I wonder if this could be a reason for some of the strange bugs we have seen
reports for.

Well-spotted Julia, thanks! How did you do this - writing another cocci
script for the kernel?

-- 
Best Regards,
Artem Bityutskiy

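To make the aliasing concrete, here is an added stand-alone C example (not code from the kernel or from this thread) with a minimal reimplementation of list_for_each_entry and constructed look-alikes of the ubifs_orphan / ubifs_info fields involved: it checks that the iterator ends up pointing at the list head embedded in the info struct, and runs the loop with the proposed `*last = NULL` change so the cnext chain is properly terminated for empty and non-empty lists. The names orphan, info, make_info, iterator_aliases_head and start_commit_fixed are assumptions of this example.

```c
#include <stddef.h>
/* Minimal stand-ins for the kernel list helpers; not the kernel's own code. */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member)                            \
	for (pos = container_of((head)->next, __typeof__(*pos), member);  \
	     &pos->member != (head);                                      \
	     pos = container_of(pos->member.next, __typeof__(*pos), member))
static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n; }

/* Constructed look-alikes of the ubifs_orphan / ubifs_info fields involved. */
struct orphan { struct list_head new_list; struct orphan *cnext; };
struct info { struct list_head orph_new; struct orphan *orph_cnext; };

/* Build an info whose orph_new holds `count` (at most 8) new orphans. */
static struct info *make_info(int count)
{
	static struct info c;
	static struct orphan pool[8];
	c.orph_new.next = c.orph_new.prev = &c.orph_new;
	for (int i = 0; i < count && i < 8; i++)
		list_add_tail(&pool[i].new_list, &c.orph_new);
	return &c;
}

/* After the loop, `orphan` is container_of() of the head embedded in struct
 * info, so the original `orphan->cnext` read lands outside any real orphan.
 * Returns 1 when that aliasing holds, for empty and non-empty lists alike. */
static int iterator_aliases_head(struct info *c)
{
	struct orphan *orphan;
	list_for_each_entry(orphan, &c->orph_new, new_list) { }
	return &orphan->new_list == &c->orph_new;
}

/* The loop with the proposed fix; returns the length of the cnext chain,
 * which is NULL-terminated for both the empty and the non-empty case. */
static int start_commit_fixed(struct info *c)
{
	struct orphan *orphan, **last = &c->orph_cnext;
	int n = 0;
	list_for_each_entry(orphan, &c->orph_new, new_list) {
		*last = orphan;
		last = &orphan->cnext;
	}
	*last = NULL;	/* was: *last = orphan->cnext; */
	for (orphan = c->orph_cnext; orphan; orphan = orphan->cnext) n++;
	return n;
}
```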


* Re: question about fs/ubifs/orphan.c
  2012-07-08 12:40 ` Artem Bityutskiy
@ 2012-07-08 13:06   ` Julia Lawall
  2012-07-09  6:47   ` Adrian Hunter
From: Julia Lawall @ 2012-07-08 13:06 UTC (permalink / raw)
  To: Artem Bityutskiy; +Cc: linux-mtd, adrian.hunter

On Sun, 8 Jul 2012, Artem Bityutskiy wrote:

> On Sun, 2012-07-08 at 11:21 +0200, Julia Lawall wrote:
>> The function ubifs_orphan_start_commit contains the code:
>>
>>          list_for_each_entry(orphan, &c->orph_new, new_list) {
>>                  ubifs_assert(orphan->new);
>>                  orphan->new = 0;
>>                  *last = orphan;
>>                  last = &orphan->cnext;
>>          }
>>          *last = orphan->cnext;
>>
>> After list_for_each_entry, orphan is just an address at an offset from the
>> list head, not a pointer to a real structure.  So it does not seem correct
>> to access its cnext field.
>
> Looks like you've spotted a bug - we write some irrelevant address to an
> area within the 'struct ubifs_info'.
>
> I think what the code meant to do is to write NULL there:
>
> - *last = orphan->cnext;
> + *last = NULL;
>
> I wonder if this could be a reason for some of the strange bugs we have seen
> reports for.
>
> Well-spotted Julia, thanks! How did you do this - writing another cocci
> script for the kernel?

Yes: http://lkml.indiana.edu/hypermail/linux/kernel/1207.1/00028.html

I'll send a patch.

julia


* Re: question about fs/ubifs/orphan.c
  2012-07-08  9:22 ` Julia Lawall
@ 2012-07-09  6:46   ` Adrian Hunter
  2012-07-09  7:21     ` Julia Lawall
From: Adrian Hunter @ 2012-07-09  6:46 UTC (permalink / raw)
  To: Julia Lawall; +Cc: linux-mtd, dedekind1

On 08/07/12 12:22, Julia Lawall wrote:
> There is another occurrence of the same pattern in the function consolidate
> in the same file.

Yes. It needs the same fix.  Will you send a patch?

> 
> julia
> 
> On Sun, 8 Jul 2012, Julia Lawall wrote:
> 
>> The function ubifs_orphan_start_commit contains the code:
>>
>>        list_for_each_entry(orphan, &c->orph_new, new_list) {
>>                ubifs_assert(orphan->new);
>>                orphan->new = 0;
>>                *last = orphan;
>>                last = &orphan->cnext;
>>        }
>>        *last = orphan->cnext;
>>
>> After list_for_each_entry, orphan is just an address at an offset from the
>> list head, not a pointer to a real structure.  So it does not seem correct
>> to access its cnext field.
>>
>> julia
>>
> 
> 


* Re: question about fs/ubifs/orphan.c
  2012-07-08 12:40 ` Artem Bityutskiy
  2012-07-08 13:06   ` Julia Lawall
@ 2012-07-09  6:47   ` Adrian Hunter
From: Adrian Hunter @ 2012-07-09  6:47 UTC (permalink / raw)
  To: Artem Bityutskiy; +Cc: Julia Lawall, linux-mtd

On 08/07/12 15:40, Artem Bityutskiy wrote:
> On Sun, 2012-07-08 at 11:21 +0200, Julia Lawall wrote:
>> The function ubifs_orphan_start_commit contains the code:
>>
>>          list_for_each_entry(orphan, &c->orph_new, new_list) {
>>                  ubifs_assert(orphan->new);
>>                  orphan->new = 0;
>>                  *last = orphan;
>>                  last = &orphan->cnext;
>>          }
>>          *last = orphan->cnext;
>>
>> After list_for_each_entry, orphan is just an address at an offset from the 
>> list head, not a pointer to a real structure.  So it does not seem correct 
>> to access its cnext field.
> 
> Looks like you've spotted a bug - we write some irrelevant address to an
> area within the 'struct ubifs_info'.
> 
> I think what the code meant to do is to write NULL there:
> 
> - *last = orphan->cnext;
> + *last = NULL;
> 
> I wonder if this could be a reason for some of the strange bugs we have seen
> reports for.

Perhaps not, because in that case c->cmt_orphans is zero so the cnext list
is never dereferenced.

> 
> Well-spotted Julia, thanks! How did you do this - writing another cocci
> script for the kernel?
> 


* Re: question about fs/ubifs/orphan.c
  2012-07-09  6:46   ` Adrian Hunter
@ 2012-07-09  7:21     ` Julia Lawall
From: Julia Lawall @ 2012-07-09  7:21 UTC (permalink / raw)
  To: Adrian Hunter; +Cc: linux-mtd, dedekind1

On Mon, 9 Jul 2012, Adrian Hunter wrote:

> On 08/07/12 12:22, Julia Lawall wrote:
>> There is another occurrence of the same pattern in the function consolidate
>> in the same file.
>
> Yes. It needs the same fix.  Will you send a patch?

Oops, I seem to have overlooked it again.  I will send a patch that fixes 
both.

julia

>>
>> julia
>>
>> On Sun, 8 Jul 2012, Julia Lawall wrote:
>>
>>> The function ubifs_orphan_start_commit contains the code:
>>>
>>>        list_for_each_entry(orphan, &c->orph_new, new_list) {
>>>                ubifs_assert(orphan->new);
>>>                orphan->new = 0;
>>>                *last = orphan;
>>>                last = &orphan->cnext;
>>>        }
>>>        *last = orphan->cnext;
>>>
>>> After list_for_each_entry, orphan is just an address at an offset from the
>>> list head, not a pointer to a real structure.  So it does not seem correct
>>> to access its cnext field.
>>>
>>> julia
>>>
>>
>>
>
>
>

