Subject: Re: [PATCH 2/3] net/rfkill/core.c: Avoid leaving freed data in a list
From: Johannes Berg
To: Julia Lawall
Cc: kernel-janitors@vger.kernel.org, "John W. Linville", "David S. Miller", linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
In-Reply-To: <1305294731-12127-2-git-send-email-julia@diku.dk>
References: <1305294731-12127-2-git-send-email-julia@diku.dk>
Date: Fri, 13 May 2011 15:55:12 +0200
Message-ID: <1305294912.3468.0.camel@jlt3.sipsolutions.net>

On Fri, 2011-05-13 at 15:52 +0200, Julia Lawall wrote:
> The list_for_each_entry loop can fail, in which case the list element is
> not removed from the list rfkill_fds. Since this list is not accessed by
> the loop, the addition of &data->list into the list is just moved after the
> loop.
>
> The semantic match that finds this problem is as follows:
> (http://coccinelle.lip6.fr/)
>
> //
> @@
> expression E,E1,E2;
> identifier l;
> @@
>
> *list_add(&E->l,E1);
> ... when != E1
>     when != list_del(&E->l)
>     when != list_del_init(&E->l)
>     when != E = E2
> *kfree(E);//
>
> Signed-off-by: Julia Lawall
>
> ---
> I have only verified that rfkill_fds is not accessed by the loop by
> inspecting the code. If this analysis is not correct, the other solution
> would be to leave the list_add where it is and delete the element from the
> list explicitly.

Looks right to me, thanks!

johannes
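
The pattern discussed in this thread, as an added userspace example that is not part of the original mail or the kernel source: an element is linked into a list, a later step fails, and the error path frees the element while it is still linked. The list helpers are minimal stand-ins, and `open_before`, `open_after`, `fake_kfree`, `pool` and the `loop_fails` flag are hypothetical names; kfree() is simulated with a flag so the list can be inspected safely.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace stand-ins for the kernel's list helpers (constructed here). */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h;
    h->next->prev = n; h->next = n;
}

/* Hypothetical per-open data; 'freed' simulates kfree() (assumption). */
struct data { struct list_head list; int freed; };
static struct list_head fds;   /* plays the role of rfkill_fds */
static struct data pool[4];    /* constructed backing storage */
static int used;
static struct data *alloc_data(void) { pool[used].freed = 0; return &pool[used++]; }
static void fake_kfree(struct data *d) { d->freed = 1; }
static void reset(void) { list_init(&fds); used = 0; }

/* Before: the element is already on the list when the fallible loop runs. */
static int open_before(int loop_fails)
{
    struct data *d = alloc_data();
    list_add(&d->list, &fds);
    if (loop_fails) { fake_kfree(d); return -1; }  /* still linked in fds */
    return 0;
}

/* After: list_add moved past the loop; the error path frees an unlinked element. */
static int open_after(int loop_fails)
{
    struct data *d = alloc_data();
    if (loop_fails) { fake_kfree(d); return -1; }
    list_add(&d->list, &fds);
    return 0;
}

/* Number of entries reachable from fds whose storage was "freed". */
static int dangling_entries(void)
{
    int n = 0;
    for (struct list_head *p = fds.next; p != &fds; p = p->next)
        n += ((struct data *)((char *)p - offsetof(struct data, list)))->freed;
    return n;
}

int main(void)
{
    reset(); open_before(1); printf("before: %d dangling\n", dangling_entries());
    reset(); open_after(1);  printf("after:  %d dangling\n", dangling_entries());
    return 0;
}
```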