diff options
author | Julia Lawall <Julia.Lawall@lip6.fr> | 2012-07-09 09:27:14 +0200 |
---|---|---|
committer | Artem Bityutskiy <artem.bityutskiy@linux.intel.com> | 2012-07-20 10:27:25 +0300 |
commit | 7074e5eb233343e4bad8c0a3f9e73167cf85a159 (patch) | |
tree | 0910c11994429ac78cc55fdbc2f217b630280dd4 /fs/ubifs | |
parent | d51f17ea0a3afe11fb4c4ad6635877e24df2758f (diff) | |
download | lwn-7074e5eb233343e4bad8c0a3f9e73167cf85a159.tar.gz lwn-7074e5eb233343e4bad8c0a3f9e73167cf85a159.zip |
UBIFS: remove invalid reference to list iterator variable
If list_for_each_entry, etc complete a traversal of the list, the iterator
variable ends up pointing to an address at an offset from the list head,
and not a meaningful structure. Thus this value should not be used after
the end of the iterator. Replace a field access from orphan by NULL in two
places.
A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)
// <smpl>
@@
identifier c;
expression E;
iterator name list_for_each_entry;
statement S;
@@
list_for_each_entry(c,...) { ... when != break;
when forall
when strict
}
...
(
c = E
|
*c
)
// </smpl>
Artem: fortunately, this did not cause any issues because we iterate the orphan
list using the elements count, so we never dereferenced the corrupted pointer.
This is why I do not send this patch to -stable. But otherwise - well spotted!
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@linux.intel.com>
Diffstat (limited to 'fs/ubifs')
-rw-r--r-- | fs/ubifs/orphan.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/fs/ubifs/orphan.c b/fs/ubifs/orphan.c index b02734db187c..cebf17ea0458 100644 --- a/fs/ubifs/orphan.c +++ b/fs/ubifs/orphan.c @@ -176,7 +176,7 @@ int ubifs_orphan_start_commit(struct ubifs_info *c) *last = orphan; last = &orphan->cnext; } - *last = orphan->cnext; + *last = NULL; c->cmt_orphans = c->new_orphans; c->new_orphans = 0; dbg_cmt("%d orphans to commit", c->cmt_orphans); @@ -382,7 +382,7 @@ static int consolidate(struct ubifs_info *c) last = &orphan->cnext; cnt += 1; } - *last = orphan->cnext; + *last = NULL; ubifs_assert(cnt == c->tot_orphans - c->new_orphans); c->cmt_orphans = cnt; c->ohead_lnum = c->orph_first; |