diff options
author | Julia Lawall <Julia.Lawall@lip6.fr> | 2012-07-09 03:27:14 -0400 |
---|---|---|
committer | Artem Bityutskiy <artem.bityutskiy@linux.intel.com> | 2012-07-20 03:27:25 -0400 |
commit | 7074e5eb233343e4bad8c0a3f9e73167cf85a159 (patch) | |
tree | 0910c11994429ac78cc55fdbc2f217b630280dd4 /fs/ubifs | |
parent | d51f17ea0a3afe11fb4c4ad6635877e24df2758f (diff) |
UBIFS: remove invalid reference to list iterator variable
If list_for_each_entry, etc complete a traversal of the list, the iterator
variable ends up pointing to an address at an offset from the list head,
and not a meaningful structure. Thus this value should not be used after
the end of the iterator. Replace a field access from orphan by NULL in two
places.
A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)
// <smpl>
@@
identifier c;
expression E;
iterator name list_for_each_entry;
statement S;
@@
list_for_each_entry(c,...) { ... when != break;
when forall
when strict
}
...
(
c = E
|
*c
)
// </smpl>
Artem: fortunately, this did not cause any issues because we iterate the orphan
list using the elements count, so we never dereferenced the corrupted pointer.
This is why I do not send this patch to -stable. But otherwise - well spotted!
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@linux.intel.com>
Diffstat (limited to 'fs/ubifs')
-rw-r--r-- | fs/ubifs/orphan.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/fs/ubifs/orphan.c b/fs/ubifs/orphan.c index b02734db187c..cebf17ea0458 100644 --- a/fs/ubifs/orphan.c +++ b/fs/ubifs/orphan.c | |||
@@ -176,7 +176,7 @@ int ubifs_orphan_start_commit(struct ubifs_info *c) | |||
176 | *last = orphan; | 176 | *last = orphan; |
177 | last = &orphan->cnext; | 177 | last = &orphan->cnext; |
178 | } | 178 | } |
179 | *last = orphan->cnext; | 179 | *last = NULL; |
180 | c->cmt_orphans = c->new_orphans; | 180 | c->cmt_orphans = c->new_orphans; |
181 | c->new_orphans = 0; | 181 | c->new_orphans = 0; |
182 | dbg_cmt("%d orphans to commit", c->cmt_orphans); | 182 | dbg_cmt("%d orphans to commit", c->cmt_orphans); |
@@ -382,7 +382,7 @@ static int consolidate(struct ubifs_info *c) | |||
382 | last = &orphan->cnext; | 382 | last = &orphan->cnext; |
383 | cnt += 1; | 383 | cnt += 1; |
384 | } | 384 | } |
385 | *last = orphan->cnext; | 385 | *last = NULL; |
386 | ubifs_assert(cnt == c->tot_orphans - c->new_orphans); | 386 | ubifs_assert(cnt == c->tot_orphans - c->new_orphans); |
387 | c->cmt_orphans = cnt; | 387 | c->cmt_orphans = cnt; |
388 | c->ohead_lnum = c->orph_first; | 388 | c->ohead_lnum = c->orph_first; |