authorJulia Lawall <Julia.Lawall@lip6.fr>2012-07-09 03:27:14 -0400
committerArtem Bityutskiy <artem.bityutskiy@linux.intel.com>2012-07-20 03:27:25 -0400
commit7074e5eb233343e4bad8c0a3f9e73167cf85a159 (patch)
tree0910c11994429ac78cc55fdbc2f217b630280dd4 /fs/ubifs
parentd51f17ea0a3afe11fb4c4ad6635877e24df2758f (diff)
UBIFS: remove invalid reference to list iterator variable
If list_for_each_entry, etc complete a traversal of the list, the iterator variable ends up pointing to an address at an offset from the list head, and not a meaningful structure. Thus this value should not be used after the end of the iterator. Replace a field access from orphan by NULL in two places. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ identifier c; expression E; iterator name list_for_each_entry; statement S; @@ list_for_each_entry(c,...) { ... when != break; when forall when strict } ... ( c = E | *c ) // </smpl> Artem: fortunately, this did not cause any issues because we iterate the orphan list using the elements count, so we never dereferenced the corrupted pointer. This is why I do not send this patch to -stable. But otherwise - well spotted! Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr> Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@linux.intel.com>
Diffstat (limited to 'fs/ubifs')
-rw-r--r--fs/ubifs/orphan.c4
1 files changed, 2 insertions, 2 deletions
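diff --git a/fs/ubifs/orphan.c b/fs/ubifs/orphan.c
index b02734db187c..cebf17ea0458 100644
--- a/fs/ubifs/orphan.c
+++ b/fs/ubifs/orphan.c
@@ -176,7 +176,7 @@ int ubifs_orphan_start_commit(struct ubifs_info *c)
 *last = orphan;
 last = &orphan->cnext;
 }
-*last = orphan->cnext;
+*last = NULL;
 c->cmt_orphans = c->new_orphans;
 c->new_orphans = 0;
 dbg_cmt("%d orphans to commit", c->cmt_orphans);
@@ -382,7 +382,7 @@ static int consolidate(struct ubifs_info *c)
 last = &orphan->cnext;
 cnt += 1;
 }
-*last = orphan->cnext;
+*last = NULL;
 ubifs_assert(cnt == c->tot_orphans - c->new_orphans);
 c->cmt_orphans = cnt;
 c->ohead_lnum = c->orph_first;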
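Review bot: Neither `*last = NULL;` line (in ubifs_orphan_start_commit and in consolidate) has a comment saying why the chain is terminated explicitly, so a later cleanup could reintroduce a read of `orphan` after the loop. I would put `/* 'orphan' is not a valid entry once the walk completes; terminate the cnext chain */` above each one. The commit message says the chain is consumed by element count. If so, having that walker also stop on a NULL `cnext` would turn a count mismatch into a clean stop instead of a stray dereference, but that code is outside these hunks and would need checking. Both function bodies, including the loop headers, start and end outside the hunks shown.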