UBIFS: remove invalid reference to list iterator variable
If list_for_each_entry, etc complete a traversal of the list, the iterator variable ends up pointing to an address at an offset from the list head, and not a meaningful structure. Thus this value should not be used after the end of the iterator. Replace a field access from orphan by NULL in two places. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ identifier c; expression E; iterator name list_for_each_entry; statement S; @@ list_for_each_entry(c,...) { ... when != break; when forall when strict } ... ( c = E | *c ) // </smpl> Artem: fortunately, this did not cause any issues because we iterate the orphan list using the elements count, so we never dereferenced the corrupted pointer. This is why I do not send this patch to -stable. But otherwise - well spotted! Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr> Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@linux.intel.com>
This commit is contained in:
Julia Lawall
Artem Bityutskiy
parent
d51f17ea0a
commit
7074e5eb23
1 changed files with 2 additions and 2 deletions
|
|
@ -176,7 +176,7 @@ int ubifs_orphan_start_commit(struct ubifs_info *c)
|
|||
*last = orphan;
|
||||
last = &orphan->cnext;
|
||||
}
|
||||
*last = orphan->cnext;
|
||||
*last = NULL;
|
||||
c->cmt_orphans = c->new_orphans;
|
||||
c->new_orphans = 0;
|
||||
dbg_cmt("%d orphans to commit", c->cmt_orphans);
|
||||
|
|
@ -382,7 +382,7 @@ static int consolidate(struct ubifs_info *c)
|
|||
last = &orphan->cnext;
|
||||
cnt += 1;
|
||||
}
|
||||
*last = orphan->cnext;
|
||||
*last = NULL;
|
||||
ubifs_assert(cnt == c->tot_orphans - c->new_orphans);
|
||||
c->cmt_orphans = cnt;
|
||||
c->ohead_lnum = c->orph_first;
|
||||
|
|
|
|||
Loading…
Reference in a new issue