[PATCH] UBI: dereference after kfree in create_vtbl

Artem Bityutskiy dedekind at infradead.org
Sat May 5 09:48:21 EDT 2007


On Sat, 2007-05-05 at 19:02 +0530, Satyam Sharma wrote:
> > write_error:
> > 	if (err == -EIO && ++tries <= 5) {
> > 		/*
> > 		 * Probably this physical eraseblock went bad, try to pick
> > 		 * another one.
> > 		 */
> > 		list_add_tail(&new_seb->u.list, &si->corr);
> > 		goto retry;
> > 	}
> > 	kfree(new_seb);
> > out_free:
> > 	ubi_free_vid_hdr(ubi, vid_hdr);
> > 	return err;
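Review bot: the combined condition `if (err == -EIO && ++tries <= 5)` ties the si->corr bookkeeping to the retry budget, so the first five -EIO failures are queued on si->corr while a sixth -EIO takes the same `kfree(new_seb)` path as a non-EIO error and is never recorded anywhere. That is only harmless because the caller treats any non-zero return from create_vtbl as a fatal attach error and frees every scanning list; a one-line comment above `kfree(new_seb)` saying so would make the asymmetry read as intentional, and the literal 5 would be clearer as a named constant.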
> 
> Ummm ...
> 
> 1. "if (err == -EIO)" applies to adding new_seb to the corrupted list,
> and not to retrying. We wouldn't want _not_ to retry if there's some
> other error, or would we?

In the case of another error - no, we do not want to retry. Only in the
case of -EIO, because we just might have hit a new bad block, which is
unlikely but possible.

If it is anything other than -EIO, then we just return an error and
_refuse_ to attach this MTD device. In this case it does not matter
where we add new_seb. We just drop it. We free all allocated data
structures.

> 2. "if (++tries <= 5)" applies to "goto retry" and not to adding
> new_seb to the corrupted list. If we hit write failure for the 5th
> time and err == -EIO, we should still be adding it to corrupted list,
> but not retry, of course. Otherwise we would add the first 4 write-failure
> (with -EIO) eraseblocks to si->corr, but the 5th _similar_ case is ...
> just freed?

If we hit -EIO more than five times, there is probably something _really
bad_ with this MTD device and we _refuse_ to attach it. We return an error,
and every data structure is freed. It does not matter whether we add new_seb
anywhere or not. It is just freed anyway.

-- 
Best regards,
Artem Bityutskiy (Битюцкий Артём)
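The retry policy Artem describes above (retry only on -EIO, at most five times, park each failed eraseblock on si->corr, and on any other outcome free new_seb and let the attach fail) can be exercised outside the kernel. The following is an added example written for this page; it is not UBI code and not part of the thread. The list and device types, the names create_vtbl_model, scan_info_init, scan_info_free and flash_write, the -ENOSPC result when no candidate eraseblock is left, and the constructed bad-block table are all assumptions made for the illustration.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed userspace model of the create_vtbl retry path discussed in this
 * thread (added example, not UBI code; every name below is an assumption). */
#define MAX_WRITE_TRIES 5
#define NUM_PEBS 16

struct seb {			/* stand-in for UBI's per-eraseblock scan entry */
	int pnum;
	struct seb *next;
};
struct scan_info {		/* stand-in for si: three singly linked lists */
	struct seb *free;	/* candidate eraseblocks, taken front to back */
	struct seb *corr;	/* eraseblocks whose write failed with -EIO */
	struct seb *used;	/* eraseblock the table finally landed on */
};
struct flash {			/* constructed device model */
	int bad[NUM_PEBS];	/* bad[p] != 0: writes to pnum p fail with -EIO */
	int inject_errno;	/* non-zero: every write fails with -inject_errno */
};

static void list_add_tail(struct seb **head, struct seb *e)
{
	e->next = NULL;
	while (*head)
		head = &(*head)->next;
	*head = e;
}

static struct seb *list_pop_front(struct seb **head)
{
	struct seb *e = *head;
	if (e) *head = e->next;
	return e;
}

static int list_len(const struct seb *e)
{
	int n = 0;
	for (; e; e = e->next) n++;
	return n;
}

static int flash_write(const struct flash *fl, int pnum)
{
	if (fl->inject_errno)
		return -fl->inject_errno;
	return (pnum >= NUM_PEBS || fl->bad[pnum]) ? -EIO : 0;
}

/* Queues pnums 0..n-1 on si->free; returns how many were queued. */
static int scan_info_init(struct scan_info *si, int n)
{
	si->free = si->corr = si->used = NULL;
	for (int p = 0; p < n; p++) {
		struct seb *e = malloc(sizeof(*e));
		if (!e)
			return p;
		e->pnum = p;
		list_add_tail(&si->free, e);
	}
	return n;
}

/* What the attach code does on any error from create_vtbl: drop every list. */
static void scan_info_free(struct scan_info *si)
{
	struct seb **lists[] = { &si->free, &si->corr, &si->used }, *e;
	for (int i = 0; i < 3; i++)
		while ((e = list_pop_front(lists[i])))
			free(e);
}

/* Mirrors the quoted error path: an -EIO write moves new_seb onto si->corr and
 * picks another block, at most MAX_WRITE_TRIES times; any other error, or an
 * -EIO once the retries are used up, frees new_seb and returns the error. */
static int create_vtbl_model(const struct flash *fl, struct scan_info *si)
{
	struct seb *new_seb;
	int err, tries = 0;

retry:
	new_seb = list_pop_front(&si->free);
	if (!new_seb)
		return -ENOSPC;		/* assumption: no candidate eraseblock left */
	err = flash_write(fl, new_seb->pnum);
	if (err)
		goto write_error;
	list_add_tail(&si->used, new_seb);	/* si owns it now; keep no stale pointer */
	return 0;

write_error:
	if (err == -EIO && ++tries <= MAX_WRITE_TRIES) {
		list_add_tail(&si->corr, new_seb);	/* new_seb now belongs to si->corr */
		goto retry;
	}
	free(new_seb);
	new_seb = NULL;		/* the bug in the subject line: nothing past here may touch it */
	return err;
}
```

Running create_vtbl_model against a device with six consecutive bad candidates shows the asymmetry Satyam asked about: five entries end up on si->corr, the sixth is freed, and the function returns -EIO, after which the only correct move for the caller is scan_info_free, exactly as Artem says the attach path does.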
