question about fs/ubifs/orphan.c
Artem Bityutskiy
dedekind1 at gmail.com
Sun Jul 8 08:40:13 EDT 2012
On Sun, 2012-07-08 at 11:21 +0200, Julia Lawall wrote:
> The function ubifs_orphan_start_commit contains the code:
>
> list_for_each_entry(orphan, &c->orph_new, new_list) {
>         ubifs_assert(orphan->new);
>         orphan->new = 0;
>         *last = orphan;
>         last = &orphan->cnext;
> }
> *last = orphan->cnext;
>
> After list_for_each_entry, orphan is just an address at an offset from the
> list head, not a pointer to a real structure. So it does not seem correct
> to access its cnext field.
Looks like you've spotted a bug - we write some irrelevant address to an
area within the 'struct ubifs_info'.
I think what the code meant to do is to write NULL there:
- *last = orphan->cnext;
+ *last = NULL;
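Review bot: `*last = NULL` is the correct terminator here: on loop exit `last` holds the address of the final orphan's `cnext` field (or of the head pointer when `orph_new` is empty), whereas `orphan` is the list head cast back to a `struct orphan`, so `orphan->cnext` reads through an invalid pointer exactly as Julia described. A one-line comment above the store saying it terminates the cnext chain would keep the intent from being mistaken for a dropped link later.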
I wonder if this could be a reason for some of the strange bugs we have seen
reports for.
Well-spotted Julia, thanks! How did you do this - writing another cocci
script for the kernel?
--
Best Regards,
Artem Bityutskiy
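To make the post-loop state of a list_for_each_entry() iterator concrete, here is an added example (not code from UBIFS or from either poster). It uses constructed stand-ins for the kernel's list helpers and for the two structures the snippet touches ('struct orphan' and 'struct info' standing in for 'struct ubifs_info'); the field names orph_new, orph_cnext, new_list, cnext and new are taken from the thread, everything else is assumed. It shows that after the loop 'orphan' points at the list head rather than at any orphan, and that terminating the chain with NULL yields a well-formed, NULL-terminated cnext chain for both empty and non-empty lists.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel's list helpers (not the real ones). */
struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)
#define list_for_each_entry(pos, head, member)                           \
	for (pos = list_entry((head)->next, __typeof__(*pos), member);   \
	     &pos->member != (head);                                     \
	     pos = list_entry(pos->member.next, __typeof__(*pos), member))

static void init_list_head(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n;
}

struct orphan {                      /* only the fields the snippet uses */
	struct list_head new_list;   /* membership in c->orph_new */
	struct orphan *cnext;        /* singly linked commit chain */
	int new;
};

struct info {                        /* stand-in for struct ubifs_info */
	struct list_head orph_new;
	struct orphan *orph_cnext;   /* head of the commit chain */
};

/* Build c->orph_new from n orphans (constructed sample input). */
static void setup(struct info *c, struct orphan *o, int n)
{
	init_list_head(&c->orph_new);
	c->orph_cnext = NULL;
	for (int i = 0; i < n; i++) {
		o[i].new = 1;
		o[i].cnext = NULL;
		list_add_tail(&o[i].new_list, &c->orph_new);
	}
}

/* 1 if, after list_for_each_entry runs to completion, the iterator equals
 * container_of(&c->orph_new, ...): it points into 'c', not at any orphan.
 * That is the pointer the original "*last = orphan->cnext" read through. */
static int iterator_is_bogus_after_loop(struct info *c)
{
	struct orphan *orphan;
	list_for_each_entry(orphan, &c->orph_new, new_list)
		;
	return (void *)orphan ==
	       (void *)((char *)&c->orph_new - offsetof(struct orphan, new_list));
}

/* The loop from ubifs_orphan_start_commit with the proposed fix applied. */
static void start_commit_fixed(struct info *c)
{
	struct orphan *orphan, **last = &c->orph_cnext;

	list_for_each_entry(orphan, &c->orph_new, new_list) {
		orphan->new = 0;
		*last = orphan;          /* append to the cnext chain */
		last = &orphan->cnext;   /* where the next link will go */
	}
	/* 'last' addresses the final cnext field, or c->orph_cnext when the
	 * list was empty; NULL terminates the chain without touching the
	 * bogus post-loop iterator. */
	*last = NULL;
}

/* Length of the cnext chain, or -1 if no NULL terminator within 'bound'. */
static int chain_len(const struct info *c, int bound)
{
	int n = 0;
	for (const struct orphan *p = c->orph_cnext; p; p = p->cnext)
		if (++n > bound)
			return -1;
	return n;
}

/* Builds n orphans and reports whether the iterator is bogus afterwards. */
static int bogus_iterator_sample(int n)
{
	struct info c; struct orphan o[8];
	if (n < 0 || n > 8) return 0;
	setup(&c, o, n);
	return iterator_is_bogus_after_loop(&c);
}

/* Builds n orphans, runs the fixed loop and checks the chain: returns 1 when
 * it has length n, is NULL-terminated, links o[0]..o[n-1] in order and every
 * 'new' flag is cleared; 0 otherwise. */
static int commit_chain_ok(int n)
{
	struct info c; struct orphan o[8];
	if (n < 0 || n > 8) return 0;
	setup(&c, o, n);
	start_commit_fixed(&c);
	if (chain_len(&c, 16) != n) return 0;
	for (int i = 0; i < n; i++)
		if (o[i].new != 0 || o[i].cnext != (i + 1 < n ? &o[i + 1] : NULL))
			return 0;
	return n == 0 ? c.orph_cnext == NULL : c.orph_cnext == &o[0];
}

int main(void)
{
	printf("iterator bogus after loop (3 orphans): %d\n", bogus_iterator_sample(3));
	printf("iterator bogus after loop (empty):     %d\n", bogus_iterator_sample(0));
	printf("fixed chain ok (3 orphans): %d, (empty): %d\n",
	       commit_chain_ok(3), commit_chain_ok(0));
	return 0;
}
```

Because new_list is the first member here, the post-loop iterator is literally the address of 'c', so the original store would have copied whatever sits at the cnext offset inside the info structure into the chain's last link; in the real 'struct ubifs_info' that is some unrelated field, which is the "irrelevant address" Artem mentions.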