diff options
author | Julia Lawall <Julia.Lawall@lip6.fr> | 2012-07-09 09:27:14 +0200 |
---|---|---|
committer | Artem Bityutskiy <artem.bityutskiy@linux.intel.com> | 2012-07-20 10:27:25 +0300 |
commit | 7074e5eb233343e4bad8c0a3f9e73167cf85a159 (patch) | |
tree | 0910c11994429ac78cc55fdbc2f217b630280dd4 /fs/ubifs/dir.c | |
parent | d51f17ea0a3afe11fb4c4ad6635877e24df2758f (diff) | |
download | op-kernel-dev-7074e5eb233343e4bad8c0a3f9e73167cf85a159.zip op-kernel-dev-7074e5eb233343e4bad8c0a3f9e73167cf85a159.tar.gz |
UBIFS: remove invalid reference to list iterator variable
If list_for_each_entry, etc complete a traversal of the list, the iterator
variable ends up pointing to an address at an offset from the list head,
and not a meaningful structure. Thus this value should not be used after
the end of the iterator. Replace a field access from orphan by NULL in two
places.
A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)
// <smpl>
@@
identifier c;
expression E;
iterator name list_for_each_entry;
statement S;
@@
list_for_each_entry(c,...) { ... when != break;
when forall
when strict
}
...
(
c = E
|
*c
)
// </smpl>
Artem: fortunately, this did not cause any issues because we iterate the orphan
list using the elements count, so we never dereferenced the corrupted pointer.
This is why I do not send this patch to -stable. But otherwise - well spotted!
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@linux.intel.com>
Diffstat (limited to 'fs/ubifs/dir.c')
0 files changed, 0 insertions, 0 deletions