Re: [PATCH] bcache: run bch_keylist_free after pop in out_nocoalesce branch of btree_gc_coalesce

Hi Shenghui,

On 2019/2/8 3:46 PM, Shenghui Wang wrote:
> bch_keylist_free() frees dynamic memory if any and will not change

Is there a typo in "if any and will not"?

> pointer members of keylist. But we cannot guarantee the content of
> the freed memory is not changed on entering following while and pop
> loop. Move bch_keylist_free() calling after the while loop to avoid
> wrong content accessed.
> 

It seems there is a use-after-free issue here. I am OK with this change, good
catch :-) Could you please explicitly point out that your patch fixes a
use-after-free bug, and fix the above typo (if it is one)?

Thanks.

Coly Li

> Signed-off-by: Shenghui Wang <shhuiw@xxxxxxxxxxx>
> ---
>  drivers/md/bcache/btree.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c
> index 23cb1dc7296b..13671f381c44 100644
> --- a/drivers/md/bcache/btree.c
> +++ b/drivers/md/bcache/btree.c
> @@ -1475,11 +1475,11 @@ static int btree_gc_coalesce(struct btree *b, struct btree_op *op,
>  
>  out_nocoalesce:
>  	closure_sync(&cl);
> -	bch_keylist_free(&keylist);
>  
>  	while ((k = bch_keylist_pop(&keylist)))
>  		if (!bkey_cmp(k, &ZERO_KEY))
>  			atomic_dec(&b->c->prio_blocked);
> +	bch_keylist_free(&keylist);
>  
>  	for (i = 0; i < nodes; i++)
>  		if (!IS_ERR_OR_NULL(new_nodes[i])) {
> 
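Review bot: the changelog should state outright that the old order in out_nocoalesce is a use-after-free: bch_keylist_free(&keylist) ran before the while ((k = bch_keylist_pop(&keylist))) loop, so each popped k was compared against ZERO_KEY after any dynamically allocated key storage had already been released. Placing the call after the loop is the right order; consider separating the moved bch_keylist_free(&keylist) from the loop body with a blank line and adding a one-line comment that the free must stay after the pop loop, so a later cleanup does not reverse the ordering again.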


-- 

Coly Li
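
The ordering issue discussed in this message, as an added example that is not part of the original thread and is not bcache code: a simplified user-space model in which `struct keylist`, `keylist_push()`, `keylist_pop()`, `keylist_free()` and `drain_then_free()` are hypothetical names. Unlike `bch_keylist_free()` as described in the quoted changelog, the model's free also resets the list, so a pop that runs after the free returns NULL instead of a pointer into released memory.

```c
#include <stdint.h>
#include <stdlib.h>

/* Simplified user-space model of a keylist (assumed layout, not bcache's). */
struct keylist {
	uint64_t *keys;   /* heap storage, NULL until the first push */
	size_t nr, cap;   /* keys stored, slots allocated */
};

static int keylist_push(struct keylist *l, uint64_t k)
{
	if (l->nr == l->cap) {          /* full: grow the heap buffer */
		size_t cap = l->cap ? 2 * l->cap : 4;
		uint64_t *p = realloc(l->keys, cap * sizeof(*p));
		if (!p)
			return -1;
		l->keys = p;
		l->cap = cap;
	}
	l->keys[l->nr++] = k;
	return 0;
}

/* Pop returns a pointer INTO the list's storage, or NULL when empty. */
static uint64_t *keylist_pop(struct keylist *l)
{
	return l->nr ? &l->keys[--l->nr] : NULL;
}

/* Free and reset (the reset is this model's hardening): a late pop then
 * sees an empty list instead of pointers into released memory. */
static void keylist_free(struct keylist *l)
{
	free(l->keys);
	l->keys = NULL;
	l->nr = l->cap = 0;
}

/* Patched order: dereference every popped key first, free afterwards. */
static int drain_then_free(struct keylist *l)
{
	int zero_keys = 0;
	uint64_t *k;
	while ((k = keylist_pop(l)))
		zero_keys += (*k == 0);
	keylist_free(l);
	return zero_keys;
}
```

The count returned by `drain_then_free()` stands in for the number of `atomic_dec(&b->c->prio_blocked)` calls the kernel loop would make for zero keys.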


