Hi Shenghui,

On 2019/2/8 3:46 PM, Shenghui Wang wrote:
> bch_keylist_free() frees dynamic memory if any and will not change

Is there a typo in "if any and will not"?

> pointer members of keylist. But we cannot guarantee the content of
> the freed memory is not changed on entering following while and pop
> loop. Move bch_keylist_free() calling after the while loop to avoid
> wrong content accessed.
>

It seems there is a use-after-free issue here. I am OK with this change, good catch :-)

Could you please explicitly point out that your patch fixes a use-after-free bug, and fix the above typo (if it is one)?

Thanks.

Coly Li

> Signed-off-by: Shenghui Wang <shhuiw@xxxxxxxxxxx> > --- > drivers/md/bcache/btree.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c > index 23cb1dc7296b..13671f381c44 100644 > --- a/drivers/md/bcache/btree.c > +++ b/drivers/md/bcache/btree.c > @@ -1475,11 +1475,11 @@ static int btree_gc_coalesce(struct btree *b, struct btree_op *op, > > out_nocoalesce: > closure_sync(&cl); > - bch_keylist_free(&keylist); > > while ((k = bch_keylist_pop(&keylist))) > if (!bkey_cmp(k, &ZERO_KEY)) > atomic_dec(&b->c->prio_blocked); > + bch_keylist_free(&keylist); > > for (i = 0; i < nodes; i++) > if (!IS_ERR_OR_NULL(new_nodes[i])) { > -- Coly Li
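Review bot: the changelog should state the impact of the old ordering at out_nocoalesce, not only that "wrong content" may be accessed. With bch_keylist_free(&keylist) ahead of the loop, every k returned by bch_keylist_pop(&keylist) and compared in bkey_cmp(k, &ZERO_KEY) can point into memory that was already released. Since the description says the free leaves the keylist pointers unchanged, the loop still walks that memory, so the number of atomic_dec(&b->c->prio_blocked) calls depends on freed contents. Name this as a use-after-free in the commit message, and consider a Fixes: tag for the commit that introduced the ordering so the change can be picked up for stable trees. The new position of the free call itself looks right: nothing between the loop and the following for (i = 0; i < nodes; i++) block in this hunk touches keylist.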