I totally missed the conditional check in both the functions:

    spd->nr_pages_max <= PIPE_DEF_BUFFERS

That check should take care of everything.

Cheers.
Pavi

On Mon, Aug 10, 2015 at 6:48 PM, Sergei Antonov <saproj@xxxxxxxxx> wrote:
> On 10 August 2015 at 13:30, pavi1729 <pavitra1729@xxxxxxxxx> wrote:
>> Hi,
>>
>> ISSUE: kfree frees an array
>>
>>
>> I see that FUNCTION: tracing_splice_read_pipe (in
>> FILE:src/kernel/trace/trace.c) calls FUNCTION:splice_shrink_spd (in
>> FILE:fs/splice.c) which does kfree(spd->partial) on error path.
>>
>>
>> But the spd->partial in FUNCTION "tracing_splice_read_pipe" is an array as below
>>
>>
>> FILE: src/kernel/trace/trace.c
>> static ssize_t tracing_splice_read_pipe(struct file *filp,
>>                                         loff_t *ppos,
>>                                         struct pipe_inode_info *pipe,
>>                                         size_t len,
>>                                         unsigned int flags)
>> {
>>         struct page *pages_def[PIPE_DEF_BUFFERS];
>>         struct partial_page partial_def[PIPE_DEF_BUFFERS]; <----- This is an array
>>         struct trace_iterator *iter = filp->private_data;
>>         struct splice_pipe_desc spd = {
>>                 .pages = pages_def,
>>                 .partial = partial_def,
>> <---------------------------------------- Kfree'ing this pointer ??
>>                 .nr_pages = 0, /* This gets updated below. */
>>                 .nr_pages_max = PIPE_DEF_BUFFERS,
>>                 .flags = flags,
>>                 .ops = &tracing_pipe_buf_ops,
>>                 .spd_release = tracing_spd_release_pipe,
>>         };
>>
>>         ..
>>         ..
>> }
>>
>>
>> FILE:fs/splice.c
>> void splice_shrink_spd(struct splice_pipe_desc *spd)
>> {
>>         if (spd->nr_pages_max <= PIPE_DEF_BUFFERS)
>>                 return;
>>
>>         kfree(spd->pages);
>>         kfree(spd->partial); <----------------------- Freeing the array ??
>> }
>
> No. If the condition above is false, the memory got reallocated in
> FUNCTION:splice_grow_spd.
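The guard the thread settles on, shown as an added userspace C model (not kernel code and not written by the posters). `model_grow`, `model_shrink` and `run_case` are hypothetical stand-ins for the grow/shrink pair named above, `DEF_BUFFERS` stands in for `PIPE_DEF_BUFFERS`, and `calloc`/`free` replace the kernel allocator.

```c
#include <stdio.h>
#include <stdlib.h>
#define DEF_BUFFERS 16 /* stand-in for PIPE_DEF_BUFFERS */
struct partial { unsigned int offset, len; };
struct desc {                  /* model of the splice_pipe_desc fields in the thread */
    void **pages;
    struct partial *partial;
    unsigned int nr_pages_max; /* doubles as the "who owns the arrays" tag */
};
static int heap_frees;         /* free() calls made by model_shrink() */

/* Grow step: replace the caller's arrays with heap ones only above the default. */
int model_grow(struct desc *d, unsigned int pipe_buffers)
{
    d->nr_pages_max = pipe_buffers;
    if (pipe_buffers <= DEF_BUFFERS)
        return 0;              /* stack arrays stay in place */
    d->pages = calloc(pipe_buffers, sizeof(*d->pages));
    d->partial = calloc(pipe_buffers, sizeof(*d->partial));
    if (d->pages && d->partial)
        return 0;
    free(d->pages);
    free(d->partial);
    return -1;
}

/* Shrink step: same guard as quoted in the thread, so stack arrays are never freed. */
void model_shrink(struct desc *d)
{
    if (d->nr_pages_max <= DEF_BUFFERS)
        return;
    free(d->pages);
    free(d->partial);
    heap_frees += 2;
}

/* One read call: returns the number of frees shrink performed, -1 if grow failed. */
int run_case(unsigned int pipe_buffers)
{
    void *pages_def[DEF_BUFFERS];
    struct partial partial_def[DEF_BUFFERS];
    struct desc d = { .pages = pages_def, .partial = partial_def, .nr_pages_max = DEF_BUFFERS };
    int before = heap_frees;
    if (model_grow(&d, pipe_buffers))
        return -1;
    model_shrink(&d);
    return heap_frees - before;
}

int main(void) { printf("%d %d\n", run_case(16), run_case(64)); return 0; }
```

The pattern is only safe while `nr_pages_max` is written solely by the grow step; a caller that raised it by hand while still pointing at stack arrays would turn the shrink step into a free of stack memory.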