Re: Coverity: blkdev_zone_mgmt(): Memory - illegal accesses

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Nov 11, 2019 at 05:35:00PM -0800, coverity-bot wrote:
> Hello!
> 
> This is an experimental automated report about issues detected by Coverity
> from a scan of next-20191108 as part of the linux-next weekly scan project:
> https://scan.coverity.com/projects/linux-next-weekly-scan
> 
> You're getting this email because you were associated with the identified
> lines of code (noted below) that were touched by recent commits:
> 
> a2d6b3a2d390 ("block: Improve zone reset execution")
> 
> Coverity reported the following:
> 
> *** CID 1487849:  Memory - illegal accesses  (USE_AFTER_FREE)
> /block/blk-zoned.c: 293 in blkdev_zone_mgmt()
> 287
> 288     		/* This may take a while, so be nice to others */
> 289     		cond_resched();
> 290     	}
> 291
> 292     	ret = submit_bio_wait(bio);
> vvv     CID 1487849:  Memory - illegal accesses  (USE_AFTER_FREE)
> vvv     Calling "bio_put" dereferences freed pointer "bio".
> 293     	bio_put(bio);

I don't know this area of the code very well, but looking through the
helpers here, it does seem like "bio" gets (or can be) freed before
returning from submit_bio_wait() (regardless to what the comment
says):

submit_bio_wait()
  submit_bio()
    generic_make_request()
      generic_make_request_check()
        bio_endio()
          __bio_chain_endio()
            bio_put()

The path passes into some error handling here, but it does seem like it
could be possible to hit both bio_put()s?

Can anyone speak to this?

-Kees

> 294
> 295     	return ret;
> 296     }
> 297     EXPORT_SYMBOL_GPL(blkdev_zone_mgmt);
> 298
> 
> If this is a false positive, please let us know so we can mark it as
> such, or teach the Coverity rules to be smarter. If not, please make
> sure fixes get into linux-next. :) For patches fixing this, please
> include these lines (but double-check the "Fixes" first):
> 
> Reported-by: coverity-bot <keescook+coverity-bot@xxxxxxxxxxxx>
> Addresses-Coverity-ID: 1487849 ("Memory - illegal accesses")
> Fixes: a2d6b3a2d390 ("block: Improve zone reset execution")
> 
> 
> Thanks for your attention!
> 
> -- 
> Coverity-bot

-- 
Kees Cook



[Index of Archives]     [Linux Kernel]     [Linux USB Development]     [Yosemite News]     [Linux SCSI]

  Powered by Linux