On 28. 03. 22, 12:27, Xiaomeng Tong wrote:
> On Mon, 28 Mar 2022 12:09:59 +0200, Jiri Slaby wrote:
>> On 28. 03. 22, 11:35, Xiaomeng Tong wrote:
>>> The bug is here:
>>>     if (s->len != flen) {
>>> The list iterator 's' will point to a bogus position containing
>>> HEAD if the list is empty or no element is found.
>> Could you also explain how that can happen?
> When list_for_each_entry_* does not exit early (if the list is empty
> or no break/goto/return is hit inside the loop), it will set pos ('s' here)
> to a bogus pointer that points to an invalid struct computed based
> on &HEAD using container_of.
>
> #define list_for_each_entry(pos, head, member) \
>     for (pos = list_first_entry(head, typeof(*pos), member); \
>          !list_entry_is_head(pos, head, member); \
>          pos = list_next_entry(pos, member))
No, I didn't mean what happens on that site on the code level. I think
everyone understands that. Instead, I meant: what circumstances lead to
this _situation_ in reality?
thanks,
--
js
suse labs
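The iterator behaviour described in the quoted reply, reproduced with a self-contained list model. This is an added example, not code from the thread or from the kernel: the list helpers, `struct item`, and the `find_buggy`/`find_fixed`/`demo_missing_len` functions are constructed stand-ins that mirror the kernel macros.

```c
#include <stddef.h>
/* Minimal stand-ins for the kernel list helpers (constructed for this example). */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_first_entry(head, type, member) container_of((head)->next, type, member)
#define list_next_entry(pos, member) \
    container_of((pos)->member.next, __typeof__(*(pos)), member)
#define list_entry_is_head(pos, head, member) (&(pos)->member == (head))
#define list_for_each_entry(pos, head, member) \
    for (pos = list_first_entry(head, __typeof__(*pos), member); \
         !list_entry_is_head(pos, head, member); \
         pos = list_next_entry(pos, member))

struct item { int len; struct list_head list; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}

/* Buggy pattern: uses the iterator after the loop. When nothing matched (or the
 * list was empty), s == container_of(head, struct item, list), which is not an
 * item at all; dereferencing s->len would read outside any real struct item. */
static struct item *find_buggy(struct list_head *head, int flen)
{
    struct item *s;
    list_for_each_entry(s, head, list)
        if (s->len == flen)
            break;
    return s;
}

/* Fixed pattern: a separate pointer that is only set on a real match. */
static struct item *find_fixed(struct list_head *head, int flen)
{
    struct item *s, *found = NULL;
    list_for_each_entry(s, head, list)
        if (s->len == flen) { found = s; break; }
    return found;
}

/* Builds a three-element list; returns 1 when the buggy lookup for a missing
 * length yields the bogus head-derived pointer while the fixed lookup yields
 * NULL (and still finds a present element). */
static int demo_missing_len(void)
{
    struct list_head head; struct item a = { 1 }, b = { 2 }, c = { 3 };
    list_init(&head);
    list_add_tail(&a.list, &head); list_add_tail(&b.list, &head); list_add_tail(&c.list, &head);
    struct item *bogus = container_of(&head, struct item, list);
    return find_buggy(&head, 9) == bogus && find_fixed(&head, 9) == NULL
        && find_fixed(&head, 2) == &b;
}
```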