[staging:staging-next 446/587] drivers/staging/lustre/lnet/lnet/lib-socket.c:212:16-19: ERROR: reference preceded by free on line 198 (fwd)

Dan Carpenter dan.carpenter at oracle.com
Sat Jan 27 15:09:39 UTC 2018


On Sat, Jan 27, 2018 at 03:09:11PM +0100, Julia Lawall wrote:
> 
> 
> On Sat, 27 Jan 2018, Dan Carpenter wrote:
> 
> > On Sat, Jan 27, 2018 at 02:37:49PM +0100, Julia Lawall wrote:
> > > Please check whether line 212 is reachable from line 198.
> > >
> >
> > No.  It's not.
> >
> > > d7e09d039 drivers/staging/lustre/lustre/libcfs/linux/linux-tcpip.c Peng Tao           2013-05-02  192  		nfound = ifc.ifc_len / sizeof(*ifr);
> > > d7e09d039 drivers/staging/lustre/lustre/libcfs/linux/linux-tcpip.c Peng Tao           2013-05-02  193  		LASSERT(nfound <= nalloc);
> > > d7e09d039 drivers/staging/lustre/lustre/libcfs/linux/linux-tcpip.c Peng Tao           2013-05-02  194
> > > d7e09d039 drivers/staging/lustre/lustre/libcfs/linux/linux-tcpip.c Peng Tao           2013-05-02  195  		if (nfound < nalloc || toobig)
> > > d7e09d039 drivers/staging/lustre/lustre/libcfs/linux/linux-tcpip.c Peng Tao           2013-05-02  196  			break;
> >                                                                                                                                 ^^^^^
> > The only place where the loop breaks is here.
> 
> I saw that, but does it imply that nfound is 0?
> 

No, but it implies "ifr" is allocated and non-zero.  To be honest, I'm
not sure how any flow analysis would warn about a use after free here
unless perhaps it didn't reset "ifr" to allocated again on the next
assignment after the free?

regards,
dan carpenter
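As an added illustration (not code from this thread or from Lustre), here is a user-space loop with the same shape as the quoted lnet loop: the buffer is freed only on the path that stays in the loop and is reallocated before any further use, so the post-loop dereference is never reached with a freed pointer. The ioctl is replaced by a constructed stand-in; `fake_ifconf`, `count_ifaces`, `TOTAL_IFACES` and `max_alloc` are names assumed here.

```c
#include <stdlib.h>

/* Constructed stand-in for the SIOCGIFCONF ioctl used by the Lustre code:
 * it copies at most 'room' records into buf and reports how many it wrote
 * (the real call reports bytes; only the shape matters here). */
#define TOTAL_IFACES 5

static int fake_ifconf(int *buf, int room)
{
    int n = TOTAL_IFACES < room ? TOTAL_IFACES : room;

    for (int i = 0; i < n; i++)
        buf[i] = i;
    return n;
}

/*
 * Grow-and-retry loop with the same shape as the quoted lnet code. The
 * buffer is freed only on the path that stays in the loop, and that path
 * allocates a fresh buffer before anything dereferences ifr again. The
 * only exit is the break, which leaves ifr allocated, so the use after
 * the loop (the line the checker flagged) never sees a freed pointer.
 * Returns the record count, or -1 on allocation failure; *sum receives
 * the sum of the records as a witness that the post-loop use really ran.
 */
int count_ifaces(int max_alloc, int *sum)
{
    int *ifr;
    int nalloc, nfound, toobig = 0;

    for (nalloc = 2;; nalloc *= 2) {
        if (nalloc > max_alloc) {       /* cap the retry, like 'toobig' */
            toobig = 1;
            nalloc = max_alloc;
        }
        ifr = malloc(nalloc * sizeof(*ifr));
        if (!ifr)
            return -1;
        nfound = fake_ifconf(ifr, nalloc);
        if (nfound < nalloc || toobig)
            break;                      /* ifr is live on this path */
        free(ifr);
        ifr = NULL;     /* not needed for correctness; clears the dead value */
    }

    *sum = 0;
    for (int i = 0; i < nfound; i++)    /* the reference the tool warned about */
        *sum += ifr[i];
    free(ifr);
    return nfound;
}
```

Setting `ifr = NULL` right after the free is the cheap way to make the dead value explicit to a flow-analysis tool that otherwise has to prove the reallocation dominates every later use.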
