[staging:staging-next 446/587] drivers/staging/lustre/lnet/lnet/lib-socket.c:212:16-19: ERROR: reference preceded by free on line 198 (fwd)
Dan Carpenter
dan.carpenter at oracle.com
Sat Jan 27 15:09:39 UTC 2018
On Sat, Jan 27, 2018 at 03:09:11PM +0100, Julia Lawall wrote:
>
>
> On Sat, 27 Jan 2018, Dan Carpenter wrote:
>
> > On Sat, Jan 27, 2018 at 02:37:49PM +0100, Julia Lawall wrote:
> > > Please check whether line 212 is reachable from line 198.
> > >
> >
> > No. It's not.
> >
> > > d7e09d039 drivers/staging/lustre/lustre/libcfs/linux/linux-tcpip.c Peng Tao 2013-05-02 192 nfound = ifc.ifc_len / sizeof(*ifr);
> > > d7e09d039 drivers/staging/lustre/lustre/libcfs/linux/linux-tcpip.c Peng Tao 2013-05-02 193 LASSERT(nfound <= nalloc);
> > > d7e09d039 drivers/staging/lustre/lustre/libcfs/linux/linux-tcpip.c Peng Tao 2013-05-02 194
> > > d7e09d039 drivers/staging/lustre/lustre/libcfs/linux/linux-tcpip.c Peng Tao 2013-05-02 195 if (nfound < nalloc || toobig)
> > > d7e09d039 drivers/staging/lustre/lustre/libcfs/linux/linux-tcpip.c Peng Tao 2013-05-02 196 break;
> > ^^^^^
> > The only place where the loop breaks is here.
>
> I saw that, but does it imply that nfound is 0?
>
No, but it implies "ifr" allocated and non-zero. To be honest, I'm
not sure how any flow analysis would warn about a use after free here
unless perhaps it didn't reset "ifr" to allocated again on the next
assignment after the free?
regards,
dan carpenter
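
The loop shape under discussion, as an added example that is not part of the original thread or the lustre source: a user-space reduction with hypothetical names (`fill_records`, `enumerate_sum`, `MAX_RECORDS`) standing in for the ioctl, the enumerating function and the page-size cap. The buffer is freed only on the path that loops back to a fresh allocation, so the read after the loop, reachable only through `break`, always sees a live buffer.

```c
#include <stdlib.h>

#define MAX_RECORDS 64  /* constructed cap, plays the role of "toobig" */

/* Constructed data source: copies up to nalloc of `total` records into buf
 * and returns how many were copied (like ifc_len / sizeof(*ifr)). */
static size_t fill_records(int *buf, size_t nalloc, size_t total)
{
    size_t n = total < nalloc ? total : nalloc;

    for (size_t i = 0; i < n; i++)
        buf[i] = (int)i + 1;
    return n;
}

/* Returns the sum of all records found, or -1 on allocation failure. */
long enumerate_sum(size_t total)
{
    size_t nalloc = 4, nfound;
    int toobig = 0;
    int *rec;
    long sum = 0;

    for (;;) {
        if (nalloc >= MAX_RECORDS) {
            toobig = 1;
            nalloc = MAX_RECORDS;
        }
        rec = calloc(nalloc, sizeof(*rec)); /* rec re-assigned on every pass */
        if (!rec)
            return -1;
        nfound = fill_records(rec, nalloc, total);
        if (nfound < nalloc || toobig)
            break;                          /* only loop exit: rec is live */
        free(rec);                          /* stale only until the next calloc */
        nalloc *= 2;
    }

    /* Reached only via the break above, never from the free(). */
    for (size_t i = 0; i < nfound; i++)
        sum += rec[i];
    free(rec);
    return sum;
}
```

A checker that does not clear the "freed" state of the pointer when it is assigned again at the top of the loop would flag the read after the loop, which is the hypothesis raised in the reply above.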