Message-ID: <1384268137.2697.10.camel@menhir>
Date: Tue, 12 Nov 2013 14:55:37 +0000
From: Steven Whitehouse <swhiteho@...hat.com>
To: Geyslan Gregório Bem <geyslan@...il.com>
Cc: cluster-devel@...hat.com, LKML <linux-kernel@...r.kernel.org>
Subject: Re: [RFC] Coverity 1128444 - Dereference after null check (FORWARD_NULL) in glock.c
Hi,
On Tue, 2013-11-12 at 12:53 -0200, Geyslan Gregório Bem wrote:
> Hello,
>
> Coverity detected in 'fs/gfs2/glock.c' a possible dereference after
> null check. Maybe a positive one.
>
> There is an initial check for possible 'gl' NULL. After that 'gl' is
> dereferenced in the looping check by __lockref_is_dead().
>
> What do you think?
>
I've already been sent a patch for that, and it's in the GFS2 -fixes
tree. Thanks,
Steve.
>
> 1875 static int gfs2_glock_iter_next(struct gfs2_glock_iter *gi)
> 1876 {
> 1877         struct gfs2_glock *gl;
> 1878
> 1879         do {
> 1880                 gl = gi->gl;
>
> 1. Condition "gl", taking false branch
>
> 2. var_compare_op: Comparing "gl" to null implies that "gl" might be null.
> 1881                 if (gl) {
> 1882                         gi->gl = glock_hash_next(gl);
> 1883                         gi->nhash++;
> 1884                 } else {
>
> 3. Condition "gi->hash >= (32768 /* 1 << 15 */)", taking false branch
> 1885                         if (gi->hash >= GFS2_GL_HASH_SIZE) {
> 1886                                 rcu_read_unlock();
> 1887                                 return 1;
> 1888                         }
> 1889                         gi->gl = glock_hash_chain(gi->hash);
> 1890                         gi->nhash = 0;
> 1891                 }
>
> 4. Condition "gi->gl == NULL", taking true branch
>
> 7. Condition "gi->gl == NULL", taking false branch
> 1892                 while (gi->gl == NULL) {
> 1893                         gi->hash++;
>
> 5. Condition "gi->hash >= (32768 /* 1 << 15 */)", taking false branch
> 1894                         if (gi->hash >= GFS2_GL_HASH_SIZE) {
> 1895                                 rcu_read_unlock();
> 1896                                 return 1;
> 1897                         }
> 1898                         gi->gl = glock_hash_chain(gi->hash);
> 1899                         gi->nhash = 0;
>
> 6. Jumping back to the beginning of the loop
> 1900                 }
> 1901                 /* Skip entries for other sb and dead entries */
>
> 8. Condition "gi->sdp != gi->gl->gl_sbd", taking false branch
>
> CID 1128444 (#1 of 1): Dereference after null check (FORWARD_NULL)
> 9. var_deref_model: Passing null pointer "&gl->gl_lockref" to function
> "__lockref_is_dead(struct lockref const *)", which dereferences it.
> 1902         } while (gi->sdp != gi->gl->gl_sbd ||
>                       __lockref_is_dead(&gl->gl_lockref));
> 1903
> 1904         return 0;
> 1905 }
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
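The defect in the quoted trace is that the do/while condition tests the local `gl`, which was captured before the iterator advanced, so it is NULL on the first step and the previous entry on every later step, while `gi->gl` is the entry actually selected. The following is an added example (not code from this thread, from GFS2 or from the fix Steve refers to) that models the iterator with constructed types and a constructed four-bucket table, drops the superblock comparison from the original condition, and records in `stale_gl_at_check` what the original's `&gl->gl_lockref` would have pointed at, so the corrected condition can be compared against the stale one without crashing.

```c
#include <stddef.h>
#define GL_HASH_SIZE 4

/* Constructed stand-ins for the GFS2 types used in the quoted code. */
struct glock { int dead; struct glock *next; };  /* __lockref_is_dead(), glock_hash_next() */
struct glock_iter { unsigned int hash; struct glock *gl; };  /* gi->hash, gi->gl */

/* Constructed table (stands in for glock_hash_chain()): bucket 1 holds a live
 * then a dead entry, bucket 3 one live entry, buckets 0 and 2 are empty. */
static struct glock b1_dead = { 1, NULL };
static struct glock b1_live = { 0, &b1_dead };
static struct glock b3_live = { 0, NULL };
static struct glock *table[GL_HASH_SIZE] = { NULL, &b1_live, NULL, &b3_live };
static struct glock_iter fresh = { 0, NULL };   /* an iterator to step by hand */
/* What the local 'gl' held when the loop condition last ran, i.e. what the
 * original passed to __lockref_is_dead(): NULL on the first step (the Coverity
 * trace) and the previous entry, never the current one, on every later step. */
static struct glock *stale_gl_at_check;
/* Same control flow as gfs2_glock_iter_next(); returns 1 when the table is
 * exhausted, 0 with gi->gl pointing at a live entry. The fix is the condition:
 * test gi->gl, the entry just selected, not the stale local. */
static int glock_iter_next(struct glock_iter *gi)
{
    struct glock *gl;
    do {
        gl = gi->gl;
        if (gl) {
            gi->gl = gl->next;
        } else {
            if (gi->hash >= GL_HASH_SIZE)
                return 1;
            gi->gl = table[gi->hash];
        }
        while (gi->gl == NULL) {
            gi->hash++;
            if (gi->hash >= GL_HASH_SIZE)
                return 1;
            gi->gl = table[gi->hash];
        }
        stale_gl_at_check = gl;   /* what "&gl->gl_lockref" would have used */
    } while (gi->gl->dead);       /* fixed: was __lockref_is_dead(&gl->gl_lockref) */
    return 0;
}

/* Walk a fresh iterator and count the live entries it yields. */
static int count_live(void)
{
    struct glock_iter gi = { 0, NULL }; int n = 0;
    while (glock_iter_next(&gi) == 0)
        n++;
    return n;
}
```

Stepping `fresh` by hand shows the first call returning the live entry in bucket 1 while the stale local is NULL, which is exactly the path Coverity reports.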