Hi all! I accidentally found a use-after-free of local_err in mirror, and decided to search for similar cases with the help of a small coccinelle script (patch 01). Happily, there are not many cases.

It would be better to zero the Error* pointer after each freeing everywhere, but this is too much for 5.0, and most of these cases will be covered by the error-auto-propagation series. Note also that there are still a lot of use-after-free cases possible when the error is not a local variable but a field of some structure shared by several functions.

Vladimir Sementsov-Ogievskiy (6):
  scripts/coccinelle: add error-use-after-free.cocci
  block/mirror: fix use after free of local_err
  dump/win_dump: fix use after free of err
  migration/colo: fix use after free of local_err
  migration/ram: fix use after free of local_err
  qga/commands-posix: fix use after free of local_err

 scripts/coccinelle/error-use-after-free.cocci | 52 +++++++++++++++++++
 block/mirror.c                                |  1 +
 dump/win_dump.c                               |  4 +-
 migration/colo.c                              |  1 +
 migration/ram.c                               |  1 +
 qga/commands-posix.c                          |  3 ++
 MAINTAINERS                                   |  1 +
 7 files changed, 60 insertions(+), 3 deletions(-)
 create mode 100644 scripts/coccinelle/error-use-after-free.cocci

-- 
2.21.0
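As an added illustration, not part of this series or of QEMU's own code, the following C program mocks the Error API with a quarantining free so that the local_err pattern the series fixes can be executed and counted instead of being undefined behaviour. The Error type, the fixed pool, the do_step() helper and the flow() function are all constructed for the demonstration; the only thing taken from the series is the fix itself, zeroing the pointer right after the call that frees it.

```c
#include <assert.h>
#include <stdio.h>

/* Toy stand-in for QEMU's Error API (an assumption, not the real implementation):
 * instead of free()ing, it quarantines the object and flags it, so a later use
 * is counted rather than being undefined behaviour. */
typedef struct Error {
    const char *msg;
    int freed;              /* 1 once error_free() has run on this object */
} Error;

static Error pool[8];       /* fixed pool: nothing leaks, nothing is reused */
static int pool_next;
static int uaf_events;      /* number of touches of an already-freed Error */

static void error_setg(Error **errp, const char *msg)
{
    if (!errp) return;      /* caller does not want details */
    assert(pool_next < 8);
    pool[pool_next].msg = msg;
    pool[pool_next].freed = 0;
    *errp = &pool[pool_next++];
}

static void error_free(Error *err)
{
    if (!err) return;
    if (err->freed) uaf_events++;   /* double free */
    err->freed = 1;                 /* quarantine instead of free() */
}

static void error_report_err(Error *err)
{
    if (!err) return;
    if (err->freed) { uaf_events++; return; }
    fprintf(stderr, "error: %s\n", err->msg);
    error_free(err);                /* consumes the object, like the real helper */
}

static void error_propagate(Error **dst_errp, Error *local_err)
{
    if (!local_err) return;
    if (local_err->freed) { uaf_events++; return; }   /* the bug the series fixes */
    if (!dst_errp) { error_free(local_err); return; }
    *dst_errp = local_err;
}

/* Constructed sub-operation: step 0 fails, every later step succeeds. */
static int do_step(int step, Error **errp)
{
    if (step == 0) {
        error_setg(errp, "step 0 failed (constructed)");
        return -1;
    }
    return 0;
}

/* The pattern behind the series: a non-fatal failure is reported (which frees
 * local_err), execution continues, and a later "if (local_err)" is meant to ask
 * whether the *next* step failed. Unless the pointer was zeroed, that check sees
 * the dangling value and propagates freed memory. */
static int flow(int zero_after_free, Error **errp)
{
    Error *local_err = NULL;

    if (do_step(0, &local_err) < 0) {
        error_report_err(local_err);    /* frees local_err */
        if (zero_after_free) {
            local_err = NULL;           /* the one-line fix from the series */
        }
    }
    do_step(1, &local_err);             /* succeeds, leaves local_err untouched */
    if (local_err) {                    /* dangling unless zeroed above */
        error_propagate(errp, local_err);
        return -1;
    }
    return 0;
}

/* Run flow() in a fresh state and return how many freed-object uses it made. */
int count_uaf(int zero_after_free)
{
    Error *errp = NULL;
    pool_next = 0;
    uaf_events = 0;
    flow(zero_after_free, &errp);
    return uaf_events;
}

int main(void)
{
    printf("without zeroing: %d use(s) of a freed Error\n", count_uaf(0));  /* 1 */
    printf("with zeroing:    %d use(s) of a freed Error\n", count_uaf(1));  /* 0 */
    return 0;
}
```

Under a real allocator the unzeroed variant is plain undefined behaviour; the quarantine flag stands in for what ASan's freed-memory poisoning reports, which is the practical way to catch the cases the coccinelle script misses, such as Error* fields shared between functions.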