Re: [RFC PATCH] double free in decompressor.c
2013/11/22 Phillip Lougher :
> On 22/11/13 21:50, Geyslan Gregório Bem wrote:
>>
>> Coverity caught double free possibility (CID 1130962).
>>
>> I can patch this, but I have to know if it is correct to free comp_opts
>> in the function squashfs_decompressor_create() or if it has to be done in
>> the caller. My bet is the caller.
>>
>>
>> void *squashfs_decompressor_setup(struct super_block *sb, unsigned short flags)
>> {
>>     struct squashfs_sb_info *msblk = sb->s_fs_info;
>>     void *stream, *comp_opts = get_comp_opts(sb, flags);
>>
>> 1. Condition "IS_ERR(comp_opts)", taking false branch
>>     if (IS_ERR(comp_opts))
>>         return comp_opts;
>>
>> 2. freed_arg: "squashfs_decompressor_create(struct squashfs_sb_info *,
>> void *)" frees "comp_opts".
>>     stream = squashfs_decompressor_create(msblk, comp_opts);
>>
>> 3. Condition "IS_ERR(stream)", taking true branch
>>     if (IS_ERR(stream))
>
>
> FALSE positive.
>
> squashfs_decompressor_create() frees comp_opts only on success.
>
> If IS_ERR(stream) is true, then comp_opts has not been freed by
> squashfs_decompressor_create().
>
> Phillip
>
>>
>> CID 1130962 (#1 of 1): Double free (USE_AFTER_FREE)
>> 4. double_free: Calling "kfree(void const *)" frees pointer "comp_opts"
>> which has already been freed.
>>         kfree(comp_opts);
>>
>>     return stream;
>> }
>>

Phillip, set as false positive in Coverity. Thanks.

--
Regards,

Geyslan G. Bem
hackingbits.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Re: [RFC PATCH] double free in decompressor.c
On 22/11/13 21:50, Geyslan Gregório Bem wrote:
> Coverity caught double free possibility (CID 1130962).
>
> I can patch this, but I have to know if it is correct to free comp_opts
> in the function squashfs_decompressor_create() or if it has to be done in
> the caller. My bet is the caller.
>
> void *squashfs_decompressor_setup(struct super_block *sb, unsigned short flags)
> {
>     struct squashfs_sb_info *msblk = sb->s_fs_info;
>     void *stream, *comp_opts = get_comp_opts(sb, flags);
>
> 1. Condition "IS_ERR(comp_opts)", taking false branch
>     if (IS_ERR(comp_opts))
>         return comp_opts;
>
> 2. freed_arg: "squashfs_decompressor_create(struct squashfs_sb_info *,
> void *)" frees "comp_opts".
>     stream = squashfs_decompressor_create(msblk, comp_opts);
>
> 3. Condition "IS_ERR(stream)", taking true branch
>     if (IS_ERR(stream))

FALSE positive.

squashfs_decompressor_create() frees comp_opts only on success.

If IS_ERR(stream) is true, then comp_opts has not been freed by
squashfs_decompressor_create().

Phillip

> CID 1130962 (#1 of 1): Double free (USE_AFTER_FREE)
> 4. double_free: Calling "kfree(void const *)" frees pointer "comp_opts"
> which has already been freed.
>         kfree(comp_opts);
>
>     return stream;
> }

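The ownership contract described in the reply above (the callee frees comp_opts only on success, the caller frees it only on error), modelled in user-space C as an added example; it is not the squashfs code and not part of the original thread. The names decompressor_create, decompressor_setup, free_opts, frees_on_path and the fail_init switch are hypothetical, and err_ptr/is_err only imitate the kernel helpers.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* User-space stand-ins for the kernel's ERR_PTR()/IS_ERR() (top 4095 addresses). */
static void *err_ptr(long e) { return (void *)(intptr_t)e; }
static int is_err(const void *p) { return (uintptr_t)p >= (uintptr_t)-4095; }

static int opts_frees;  /* how many times the options buffer was released */
static void free_opts(void *p) { opts_frees++; free(p); }

/* Hypothetical callee: takes ownership of opts ONLY when it succeeds. */
static void *decompressor_create(void *opts, int fail_init)
{
    void *stream = calloc(1, 64);
    if (!stream)
        return err_ptr(-ENOMEM);
    if (fail_init) {            /* error path: opts is left untouched */
        free(stream);
        return err_ptr(-EINVAL);
    }
    free_opts(opts);            /* success path: callee releases opts */
    return stream;
}

/* Hypothetical caller: releases opts only when the callee reported failure. */
static void *decompressor_setup(int fail_init)
{
    void *stream, *opts = malloc(16);
    if (!opts)
        return err_ptr(-ENOMEM);
    stream = decompressor_create(opts, fail_init);
    if (is_err(stream))
        free_opts(opts);
    return stream;
}

/* Runs one path and returns how many times opts was freed (1 = no leak, no double free). */
static int frees_on_path(int fail_init)
{
    void *stream;
    opts_frees = 0;
    stream = decompressor_setup(fail_init);
    if (!is_err(stream))
        free(stream);
    return opts_frees;
}

int main(void) { return !(frees_on_path(0) == 1 && frees_on_path(1) == 1); }
```

A count of 2 on either path would be the double free the checker reported; a count of 0 would be a leak. The contract holds only while every error return in the callee leaves the buffer untouched.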
Re: [RFC PATCH] double free in decompressor.c
2013/11/22 Richard Weinberger :
> On Fri, Nov 22, 2013 at 10:50 PM, Geyslan Gregório Bem wrote:
>> Coverity caught double free possibility (CID 1130962).
>
> Just wondering, where can one find/verify such CIDs?
>
> --
> Thanks,
> //richard

Anyone can sign in (https://scan.coverity.com/) and choose an open
source project or register one (as maintainer) indeed.
After that, configure to receive "new defects" updates.

--
Regards,

Geyslan G. Bem
hackingbits.com

Re: [RFC PATCH] double free in decompressor.c
On Fri, Nov 22, 2013 at 10:50 PM, Geyslan Gregório Bem wrote:
> Coverity caught double free possibility (CID 1130962).

Just wondering, where can one find/verify such CIDs?

--
Thanks,
//richard

[RFC PATCH] double free in decompressor.c
Coverity caught double free possibility (CID 1130962).

I can patch this, but I have to know if it is correct to free comp_opts
in the function squashfs_decompressor_create() or if it has to be done in
the caller. My bet is the caller.

void *squashfs_decompressor_setup(struct super_block *sb, unsigned short flags)
{
    struct squashfs_sb_info *msblk = sb->s_fs_info;
    void *stream, *comp_opts = get_comp_opts(sb, flags);

1. Condition "IS_ERR(comp_opts)", taking false branch
    if (IS_ERR(comp_opts))
        return comp_opts;

2. freed_arg: "squashfs_decompressor_create(struct squashfs_sb_info *,
void *)" frees "comp_opts".
    stream = squashfs_decompressor_create(msblk, comp_opts);

3. Condition "IS_ERR(stream)", taking true branch
    if (IS_ERR(stream))

CID 1130962 (#1 of 1): Double free (USE_AFTER_FREE)
4. double_free: Calling "kfree(void const *)" frees pointer "comp_opts"
which has already been freed.
        kfree(comp_opts);

    return stream;
}

--
Regards,

Geyslan G. Bem
hackingbits.com