Re: New Defect found by Coverity Scan based on code change in last1.5 week
From: Cong Wang
Date: Fri Jul 06 2012 - 21:28:51 EST
On Sat, Jul 7, 2012 at 1:32 AM, Scan Subscription
<scan-subscription@xxxxxxxxxxxx> wrote:
> ________________________________________________________________________
> CID 200075: Free of array-typed value (BAD_FREE.array)
>
> /linux/fs/splice.c: 317 ( array_assign)
> 311 struct page *pages[PIPE_DEF_BUFFERS];
> 312 struct partial_page partial[PIPE_DEF_BUFFERS];
> ...
> 316 int error, page_nr;
>>>> CID 200075: Free of array-typed value (BAD_FREE.array)
>>>> Assigning: "spd.pages" = "pages".
> 317 struct splice_pipe_desc spd = {
> 318 .pages = pages,
> 319 .partial = partial,
> 320 .nr_pages_max = PIPE_DEF_BUFFERS,
> 321 .flags = flags,
>
> /linux/fs/splice.c: 503 ( incorrect_free)
> 500 if (spd.nr_pages)
> 501 error = splice_to_pipe(pipe, &spd);
> 502
>>>> "splice_shrink_spd" frees incorrect pointer "spd.pages".
> 503 splice_shrink_spd(&spd);
> 504 return error;
> 505 }
> 506
> 507 /**
This one should be bogus, splice_shrink_spd() only
frees it when spd->nr_pages_max > PIPE_DEF_BUFFERS
because splice_grow_spd() only allocates memory
in that case. Otherwise, the array allocated on stack is
used.
Thanks.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/