This checker warns when you do not free allocated memory on failure paths.
Note: while we only include 24 errors, there were lots in general; let me
know if more are useful.
Dawson
# BUGs | File Name
4 | /drivers/lvm.c
2 | /mtd/cfi_cmdset_0002.c
2 | /isdn/capi.c
2 | /media/msp3400.c
2 | /drivers/ixj.c
2 | /drivers/cpqfcTSinit.c
1 | /fs/rock.c
1 | /drivers/ixj_pcmcia.c
1 | /drivers/cs4232.c
1 | /drivers/radeonfb.c
1 | /2.4.17/socket.c
1 | /net/vlanproc.c
1 | /net/aironet4500_cs.c
1 | /mtd/sharp.c
1 | /isdn/avm_cs.c
1 | /isdn/icn.c
############################################################
# 2.4.17 specific errors
#
---------------------------------------------------------
[BUG] good stat ranking.
/u2/engler/mc/oses/linux/2.4.17/drivers/video/radeonfb.c:788:radeonfb_pci_register: ERROR:INVERSE:688:788:UNREVERSED 'rinfo' on error path! set by 'kmalloc':688 [nbytes=2216] [rank=easy] [COUNTER=kmalloc:688] [ERROR] [fit=2] [fit_fn=1] [fn_ex=4] [fn_counter=1] [ex=4] [counter=1] [z = -1.53896752812773] [fn-z = -1.53896752812773]
int i, j;
char *bios_seg = NULL;
RTRACE("radeonfb_pci_register BEGIN\n");
Start --->
rinfo = kmalloc (sizeof (struct radeonfb_info), GFP_KERNEL);
... DELETED 94 lines ...
case PCI_DEVICE_ID_RADEON_LZ:
strcpy(rinfo->name, "Radeon M6 LZ ");
rinfo->hasCRTC2 = 1;
break;
default:
Error --->
return -ENODEV;
}
/* framebuffer size */
---------------------------------------------------------
[BUG] good stat example. 2 others.
/u2/engler/mc/oses/linux/2.4.17/drivers/isdn/icn/icn.c:847:icn_loadboot: ERROR:INVERSE:820:847:UNREVERSED 'codebuf' on error path! set by 'kmalloc':820 [nbytes=1] [rank=easy] [COUNTER=kmalloc:820] [ERROR] [fit=4] [fit_fn=1] [fn_ex=3] [fn_counter=1] [ex=3] [counter=1] [z = -1.83532587096449] [fn-z = -1.83532587096449]
unsigned long flags;
#ifdef BOOT_DEBUG
printk(KERN_DEBUG "icn_loadboot called, buffaddr=%08lx\n", (ulong) buffer);
#endif
Start --->
if (!(codebuf = kmalloc(ICN_CODE_STAGE1, GFP_KERNEL))) {
... DELETED 21 lines ...
}
if (!dev.mvalid) {
if (check_mem_region(dev.memaddr, 0x4000)) {
printk(KERN_WARNING
"icn: memory at 0x%08lx in use.\n", dev.memaddr);
Error --->
return -EBUSY;
}
request_mem_region(dev.memaddr, 0x4000, "icn-isdn (all cards)");
dev.shmem = ioremap(dev.memaddr, 0x4000);
---------------------------------------------------------
[BUG] no real examples though.
/u2/engler/mc/oses/linux/2.4.17/drivers/isdn/avmb1/avm_cs.c:184:avmcs_attach: ERROR:INVERSE:149:184:UNREVERSED 'link' on error path! set by 'kmalloc':149 [nbytes=144] [rank=easy] [COUNTER=kmalloc:149] [ERROR] [fit=6] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=2] [counter=1] [z = -2.25170500701057] [fn-z = -4.35889894354067]
dev_link_t *link;
local_info_t *local;
int ret, i;
/* Initialize the dev_link_t structure */
Start --->
link = kmalloc(sizeof(struct dev_link_t), GFP_KERNEL);
... DELETED 29 lines ...
link->conf.Present = PRESENT_OPTION;
/* Allocate space for private device-specific data */
local = kmalloc(sizeof(local_info_t), GFP_KERNEL);
if (!local)
Error --->
return NULL;
memset(local, 0, sizeof(local_info_t));
link->priv = local;
---------------------------------------------------------
[BUG] not good stat: no other examples.
/u2/engler/mc/oses/linux/2.4.17/drivers/telephony/ixj_pcmcia.c:75:ixj_attach: ERROR:INVERSE:62:75:UNREVERSED 'link' on error path! set by 'kmalloc':62 [nbytes=144] [rank=easy] [COUNTER=kmalloc:62] [ERROR] [fit=8] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=2] [counter=1] [z = -2.25170500701057] [fn-z = -4.35889894354067]
client_reg_t client_reg;
dev_link_t *link;
int ret;
DEBUG(0, "ixj_attach()\n");
/* Create new ixj device */
Start --->
link = kmalloc(sizeof(struct dev_link_t), GFP_KERNEL);
if (!link)
return NULL;
memset(link, 0, sizeof(struct dev_link_t));
link->release.function = &ixj_cs_release;
link->release.data = (u_long) link;
link->io.Attributes1 = IO_DATA_PATH_WIDTH_8;
link->io.Attributes2 = IO_DATA_PATH_WIDTH_8;
link->io.IOAddrLines = 3;
link->conf.Vcc = 50;
link->conf.IntType = INT_MEMORY_AND_IO;
link->priv = kmalloc(sizeof(struct ixj_info_t), GFP_KERNEL);
if (!link->priv)
Error --->
return NULL;
memset(link->priv, 0, sizeof(struct ixj_info_t));
/* Register with Card Services */
link->next = dev_list;
---------------------------------------------------------
[BUG] good stat: though should have a lower p0 value. (2 examples, ranked lower)
/u2/engler/mc/oses/linux/2.4.17/drivers/sound/cs4232.c:409:cs4232_isapnp_probe: ERROR:INVERSE:382:409:UNREVERSED 'isapnpcfg' on error path! set by 'kmalloc':382 [nbytes=68] [rank=easy] [COUNTER=kmalloc:382] [ERROR] [fit=9] [fit_fn=1] [fn_ex=2] [fn_counter=1] [ex=2] [counter=1] [z = -2.25170500701057] [fn-z = -2.25170500701057]
int cs4232_isapnp_probe(struct pci_dev *dev, const struct isapnp_device_id *id)
{
int ret;
struct address_info *isapnpcfg;
Start --->
isapnpcfg=(struct address_info*)kmalloc(sizeof(*isapnpcfg),GFP_KERNEL);
... DELETED 21 lines ...
isapnpcfg->dma = dev->dma_resource[0].start;
isapnpcfg->dma2 = dev->dma_resource[1].start;
isapnpcfg->io_base = dev->resource[0].start;
if (probe_cs4232(isapnpcfg,TRUE) == 0) {
printk(KERN_ERR "cs4232: ISA PnP card found, but not detected?\n");
Error --->
return -ENODEV;
}
attach_cs4232(isapnpcfg);
pci_set_drvdata(dev,isapnpcfg);
---------------------------------------------------------
[BUG] pretty sure. rank should not be easy since it's passed to FN (BROKE)
/u2/engler/mc/oses/linux/2.4.17/net/8021q/vlanproc.c:256:vlan_proc_read: ERROR:INVERSE:244:256:UNREVERSED 'page' on error path! set by 'kmalloc':244 [nbytes=1] [rank=easy] [COUNTER=kmalloc:244] [ERROR] [fit=10] [fit_fn=1] [fn_ex=1] [fn_counter=1] [ex=2] [counter=1] [z = -2.25170500701057] [fn-z = -2.91998558035372]
dent = inode->u.generic_ip;
if ((dent == NULL) || (dent->get_info == NULL))
return 0;
Start --->
page = kmalloc(VLAN_PROC_BUFSZ, GFP_KERNEL);
VLAN_MEM_DBG("page malloc, addr: %p size: %i\n",
page, VLAN_PROC_BUFSZ);
if (page == NULL)
return -ENOBUFS;
pos = dent->get_info(page, dent->data, 0, 0);
offs = file->f_pos;
if (offs < pos) {
len = min_t(int, pos - offs, count);
if (copy_to_user(buf, (page + offs), len))
Error --->
return -EFAULT;
file->f_pos += len;
} else {
---------------------------------------------------------
[BUG] i think so. hard to follow paths though (FPP?)
/u2/engler/mc/oses/linux/2.4.17/fs/isofs/rock.c:588:rock_ridge_symlink_readpage: ERROR:INVERSE:560:588:UNREVERSED 'buffer' on error path! set by 'kmalloc':560 [nbytes=0] [rank=easy] [COUNTER=kmalloc:560] [ERROR] [fit=11] [fit_fn=1] [fn_ex=2] [fn_counter=1] [ex=2] [counter=1] [z = -2.25170500701057] [fn-z = -2.25170500701057]
CHECK_CE;
default:
break;
}
}
Start --->
MAYBE_CONTINUE(repeat, inode);
... DELETED 22 lines ...
brelse(bh);
unlock_kernel();
SetPageError(page);
kunmap(page);
UnlockPage(page);
Error --->
return -EIO;
}
struct address_space_operations isofs_symlink_aops = {
---------------------------------------------------------
[BUG] great stat example, since freed right above; p0 should be lower though.
/u2/engler/mc/oses/linux/2.4.17/drivers/net/pcmcia/aironet4500_cs.c:219:awc_attach: ERROR:INVERSE:179:219:UNREVERSED 'link' on error path! set by 'kmalloc':179 [nbytes=144] [rank=easy] [COUNTER=kmalloc:179] [ERROR] [fit=12] [fit_fn=1] [fn_ex=2] [fn_counter=1] [ex=2] [counter=1] [z = -2.25170500701057] [fn-z = -2.25170500701057]
PC_DEBUG(0, "awc_attach()\n");
flush_stale_links();
/* Create the PC card device object. */
Start --->
link = kmalloc(sizeof(struct dev_link_t), GFP_KERNEL);
... DELETED 34 lines ...
kfree(link);
return NULL;
};
memset(dev,0,sizeof(struct net_device));
dev->priv = kmalloc(sizeof(struct awc_private), GFP_KERNEL);
Error --->
if (!dev->priv ) {printk(KERN_CRIT "out of mem on dev priv alloc \n"); return NULL;};
memset(dev->priv,0,sizeof(struct awc_private));
// link->dev->minor = dev->minor;
---------------------------------------------------------
[BUG] really good stat example --- code below frees when "on" true, showing
that its a valid path (or the other guy is wrong).
/u2/engler/mc/oses/linux/2.4.17/net/socket.c:760:sock_fasync: ERROR:INVERSE:751:760:UNREVERSED 'fna' on error path! set by 'kmalloc':751 [nbytes=16] [rank=easy] [COUNTER=kmalloc:751] [ERROR] [fit=16] [fit_fn=1] [fn_ex=1] [fn_counter=1] [ex=1] [counter=1] [z = -2.91998558035372] [fn-z = -2.91998558035372]
struct socket *sock;
struct sock *sk;
if (on)
{
Start --->
fna=(struct fasync_struct *)kmalloc(sizeof(struct fasync_struct), GFP_KERNEL);
if(fna==NULL)
return -ENOMEM;
}
sock = socki_lookup(filp->f_dentry->d_inode);
if ((sk=sock->sk) == NULL)
Error --->
return -EINVAL;
lock_sock(sk);
---------------------------------------------------------
[BUG] stat is not so good here since the bug is easy, but no corrective
action in function pushes error low.
/u2/engler/mc/oses/linux/2.4.17/drivers/mtd/chips/sharp.c:120:sharp_probe: ERROR:INVERSE:114:120:UNREVERSED 'mtd' on error path! set by 'kmalloc':114 [nbytes=124] [rank=easy] [COUNTER=kmalloc:114] [ERROR] [fit=19] [fit_fn=1] [fn_ex=1] [fn_counter=1] [ex=1] [counter=1] [z = -2.91998558035372] [fn-z = -2.91998558035372]
{
struct mtd_info *mtd = NULL;
struct sharp_info *sharp = NULL;
int width;
Start --->
mtd = kmalloc(sizeof(*mtd), GFP_KERNEL);
if(!mtd)
return NULL;
sharp = kmalloc(sizeof(*sharp), GFP_KERNEL);
if(!sharp)
Error --->
return NULL;
memset(mtd, 0, sizeof(*mtd));
---------------------------------------------------------
[BUG] weird though: they sometimes free, sometimes not.
/u2/engler/mc/oses/linux/2.4.17/drivers/mtd/chips/cfi_cmdset_0002.c:177:cfi_amdstd_setup: ERROR:INVERSE:150:177:UNREVERSED 'mtd' on error path! set by 'kmalloc':150 [nbytes=124] [rank=easy] [COUNTER=kmalloc:150] [ERROR] [fit=24] [fit_fn=1] [fn_ex=1] [fn_counter=2] [ex=3] [counter=2] [z = -3.59092423229804] [fn-z = -4.90076972114066]
{
struct cfi_private *cfi = map->fldrv_priv;
struct mtd_info *mtd;
unsigned long devsize = (1<<cfi->cfiq->DevSize) * cfi->interleave;
Start --->
mtd = kmalloc(sizeof(*mtd), GFP_KERNEL);
... DELETED 21 lines ...
mtd->numeraseregions = cfi->cfiq->NumEraseRegions * cfi->numchips;
mtd->eraseregions = kmalloc(sizeof(struct mtd_erase_region_info) * mtd->numeraseregions, GFP_KERNEL);
if (!mtd->eraseregions) {
printk(KERN_WARNING "Failed to allocate memory for MTD erase region info\n");
kfree(cfi->cmdset_priv);
Error --->
return NULL;
}
for (i=0; i<cfi->cfiq->NumEraseRegions; i++) {
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/mtd/chips/cfi_cmdset_0002.c:200:cfi_amdstd_setup: ERROR:INVERSE:150:200:UNREVERSED 'mtd' on error path! set by 'kmalloc':150 [nbytes=124] [rank=easy] [COUNTER=kmalloc:150] [ERROR] [fit=24] [fit_fn=1] [fn_ex=1] [fn_counter=2] [ex=3] [counter=2] [z = -3.59092423229804] [fn-z = -4.90076972114066]
{
struct cfi_private *cfi = map->fldrv_priv;
struct mtd_info *mtd;
unsigned long devsize = (1<<cfi->cfiq->DevSize) * cfi->interleave;
Start --->
mtd = kmalloc(sizeof(*mtd), GFP_KERNEL);
... DELETED 44 lines ...
if (offset != devsize) {
/* Argh */
printk(KERN_WARNING "Sum of regions (%lx) != total size of set of interleaved chips (%lx)\n", offset, devsize);
kfree(mtd->eraseregions);
kfree(cfi->cmdset_priv);
Error --->
return NULL;
}
#if 0
// debug
---------------------------------------------------------
[BUG] security --- has an example at the very end.
/u2/engler/mc/oses/linux/2.4.17/drivers/scsi/cpqfcTSinit.c:554:cpqfcTS_ioctl: ERROR:INVERSE:539:554:UNREVERSED 'buf' on error path! set by 'kmalloc':539 [nbytes=0] [rank=easy] [COUNTER=kmalloc:539] [ERROR] [fit=25] [fit_fn=1] [fn_ex=1] [fn_counter=2] [ex=2] [counter=2] [z = -4.12948320967011] [fn-z = -4.90076972114066]
vendor_cmd = ioc.argp; // i.e., CPQ specific command struct
// If necessary, grab a kernel/DMA buffer
if( vendor_cmd->len)
{
Start --->
buf = kmalloc( vendor_cmd->len, GFP_KERNEL);
... DELETED 9 lines ...
// Need data from user?
// make sure caller's buffer is in kernel space.
if( (vendor_cmd->rw_flag == VENDOR_WRITE_OPCODE) &&
vendor_cmd->len)
if( copy_from_user( buf, vendor_cmd->bufp, vendor_cmd->len))
Error --->
return( -EFAULT);
// copy the CDB (if/when MAX_COMMAND_SIZE is 16, remove copy below)
memcpy( &ScsiPassThruCmnd->cmnd[0],
---------------------------------------------------------
[BUG] beautiful example of how stat helps --- frees it right below!
/u2/engler/mc/oses/linux/2.4.17/drivers/scsi/cpqfcTSinit.c:630:cpqfcTS_ioctl: ERROR:INVERSE:539:630:UNREVERSED 'buf' on error path! set by 'kmalloc':539 [nbytes=0] [rank=easy] [COUNTER=kmalloc:539] [ERROR] [fit=25] [fit_fn=1] [fn_ex=1] [fn_counter=2] [ex=2] [counter=2] [z = -4.12948320967011] [fn-z = -4.90076972114066]
vendor_cmd = ioc.argp; // i.e., CPQ specific command struct
// If necessary, grab a kernel/DMA buffer
if( vendor_cmd->len)
{
Start --->
buf = kmalloc( vendor_cmd->len, GFP_KERNEL);
... DELETED 85 lines ...
// need to pass data back to user (space)?
if( (vendor_cmd->rw_flag == VENDOR_READ_OPCODE) &&
vendor_cmd->len )
if( copy_to_user( vendor_cmd->bufp, buf, vendor_cmd->len))
Error --->
return( -EFAULT);
if( buf)
kfree( buf);
---------------------------------------------------------
[BUG] good stat example.
/u2/engler/mc/oses/linux/2.4.17/drivers/isdn/avmb1/capi.c:1194:capinc_raw_write: ERROR:INVERSE:1182:1194:UNREVERSED 'skb' on error path! set by 'alloc_skb':1182 [nbytes=168] [rank=easy] [COUNTER=alloc_skb:1182] [ERROR] [fit=26] [fit_fn=1] [fn_ex=2] [fn_counter=2] [ex=2] [counter=2] [z = -4.12948320967011] [fn-z = -4.12948320967011]
return -ESPIPE;
if (!mp || !mp->nccip)
return -EINVAL;
Start --->
skb = alloc_skb(CAPI_DATA_B3_REQ_LEN+count, GFP_USER);
if (!skb)
return -ENOMEM;
skb_reserve(skb, CAPI_DATA_B3_REQ_LEN);
if ((retval = copy_from_user(skb_put(skb, count), buf, count))) {
kfree_skb(skb);
return -EFAULT;
}
while (skb_queue_len(&mp->outqueue) > CAPINC_MAX_SENDQUEUE) {
if (file->f_flags & O_NONBLOCK)
Error --->
return -EAGAIN;
interruptible_sleep_on(&mp->sendwait);
if (mp->nccip == 0) {
kfree_skb(skb);
---------------------------------------------------------
[BUG] another stat.
/u2/engler/mc/oses/linux/2.4.17/drivers/isdn/avmb1/capi.c:1201:capinc_raw_write: ERROR:INVERSE:1182:1201:UNREVERSED 'skb' on error path! set by 'alloc_skb':1182 [nbytes=168] [rank=easy] [COUNTER=alloc_skb:1182] [ERROR] [fit=26] [fit_fn=1] [fn_ex=2] [fn_counter=2] [ex=2] [counter=2] [z = -4.12948320967011] [fn-z = -4.12948320967011]
return -ESPIPE;
if (!mp || !mp->nccip)
return -EINVAL;
Start --->
skb = alloc_skb(CAPI_DATA_B3_REQ_LEN+count, GFP_USER);
... DELETED 13 lines ...
if (mp->nccip == 0) {
kfree_skb(skb);
return -EIO;
}
if (signal_pending(current))
Error --->
return -ERESTARTNOHAND;
}
skb_queue_tail(&mp->outqueue, skb);
mp->outbytes += skb->len;
---------------------------------------------------------
[BUG] security hole (not good for stat though)
/u2/engler/mc/oses/linux/2.4.17/drivers/telephony/ixj.c:5998:ixj_build_filter_cadence: ERROR:INVERSE:5987:5998:UNREVERSED 'lcp' on error path! set by 'kmalloc':5987 [nbytes=32] [rank=easy] [COUNTER=kmalloc:5987] [ERROR] [fit=29] [fit_fn=1] [fn_ex=1] [fn_counter=2] [ex=1] [counter=2] [z = -4.90076972114066] [fn-z = -4.90076972114066]
}
static int ixj_build_filter_cadence(IXJ *j, IXJ_FILTER_CADENCE * cp)
{
IXJ_FILTER_CADENCE *lcp;
Start --->
lcp = kmalloc(sizeof(IXJ_FILTER_CADENCE), GFP_KERNEL);
if (lcp == NULL) {
if(ixjdebug & 0x0001) {
printk(KERN_INFO "Could not allocate memory for cadence\n");
}
return -ENOMEM;
}
if (copy_from_user(lcp, (char *) cp, sizeof(IXJ_FILTER_CADENCE))) {
if(ixjdebug & 0x0001) {
printk(KERN_INFO "Could not copy cadence to kernel\n");
}
Error --->
return -EFAULT;
}
if (lcp->filter > 5) {
if(ixjdebug & 0x0001) {
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/telephony/ixj.c:6004:ixj_build_filter_cadence: ERROR:INVERSE:5987:6004:UNREVERSED 'lcp' on error path! set by 'kmalloc':5987 [nbytes=32] [rank=easy] [COUNTER=kmalloc:5987] [ERROR] [fit=29] [fit_fn=1] [fn_ex=1] [fn_counter=2] [ex=1] [counter=2] [z = -4.90076972114066] [fn-z = -4.90076972114066]
}
static int ixj_build_filter_cadence(IXJ *j, IXJ_FILTER_CADENCE * cp)
{
IXJ_FILTER_CADENCE *lcp;
Start --->
lcp = kmalloc(sizeof(IXJ_FILTER_CADENCE), GFP_KERNEL);
... DELETED 11 lines ...
}
if (lcp->filter > 5) {
if(ixjdebug & 0x0001) {
printk(KERN_INFO "Cadence out of range\n");
}
Error --->
return -1;
}
j->cadence_f[lcp->filter].state = 0;
j->cadence_f[lcp->filter].enable = lcp->enable;
---------------------------------------------------------
[BUG] but should have been demoted. good for stat [example above]
/u2/engler/mc/oses/linux/2.4.17/drivers/media/video/msp3400.c:1265:msp_attach: ERROR:INVERSE:1243:1265:UNREVERSED 'c' on error path! set by 'kmalloc':1243 [nbytes=60] [rank=easy] [COUNTER=kmalloc:1243] [ERROR] [fit=31] [fit_fn=1] [fn_ex=1] [fn_counter=2] [ex=1] [counter=2] [z = -4.90076972114066] [fn-z = -4.90076972114066]
if (-1 == msp3400c_reset(&client_template)) {
dprintk("msp3400: no chip found\n");
return -1;
}
Start --->
if (NULL == (c = kmalloc(sizeof(struct i2c_client),GFP_KERNEL)))
... DELETED 16 lines ...
init_waitqueue_head(&msp->wq);
if (-1 == msp3400c_reset(c)) {
kfree(msp);
dprintk("msp3400: no chip found\n");
Error --->
return -1;
}
rev1 = msp3400c_read(c, I2C_MSP3400C_DFP, 0x1e);
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/media/video/msp3400.c:1274:msp_attach: ERROR:INVERSE:1243:1274:UNREVERSED 'c' on error path! set by 'kmalloc':1243 [nbytes=60] [rank=easy] [COUNTER=kmalloc:1243] [ERROR] [fit=31] [fit_fn=1] [fn_ex=1] [fn_counter=2] [ex=1] [counter=2] [z = -4.90076972114066] [fn-z = -4.90076972114066]
if (-1 == msp3400c_reset(&client_template)) {
dprintk("msp3400: no chip found\n");
return -1;
}
Start --->
if (NULL == (c = kmalloc(sizeof(struct i2c_client),GFP_KERNEL)))
... DELETED 25 lines ...
if (-1 != rev1)
rev2 = msp3400c_read(c, I2C_MSP3400C_DFP, 0x1f);
if ((-1 == rev1) || (0 == rev1 && 0 == rev2)) {
kfree(msp);
printk("msp3400: error while reading chip version\n");
Error --->
return -1;
}
#if 0
---------------------------------------------------------
[BUG] security hole; reasonable example for stat (final cleanup frees)
/u2/engler/mc/oses/linux/2.4.17/drivers/md/lvm.c:1529:lvm_do_vg_create: ERROR:INVERSE:1510:1529:UNREVERSED 'snap_lv_ptr' on error path! set by 'vmalloc':1510 [nbytes=4] [rank=easy] [COUNTER=vmalloc:1510] [ERROR] [fit=32] [fit_fn=1] [fn_ex=1] [fn_counter=4] [ex=1] [counter=4] [z = -7.69483764063865] [fn-z = -7.69483764063865]
}
}
}
size = vg_ptr->lv_max * sizeof(lv_t *);
Start --->
if ((snap_lv_ptr = vmalloc ( size)) == NULL) {
... DELETED 13 lines ...
if ((lvp = vg_ptr->lv[l]) != NULL) {
if (copy_from_user(&lv, lvp, sizeof(lv_t)) != 0) {
P_IOCTL("ERROR: copying LV ptr %p (%d bytes)\n",
lvp, sizeof(lv_t));
lvm_do_vg_remove(minor);
Error --->
return -EFAULT;
}
if ( lv.lv_access & LV_SNAPSHOT) {
snap_lv_ptr[ls] = lvp;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/md/lvm.c:1541:lvm_do_vg_create: ERROR:INVERSE:1510:1541:UNREVERSED 'snap_lv_ptr' on error path! set by 'vmalloc':1510 [nbytes=4] [rank=easy] [COUNTER=vmalloc:1510] [ERROR] [fit=32] [fit_fn=1] [fn_ex=1] [fn_counter=4] [ex=1] [counter=4] [z = -7.69483764063865] [fn-z = -7.69483764063865]
}
}
}
size = vg_ptr->lv_max * sizeof(lv_t *);
Start --->
if ((snap_lv_ptr = vmalloc ( size)) == NULL) {
... DELETED 25 lines ...
}
vg_ptr->lv[l] = NULL;
/* only create original logical volumes for now */
if (lvm_do_lv_create(minor, lv.lv_name, &lv) != 0) {
lvm_do_vg_remove(minor);
Error --->
return -EFAULT;
}
}
}
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/md/lvm.c:1552:lvm_do_vg_create: ERROR:INVERSE:1510:1552:UNREVERSED 'snap_lv_ptr' on error path! set by 'vmalloc':1510 [nbytes=4] [rank=easy] [COUNTER=vmalloc:1510] [ERROR] [fit=32] [fit_fn=1] [fn_ex=1] [fn_counter=4] [ex=1] [counter=4] [z = -7.69483764063865] [fn-z = -7.69483764063865]
}
}
}
size = vg_ptr->lv_max * sizeof(lv_t *);
Start --->
if ((snap_lv_ptr = vmalloc ( size)) == NULL) {
... DELETED 36 lines ...
in place during first path above */
for (l = 0; l < ls; l++) {
lv_t *lvp = snap_lv_ptr[l];
if (copy_from_user(&lv, lvp, sizeof(lv_t)) != 0) {
lvm_do_vg_remove(minor);
Error --->
return -EFAULT;
}
if (lvm_do_lv_create(minor, lv.lv_name, &lv) != 0) {
lvm_do_vg_remove(minor);
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/md/lvm.c:1556:lvm_do_vg_create: ERROR:INVERSE:1510:1556:UNREVERSED 'snap_lv_ptr' on error path! set by 'vmalloc':1510 [nbytes=4] [rank=easy] [COUNTER=vmalloc:1510] [ERROR] [fit=32] [fit_fn=1] [fn_ex=1] [fn_counter=4] [ex=1] [counter=4] [z = -7.69483764063865] [fn-z = -7.69483764063865]
}
}
}
size = vg_ptr->lv_max * sizeof(lv_t *);
Start --->
if ((snap_lv_ptr = vmalloc ( size)) == NULL) {
... DELETED 40 lines ...
lvm_do_vg_remove(minor);
return -EFAULT;
}
if (lvm_do_lv_create(minor, lv.lv_name, &lv) != 0) {
lvm_do_vg_remove(minor);
Error --->
return -EFAULT;
}
}
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sat Jun 15 2002 - 22:00:15 EST