Re: [PATCH] mtd: virt_concat: fix use-after-free in mtd_virt_concat_destroy_joins()
From: Miquel Raynal
Date: Mon Jun 22 2026 - 03:34:34 EST
On 16/06/2026 at 22:31:28 +02, "Luca Ceresoli" <luca.ceresoli@xxxxxxxxxxx> wrote:
> On Tue Jun 16, 2026 at 12:13 PM CEST, Dan Carpenter wrote:
>> On Tue, Jun 16, 2026 at 11:51:53AM +0200, Luca Ceresoli wrote:
Yes, container_of() for issue 1 seems to be a better approach.
>>> Issue 2: in mtd_virt_concat_destroy_joins():
>>>
>>>     list_for_each_entry_safe(item, tmp, &concat_node_list, head) {
>>>             mtd = &item->concat->mtd;   [0]
>>>             if (item->concat) {         [1]
>>>
>>> At line [0] we dereference item->concat, but at line [1] we apparently
>>> handle the case where item->concat can be NULL. Either [1] is always true
>>> and we can remove the if(), or [1] can be false, so [0] is a bug and should
>>> probably be moved to inside the if().
>>
>> That's not a dereference on line 0, it's pointer math. So the code
>> works. But a lot of people find the distinction confusing.
>
> Ah, indeed, you are right on both aspects: it's just pointer math (not a
> bug) + it is confusing code.
>
> So moving [0] inside the if() would be a readability improvement IMO, but
> definitely not a bugfix.
Yes!
Thanks,
Miquèl
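The distinction the thread settles on, shown as an added example that is not part of the thread or of the virt_concat driver: `&item->concat->mtd` is address arithmetic (base pointer plus the member offset), so a NULL `concat` yields `offsetof()` rather than a fault, while the readable form only builds the pointer once the check has passed. The struct layouts below are stand-ins, not the kernel's real definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the kernel's struct mtd_info and the virt_concat
 * structures (assumed layouts, not the real ones). */
struct mtd_info { char name[32]; size_t size; };
struct mtd_virt_concat { int nparts; struct mtd_info mtd; };
struct mtd_virt_concat_node { struct mtd_virt_concat *concat; };

/* Original shape: the member address is formed before concat is checked.
 * Applying '&' to a member access loads nothing from memory; it is
 * item->concat + offsetof(struct mtd_virt_concat, mtd), so a NULL concat
 * simply yields the bare offset. (Valid on GCC/Clang; the C standard
 * calls it undefined, which is part of why it reads as a bug.) */
uintptr_t mtd_addr_before_check(const struct mtd_virt_concat_node *item)
{
	struct mtd_info *mtd = &item->concat->mtd; /* pointer math only */

	return (uintptr_t)mtd;
}

/* Readability fix discussed in the thread: compute the pointer only once
 * concat is known to be non-NULL. Returns NULL when there is no concat. */
struct mtd_info *mtd_after_check(const struct mtd_virt_concat_node *item)
{
	if (!item->concat)
		return NULL;
	return &item->concat->mtd;
}

int main(void)
{
	struct mtd_virt_concat c = { .nparts = 2, .mtd = { "concat0", 4096 } };
	struct mtd_virt_concat_node with = { .concat = &c };
	struct mtd_virt_concat_node without = { .concat = NULL };

	printf("NULL concat: computed %#lx, offsetof %#zx\n",
	       (unsigned long)mtd_addr_before_check(&without),
	       offsetof(struct mtd_virt_concat, mtd));
	printf("valid concat: %s after check, %s before check\n",
	       mtd_after_check(&with)->name,
	       ((struct mtd_info *)mtd_addr_before_check(&with))->name);
	return 0;
}
```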