From: Chao Yu <yuchao0@huawei•com>
To: coverity-bot <keescook@chromium•org>
Cc: Jaegeuk Kim <jaegeuk@kernel•org>,
"Gustavo A. R. Silva" <gustavo@embeddedor•com>,
<linux-next@vger•kernel.org>
Subject: Re: Coverity: add_ipu_page(): Memory - illegal accesses
Date: Tue, 12 Nov 2019 10:48:19 +0800 [thread overview]
Message-ID: <b5adecc4-68ed-09f4-8ed5-90a57f689259@huawei.com> (raw)
In-Reply-To: <201911111734.21CB897FD@keescook>
On 2019/11/12 9:34, coverity-bot wrote:
> Hello!
>
> This is an experimental automated report about issues detected by Coverity
> from a scan of next-20191108 as part of the linux-next weekly scan project:
> https://scan.coverity.com/projects/linux-next-weekly-scan
>
> You're getting this email because you were associated with the identified
> lines of code (noted below) that were touched by recent commits:
>
> 0b20fcec8651 ("f2fs: cache global IPU bio")
>
> Coverity reported the following:
>
> *** CID 1487851: Memory - illegal accesses (USE_AFTER_FREE)
> /fs/f2fs/data.c: 604 in add_ipu_page()
> 598 break;
> 599 }
> 600 up_write(&io->bio_list_lock);
> 601 }
> 602
> 603 if (ret) {
> vvv CID 1487851: Memory - illegal accesses (USE_AFTER_FREE)
> vvv Calling "bio_put" dereferences freed pointer "*bio".
> 604 bio_put(*bio);
> 605 *bio = NULL;
> 606 }
> 607
> 608 return ret;
> 609 }
Thanks for the report.
I double check these related codes:
static int add_ipu_page(struct f2fs_sb_info *sbi, struct bio **bio,
struct page *page)
{
enum temp_type temp;
bool found = false;
int ret = -EAGAIN;
for (temp = HOT; temp < NR_TEMP_TYPE && !found; temp++) {
struct f2fs_bio_info *io = sbi->write_io[DATA] + temp;
struct list_head *head = &io->bio_list;
struct bio_entry *be;
down_write(&io->bio_list_lock);
list_for_each_entry(be, head, list) {
if (be->bio != *bio)
continue;
found = true;
if (bio_add_page(*bio, page, PAGE_SIZE, 0) == PAGE_SIZE) {
ret = 0;
break;
}
/* bio is full */
del_bio_entry(be);
__submit_bio(sbi, *bio, DATA);
break;
}
up_write(&io->bio_list_lock);
}
if (ret) {
If we get here, that means 1) found nothing due to someone has submitted bio for
us, or 2) found target bio, however bio is full, we submitted the bio. For both
conditions, previously, we grab one extra ref on bio, here, we just release the
ref and reset *bio to NULL, then caller can allocate new bio.
Let me know if I'm missing something.
bio_put(*bio);
*bio = NULL;
}
return ret;
}
>
> If this is a false positive, please let us know so we can mark it as
> such, or teach the Coverity rules to be smarter. If not, please make
> sure fixes get into linux-next. :) For patches fixing this, please
> include these lines (but double-check the "Fixes" first):
>
> Reported-by: coverity-bot <keescook+coverity-bot@chromium•org>
> Addresses-Coverity-ID: 1487851 ("Memory - illegal accesses")
> Fixes: 0b20fcec8651 ("f2fs: cache global IPU bio")
>
>
> Thanks for your attention!
>
next prev parent reply other threads:[~2019-11-12 2:48 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-12 1:34 Coverity: add_ipu_page(): Memory - illegal accesses coverity-bot
2019-11-12 2:48 ` Chao Yu [this message]
2019-11-12 22:47 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b5adecc4-68ed-09f4-8ed5-90a57f689259@huawei.com \
--to=yuchao0@huawei$(echo .)com \
--cc=gustavo@embeddedor$(echo .)com \
--cc=jaegeuk@kernel$(echo .)org \
--cc=keescook@chromium$(echo .)org \
--cc=linux-next@vger$(echo .)kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox