2013/11/22 Phillip Lougher <phil...@lougher.demon.co.uk>:
> On 22/11/13 21:50, Geyslan Gregório Bem wrote:
>>
>> Coverity caught double free possibility (CID 1130962).
>>
>> I can patch this, but I have to know if is correct to free comp_opts
>> in the function squashfs_decompressor_create() or it had to be done in
>> the caller. My bet is the caller.
>>
>>
>> 128void *squashfs_decompressor_setup(struct super_block *sb, unsigned
>> short flags)
>> 129{
>> 130 struct squashfs_sb_info *msblk = sb->s_fs_info;
>> 131 void *stream, *comp_opts = get_comp_opts(sb, flags);
>> 132
>>
>> 1. Condition "IS_ERR(comp_opts)", taking false branch
>> 133 if (IS_ERR(comp_opts))
>> 134 return comp_opts;
>> 135
>>
>> 2. freed_arg: "squashfs_decompressor_create(struct squashfs_sb_info *,
>> void *)" frees "comp_opts".[show details]
>> 136 stream = squashfs_decompressor_create(msblk, comp_opts);
>>
>> 3. Condition "IS_ERR(stream)", taking true branch
>> 137 if (IS_ERR(stream))
>
>
> FALSE positive.
>
> squashfs_decompressor_create() frees comp_opts only on success.
>
> If IS_ERR(stream) is true, then comp_opts has not been freed by
> squashfs_decompressor_create().
>
> Phillip
>
>
>
>>
>> CID 1130962 (#1 of 1): Double free (USE_AFTER_FREE)4. double_free:
>> Calling "kfree(void const *)" frees pointer "comp_opts" which has
>> already been freed.
>> 138 kfree(comp_opts);
>> 139
>> 140 return stream;
>> 141}
>>
>>
>
Philip, set as false positive in Coverity. Thanks.
--
Regards,
Geyslan G. Bem
hackingbits.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
