* Coverity: add_ipu_page(): Memory - illegal accesses
@ 2019-11-12 1:34 coverity-bot
2019-11-12 2:48 ` Chao Yu
0 siblings, 1 reply; 3+ messages in thread
From: coverity-bot @ 2019-11-12 1:34 UTC (permalink / raw)
To: Chao Yu; +Cc: Jaegeuk Kim, Gustavo A. R. Silva, linux-next
Hello!
This is an experimental automated report about issues detected by Coverity
from a scan of next-20191108 as part of the linux-next weekly scan project:
https://scan.coverity.com/projects/linux-next-weekly-scan
You're getting this email because you were associated with the identified
lines of code (noted below) that were touched by recent commits:
0b20fcec8651 ("f2fs: cache global IPU bio")
Coverity reported the following:
*** CID 1487851: Memory - illegal accesses (USE_AFTER_FREE)
/fs/f2fs/data.c: 604 in add_ipu_page()
598 break;
599 }
600 up_write(&io->bio_list_lock);
601 }
602
603 if (ret) {
vvv CID 1487851: Memory - illegal accesses (USE_AFTER_FREE)
vvv Calling "bio_put" dereferences freed pointer "*bio".
604 bio_put(*bio);
605 *bio = NULL;
606 }
607
608 return ret;
609 }
If this is a false positive, please let us know so we can mark it as
such, or teach the Coverity rules to be smarter. If not, please make
sure fixes get into linux-next. :) For patches fixing this, please
include these lines (but double-check the "Fixes" first):
Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 1487851 ("Memory - illegal accesses")
Fixes: 0b20fcec8651 ("f2fs: cache global IPU bio")
Thanks for your attention!
--
Coverity-bot
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: Coverity: add_ipu_page(): Memory - illegal accesses 2019-11-12 1:34 Coverity: add_ipu_page(): Memory - illegal accesses coverity-bot @ 2019-11-12 2:48 ` Chao Yu 2019-11-12 22:47 ` Kees Cook 0 siblings, 1 reply; 3+ messages in thread From: Chao Yu @ 2019-11-12 2:48 UTC (permalink / raw) To: coverity-bot; +Cc: Jaegeuk Kim, Gustavo A. R. Silva, linux-next On 2019/11/12 9:34, coverity-bot wrote: > Hello! > > This is an experimental automated report about issues detected by Coverity > from a scan of next-20191108 as part of the linux-next weekly scan project: > https://scan.coverity.com/projects/linux-next-weekly-scan > > You're getting this email because you were associated with the identified > lines of code (noted below) that were touched by recent commits: > > 0b20fcec8651 ("f2fs: cache global IPU bio") > > Coverity reported the following: > > *** CID 1487851: Memory - illegal accesses (USE_AFTER_FREE) > /fs/f2fs/data.c: 604 in add_ipu_page() > 598 break; > 599 } > 600 up_write(&io->bio_list_lock); > 601 } > 602 > 603 if (ret) { > vvv CID 1487851: Memory - illegal accesses (USE_AFTER_FREE) > vvv Calling "bio_put" dereferences freed pointer "*bio". > 604 bio_put(*bio); > 605 *bio = NULL; > 606 } > 607 > 608 return ret; > 609 } Thanks for the report. I double check these related codes: static int add_ipu_page(struct f2fs_sb_info *sbi, struct bio **bio, struct page *page) { enum temp_type temp; bool found = false; int ret = -EAGAIN; for (temp = HOT; temp < NR_TEMP_TYPE && !found; temp++) { struct f2fs_bio_info *io = sbi->write_io[DATA] + temp; struct list_head *head = &io->bio_list; struct bio_entry *be; down_write(&io->bio_list_lock); list_for_each_entry(be, head, list) { if (be->bio != *bio) continue; found = true; if (bio_add_page(*bio, page, PAGE_SIZE, 0) == PAGE_SIZE) { ret = 0; break; } /* bio is full */ del_bio_entry(be); __submit_bio(sbi, *bio, DATA); break; } up_write(&io->bio_list_lock); } if (ret) { If we get here, that means 1) found nothing due to someone has submitted bio for us, or 2) found target bio, however bio is full, we submitted the bio. For both conditions, previously, we grab one extra ref on bio, here, we just release the ref and reset *bio to NULL, then caller can allocate new bio. Let me know if I'm missing something. bio_put(*bio); *bio = NULL; } return ret; } > > If this is a false positive, please let us know so we can mark it as > such, or teach the Coverity rules to be smarter. If not, please make > sure fixes get into linux-next. :) For patches fixing this, please > include these lines (but double-check the "Fixes" first): > > Reported-by: coverity-bot <keescook+coverity-bot@chromium.org> > Addresses-Coverity-ID: 1487851 ("Memory - illegal accesses") > Fixes: 0b20fcec8651 ("f2fs: cache global IPU bio") > > > Thanks for your attention! > ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Coverity: add_ipu_page(): Memory - illegal accesses 2019-11-12 2:48 ` Chao Yu @ 2019-11-12 22:47 ` Kees Cook 0 siblings, 0 replies; 3+ messages in thread From: Kees Cook @ 2019-11-12 22:47 UTC (permalink / raw) To: Chao Yu; +Cc: Jaegeuk Kim, Gustavo A. R. Silva, linux-next On Tue, Nov 12, 2019 at 10:48:19AM +0800, Chao Yu wrote: > On 2019/11/12 9:34, coverity-bot wrote: > > Hello! > > > > This is an experimental automated report about issues detected by Coverity > > from a scan of next-20191108 as part of the linux-next weekly scan project: > > https://scan.coverity.com/projects/linux-next-weekly-scan > > > > You're getting this email because you were associated with the identified > > lines of code (noted below) that were touched by recent commits: > > > > 0b20fcec8651 ("f2fs: cache global IPU bio") > > > > Coverity reported the following: > > > > *** CID 1487851: Memory - illegal accesses (USE_AFTER_FREE) > > /fs/f2fs/data.c: 604 in add_ipu_page() > > 598 break; > > 599 } > > 600 up_write(&io->bio_list_lock); > > 601 } > > 602 > > 603 if (ret) { > > vvv CID 1487851: Memory - illegal accesses (USE_AFTER_FREE) > > vvv Calling "bio_put" dereferences freed pointer "*bio". > > 604 bio_put(*bio); > > 605 *bio = NULL; > > 606 } > > 607 > > 608 return ret; > > 609 } > > Thanks for the report. > > I double check these related codes: > > static int add_ipu_page(struct f2fs_sb_info *sbi, struct bio **bio, > struct page *page) > { > enum temp_type temp; > bool found = false; > int ret = -EAGAIN; > > for (temp = HOT; temp < NR_TEMP_TYPE && !found; temp++) { > struct f2fs_bio_info *io = sbi->write_io[DATA] + temp; > struct list_head *head = &io->bio_list; > struct bio_entry *be; > > down_write(&io->bio_list_lock); > list_for_each_entry(be, head, list) { > if (be->bio != *bio) > continue; > > found = true; > > if (bio_add_page(*bio, page, PAGE_SIZE, 0) == PAGE_SIZE) { > ret = 0; > break; > } > > /* bio is full */ > del_bio_entry(be); > __submit_bio(sbi, *bio, DATA); > break; > } > up_write(&io->bio_list_lock); > } > > if (ret) { > > If we get here, that means 1) found nothing due to someone has submitted bio for > us, or 2) found target bio, however bio is full, we submitted the bio. For both > conditions, previously, we grab one extra ref on bio, here, we just release the > ref and reset *bio to NULL, then caller can allocate new bio. > > Let me know if I'm missing something. Okay, I've noted it as a false positive. I don't know this code at all, so I can't really comment on the lifetime expectations here. :) Thanks for looking at it! -Kees > > bio_put(*bio); > *bio = NULL; > } > > return ret; > } > > > > > If this is a false positive, please let us know so we can mark it as > > such, or teach the Coverity rules to be smarter. If not, please make > > sure fixes get into linux-next. :) For patches fixing this, please > > include these lines (but double-check the "Fixes" first): > > > > Reported-by: coverity-bot <keescook+coverity-bot@chromium.org> > > Addresses-Coverity-ID: 1487851 ("Memory - illegal accesses") > > Fixes: 0b20fcec8651 ("f2fs: cache global IPU bio") > > > > > > Thanks for your attention! > > -- Kees Cook ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-11-12 22:47 UTC | newest] Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2019-11-12 1:34 Coverity: add_ipu_page(): Memory - illegal accesses coverity-bot 2019-11-12 2:48 ` Chao Yu 2019-11-12 22:47 ` Kees Cook
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).