[Ocfs2-tools-devel] [PATCH 1/1] libocfs2: Do not dereference pointer after free in ocfs2_size_slot_map()

Joel Becker Joel.Becker at oracle.com
Mon Feb 23 14:33:04 PST 2009 

On Mon, Feb 23, 2009 at 01:44:51PM -0800, Sunil Mushran wrote:
> In ocfs2_size_slot_map(), we are accessing an element of the cached inode
> after we have freed it.
> 
> Signed-off-by: Sunil Mushran <sunil.mushran at oracle.com>

	Half of these hunks are not needed - ci is valid when you use it
for blkno everywhere except when you re-read it.  However, I see that
you're basically doing "we have a blkno variable, might as well use it."
Ounds good.

Signed-off-by: Joel Becker <joel.becker at oracle.com>

> ---
>  libocfs2/slot_map.c |   14 +++++++-------
>  1 files changed, 7 insertions(+), 7 deletions(-)
> 
> diff --git a/libocfs2/slot_map.c b/libocfs2/slot_map.c
> index 5bb19a4..c33f458 100644
> --- a/libocfs2/slot_map.c
> +++ b/libocfs2/slot_map.c
> @@ -359,8 +359,10 @@ static errcode_t ocfs2_size_slot_map(ocfs2_filesys *fs,
>  	struct ocfs2_dinode *di;
>  	unsigned int clusters;
>  	uint64_t new_size;
> +	uint64_t blkno;
>  
>  	di = sf->ci->ci_inode;
> +	blkno = sf->ci->ci_blkno;
>  
>  	clusters = sf->needed_bytes + fs->fs_clustersize - 1;
>  	clusters = clusters >> OCFS2_RAW_SB(fs->fs_super)->s_clustersize_bits;
> @@ -381,7 +383,7 @@ static errcode_t ocfs2_size_slot_map(ocfs2_filesys *fs,
>  	}
>  
>  	if (clusters > di->i_clusters) {
> -		ret = ocfs2_extend_allocation(fs, sf->ci->ci_blkno,
> +		ret = ocfs2_extend_allocation(fs, blkno,
>  					      (clusters - di->i_clusters));
>  		if (ret)
>  			goto out;
> @@ -390,8 +392,7 @@ static errcode_t ocfs2_size_slot_map(ocfs2_filesys *fs,
>  		 * work done in extend_allocation won't be reflected
>  		 * in our now stale copy. */
>  		ocfs2_free_cached_inode(fs, sf->ci);
> -		ret = ocfs2_read_cached_inode(fs, sf->ci->ci_blkno,
> -					      &sf->ci);
> +		ret = ocfs2_read_cached_inode(fs, blkno, &sf->ci);
>  		if (ret) {
>  			sf->ci = NULL;
>  			goto out;
> @@ -400,13 +401,12 @@ static errcode_t ocfs2_size_slot_map(ocfs2_filesys *fs,
>  	} else if (clusters < di->i_clusters) {
>  		new_size = clusters <<
>  				OCFS2_RAW_SB(fs->fs_super)->s_clustersize_bits;
> -		ret = ocfs2_truncate(fs, sf->ci->ci_blkno, new_size);
> +		ret = ocfs2_truncate(fs, blkno, new_size);
>  		if (ret)
>  			goto out;
>  
>  		ocfs2_free_cached_inode(fs, sf->ci);
> -		ret = ocfs2_read_cached_inode(fs, sf->ci->ci_blkno,
> -					      &sf->ci);
> +		ret = ocfs2_read_cached_inode(fs, blkno, &sf->ci);
>  		if (ret) {
>  			sf->ci = NULL;
>  			goto out;
> @@ -423,7 +423,7 @@ static errcode_t ocfs2_size_slot_map(ocfs2_filesys *fs,
>  			OCFS2_RAW_SB(fs->fs_super)->s_clustersize_bits;
>  	di->i_mtime = time(NULL);
>  
> -	ret = ocfs2_write_inode(fs, sf->ci->ci_blkno, (char *)di);
> +	ret = ocfs2_write_inode(fs, blkno, (char *)di);
>  	if (ret)
>  		goto out;
>  
> -- 
> 1.5.6.3
> 
> 
> _______________________________________________
> Ocfs2-tools-devel mailing list
> Ocfs2-tools-devel at oss.oracle.com
> http://oss.oracle.com/mailman/listinfo/ocfs2-tools-devel

-- 

"There are only two ways to live your life. One is as though nothing
 is a miracle. The other is as though everything is a miracle."
        - Albert Einstein

Joel Becker
Principal Software Developer
Oracle
E-mail: joel.becker at oracle.com
Phone: (650) 506-8127

More information about the Ocfs2-tools-devel mailing list