[CRIU] [PATCH 2/7] irmap: don't access a released variable
Pavel Emelyanov
xemul at virtuozzo.com
Wed Mar 9 04:24:26 PST 2016
On 03/08/2016 09:44 PM, Andrey Vagin wrote:
> From: Andrew Vagin <avagin at virtuozzo.com>
>
> p = &(*p)->next
> c = *p;
> *p = c->next;
> xfree(c);
> p = &(*p)->next
> ||
> \/
> p = &c->next
> *p = c->next;
> xfree(c);
> p = &(*p)->next
>
> Signed-off-by: Andrew Vagin <avagin at virtuozzo.com>
> ---
> criu/irmap.c | 11 +++++------
> 1 file changed, 5 insertions(+), 6 deletions(-)
>
> diff --git a/criu/irmap.c b/criu/irmap.c
> index c93a995..b855353 100644
> --- a/criu/irmap.c
> +++ b/criu/irmap.c
> @@ -189,7 +189,7 @@ static struct irmap *irmap_scan(struct irmap *t, unsigned int dev, unsigned long
> return NULL;
> }
>
> -static int irmap_revalidate(struct irmap *c, struct irmap **p)
> +static int irmap_revalidate(struct irmap *c)
> {
> struct stat st;
> int mntns_root;
> @@ -213,7 +213,6 @@ static int irmap_revalidate(struct irmap *c, struct irmap **p)
>
> invalid:
> pr_debug("\t%x:%lx is invalid\n", c->dev, c->ino);
> - *p = c->next;
So the freed c stays in the cacheline?
> xfree(c->path);
> xfree(c);
> return 1;
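Review bot: irmap_revalidate() now frees `c` and reports that only through its return value, and nothing in its interface says so; the function header starts in the previous hunk and deserves a comment such as `/* Returns 1 if the entry is stale: c->path and c are freed and c must not be touched afterwards. */`. The pr_debug() on the line above is the last read of `c` before the two xfree() calls, which is fine, but a caller reading only the prototype cannot tell that a non-zero return means the pointer it passed is gone. The body of irmap_revalidate() continues outside this hunk.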
> @@ -223,7 +222,7 @@ static bool doing_predump = false;
>
> char *irmap_lookup(unsigned int s_dev, unsigned long i_ino)
> {
> - struct irmap *c, *h, **p;
> + struct irmap *c, *h, *n;
> char *path = NULL;
> int hv;
> struct irmap_path_opt *o;
> @@ -243,12 +242,12 @@ char *irmap_lookup(unsigned int s_dev, unsigned long i_ino)
> timing_start(TIME_IRMAP_RESOLVE);
>
> hv = irmap_hashfn(s_dev, i_ino);
> - for (p = &cache[hv]; *p; p = &(*p)->next) {
> - c = *p;
> + for (c = cache[hv], n = c ? c->next : NULL;
> + c; c = n, n = c ? c->next : NULL) {
> if (!(c->dev == s_dev && c->ino == i_ino))
> continue;
>
> - if (c->revalidate && irmap_revalidate(c, p))
> + if (c->revalidate && irmap_revalidate(c))
> continue;
>
> pr_debug("\tFound %s in cache\n", c->path);
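Review bot: The comma-expression increment `c = n, n = c ? c->next : NULL` is the only thing that keeps this loop valid once irmap_revalidate() has freed `c` two lines earlier, and the hunk does not say so; a short comment on the `for` line, e.g. `/* read n before revalidate() can free c */`, would make the intent explicit to the next reader. The `c ? c->next : NULL` expression is also written twice (initializer and increment); a `static inline` helper returning the next entry or NULL would remove the duplication, though that is a style preference. irmap_lookup() and this loop body both continue past the end of the hunk.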
>