[CRIU] [PATCH 2/7] irmap: don't access a released variable

Andrew Vagin avagin at virtuozzo.com
Wed Mar 9 08:37:03 PST 2016


Pls, drop this patch. It's incorrect.

I sent "irmap: don't try to dereference a null pointer" to fix this
issue.

Thanks,
Andrew

On Wed, Mar 09, 2016 at 03:24:26PM +0300, Pavel Emelyanov wrote:
> On 03/08/2016 09:44 PM, Andrey Vagin wrote:
> > From: Andrew Vagin <avagin at virtuozzo.com>
> > 
> > p = &(*p)->next
> > c = *p;
> > *p = c->next;
> > xfree(c);
> > p = &(*p)->next
> >      ||
> >      \/
> > p = &c->next
> > *p = c->next;
> > xfree(c);
> > p = &(*p)->next
> > 
> > Signed-off-by: Andrew Vagin <avagin at virtuozzo.com>
> > ---
> >  criu/irmap.c | 11 +++++------
> >  1 file changed, 5 insertions(+), 6 deletions(-)
> > 
> > diff --git a/criu/irmap.c b/criu/irmap.c
> > index c93a995..b855353 100644
> > --- a/criu/irmap.c
> > +++ b/criu/irmap.c
> > @@ -189,7 +189,7 @@ static struct irmap *irmap_scan(struct irmap *t, unsigned int dev, unsigned long
> >  	return NULL;
> >  }
> >  
> > -static int irmap_revalidate(struct irmap *c, struct irmap **p)
> > +static int irmap_revalidate(struct irmap *c)
> >  {
> >  	struct stat st;
> >  	int mntns_root;
> > @@ -213,7 +213,6 @@ static int irmap_revalidate(struct irmap *c, struct irmap **p)
> >  
> >  invalid:
> >  	pr_debug("\t%x:%lx is invalid\n", c->dev, c->ino);
> > -	*p = c->next;
> 
> So the freed c stays in the cacheline?
> 
> >  	xfree(c->path);
> >  	xfree(c);
> >  	return 1;
> > @@ -223,7 +222,7 @@ static bool doing_predump = false;
> >  
> >  char *irmap_lookup(unsigned int s_dev, unsigned long i_ino)
> >  {
> > -	struct irmap *c, *h, **p;
> > +	struct irmap *c, *h, *n;
> >  	char *path = NULL;
> >  	int hv;
> >  	struct irmap_path_opt *o;
> > @@ -243,12 +242,12 @@ char *irmap_lookup(unsigned int s_dev, unsigned long i_ino)
> >  	timing_start(TIME_IRMAP_RESOLVE);
> >  
> >  	hv = irmap_hashfn(s_dev, i_ino);
> > -	for (p = &cache[hv]; *p; p = &(*p)->next) {
> > -		c = *p;
> > +	for (c = cache[hv], n = c ? c->next : NULL;
> > +				c; c = n, n = c ? c->next : NULL) {
> >  		if (!(c->dev == s_dev && c->ino == i_ino))
> >  			continue;
> >  
> > -		if (c->revalidate && irmap_revalidate(c, p))
> > +		if (c->revalidate && irmap_revalidate(c))
> >  			continue;
> >  
> >  		pr_debug("\tFound %s in cache\n", c->path);
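Review bot: The rewritten loop in this hunk precomputes `n` so that `c->next` is not read after `irmap_revalidate(c)` has freed `c`, but nothing in the loop rewrites the link that led to `c` (the `**p` cursor is gone from the declaration, and the `*p = c->next` unlink was dropped from irmap_revalidate), so whichever `next` field or `cache[hv]` slot pointed at `c` keeps pointing at freed memory and the next irmap_lookup on that bucket walks into it, unless something outside the hunk unlinks the node. The safer shape is to keep the predecessor cursor and simply not advance it when the current node was removed, since `*p` then already names the successor; this keeps the two-argument `irmap_revalidate(c, p)` from before the patch. The rest of the loop body after the `pr_debug` is outside the hunk and would need re-indenting under the match branch; if it falls through rather than breaking, the trailing `p = &c->next` preserves the old advance.
```c
	/* … unchanged: hv = irmap_hashfn(s_dev, i_ino); … */
	p = &cache[hv];
	while ((c = *p) != NULL) {
		if (c->dev == s_dev && c->ino == i_ino) {
			/*
			 * irmap_revalidate(c, p) unlinks c through p and frees it,
			 * so *p is already the successor: re-check the same slot
			 * instead of advancing past it.
			 */
			if (c->revalidate && irmap_revalidate(c, p))
				continue;

			pr_debug("\tFound %s in cache\n", c->path);
			/* … unchanged: rest of the found-in-cache path … */
		}
		p = &c->next;
	}
```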
> > 
> 

