Re: [PATCH] UBI: dereference after kfree in create_vtbl

From: Artem Bityutskiy
Date: Sat May 05 2007 - 12:19:49 EST


On Sat, 2007-05-05 at 19:02 +0530, Satyam Sharma wrote:
> > write_error:
> > 	if (err == -EIO && ++tries <= 5) {
> > 		/*
> > 		 * Probably this physical eraseblock went bad, try to pick
> > 		 * another one.
> > 		 */
> > 		list_add_tail(&new_seb->u.list, &si->corr);
> > 		goto retry;
> > 	}
> > 	kfree(new_seb);
> > out_free:
> > 	ubi_free_vid_hdr(ubi, vid_hdr);
> > 	return err;
>
> Ummm ...
>
> 1. "if (err == -EIO)" applies to adding new_seb to the corrupted list,
> and not to retrying. We wouldn't want _not_ to retry if there's some
> other error, or would we?

In case of other error - no, we do not want to retry. Only in case of
-EIO because we just might have hit a new badblock, which is unlikely,
but possible.

If it is anything else than -EIO, then we just return an error and
_refuse_ to attach this MTD device. In this case it does not matter
where we add new_seb. We just drop it. We free all allocated data
structures.

> 2. "if (++tries <= 5)" applies to "goto retry" and not to adding
> new_seb to the corrupted list. If we hit write failure for the 5th
> time and err == -EIO, we should still be adding it to corrupted list,
> but not retry, of course. Otherwise we would add the first 4 write
> failure (with -EIO) eraseblocks to si->corr, but the 5th _similar_
> case is ... just freed?

If we hit -EIO more than five times, there is probably something _really
bad_ with this MTD device and we _refuse_ attaching it. We return error,
and every data structure is freed. It does not matter if we add new_seb
anywhere or not. It is anyway just freed.

--
Best regards,
Artem Bityutskiy (Битюцкий Артём)
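The write_error path Artem describes, modelled as an added C example (not UBI's own code; struct seb, struct scan_info and fake_write are constructed stand-ins): -EIO puts new_seb on si->corr and retries with the next block, while any other error, or a sixth -EIO, frees new_seb and returns the error so the attach is refused.

```c
#include <errno.h>
#include <stdlib.h>
/* Hypothetical stand-ins for the UBI scanning structures in the quoted code. */
struct seb { int pnum; struct seb *next; };
struct scan_info { struct seb *corr; int ncorr; };
/* Constructed write stub: a nonzero other_err fails every write with it;
 * otherwise the first n_bad physical eraseblocks fail with -EIO. */
static int fake_write(int pnum, int n_bad, int other_err)
{
    if (other_err) return other_err;
    return pnum < n_bad ? -EIO : 0;
}
/* Model of the quoted write_error path: -EIO moves new_seb to si->corr and
 * retries with the next block (at most 5 times); any other error, or a
 * sixth -EIO, frees new_seb and returns err so the attach is refused. */
static int create_vtbl_model(struct scan_info *si, int n_bad, int other_err)
{
    int tries = 0, pnum = 0, err;
    struct seb *new_seb;
retry:
    new_seb = malloc(sizeof(*new_seb));
    if (!new_seb) return -ENOMEM;
    new_seb->pnum = pnum++;
    err = fake_write(new_seb->pnum, n_bad, other_err);
    if (err) goto write_error;
    free(new_seb);   /* written; the real code keeps it on a volume list */
    return 0;
write_error:
    if (err == -EIO && ++tries <= 5) {
        new_seb->next = si->corr;   /* probably a new bad block: mark it */
        si->corr = new_seb;
        si->ncorr++;
        goto retry;
    }
    free(new_seb);   /* not referenced again after this point */
    return err;
}
/* Run one scenario: return err, report how many blocks landed on si->corr. */
static int run(int n_bad, int other_err, int *ncorr)
{
    struct scan_info si = { 0, 0 };
    int err = create_vtbl_model(&si, n_bad, other_err);
    *ncorr = si.ncorr;
    while (si.corr) { struct seb *n = si.corr->next; free(si.corr); si.corr = n; }
    return err;
}
int model_err(int n_bad, int other_err) { int n; return run(n_bad, other_err, &n); }
int model_ncorr(int n_bad, int other_err) { int n; run(n_bad, other_err, &n); return n; }
```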
