Hello Roger Pau Monne,

The patch 4d4f270f1880: "xen-blkback: move free persistent grants code" from Nov 16, 2012, leads to the following warning:
drivers/block/xen-blkback/blkback.c:238 free_persistent_gnts()
         warn: 'persistent_gnt' was already freed.

drivers/block/xen-blkback/blkback.c
   232          pages[segs_to_unmap] = persistent_gnt->page;
   233          rb_erase(&persistent_gnt->node, root);
   234          kfree(persistent_gnt);
                ^^^^^^^^^^^^^^^^^^^^
                kfree();
   235          num--;
   236
   237          if (++segs_to_unmap == BLKIF_MAX_SEGMENTS_PER_REQUEST ||
   238              !rb_next(&persistent_gnt->node)) {
                             ^^^^^^^^^^^^^^^^^^^^^
                Dereferenced inside the call to rb_next().
   239                  ret = gnttab_unmap_refs(unmap, NULL, pages,
   240                                          segs_to_unmap);

regards,
dan carpenter
On Tue, Dec 04, 2012 at 12:11:48AM +0300, Dan Carpenter wrote:
> Hello Roger Pau Monne,
>
> The patch 4d4f270f1880: "xen-blkback: move free persistent grants
> code" from Nov 16, 2012, leads to the following warning:
> drivers/block/xen-blkback/blkback.c:238 free_persistent_gnts()
>          warn: 'persistent_gnt' was already freed.
>
> drivers/block/xen-blkback/blkback.c
>    232          pages[segs_to_unmap] = persistent_gnt->page;
>    233          rb_erase(&persistent_gnt->node, root);
>    234          kfree(persistent_gnt);
>                 ^^^^^^^^^^^^^^^^^^^^
>                 kfree();
>

Also, persistent_gnt is the list iterator inside a foreach_grant() loop. It needs a _safe() version, like list_for_each_safe(), which saves the next entry in the list at the start so we don't dereference a freed entry.

regards,
dan carpenter
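An added illustration of the save-the-successor-first pattern described in the report (constructed for this page; it is neither xen-blkback code nor the upstream fix): a small binary search tree whose node_next() walks in-order like rb_next(), with a free loop that reads the successor before each free(), so the erase/free/next sequence from the warning never touches freed memory. The names gnt_node, node_next, erase_first and free_all_safe are assumptions made for this example.

```c
#include <stdlib.h>
/* Constructed example, not xen-blkback code: plain BST with parent pointers
 * whose node_next() does the same in-order walk as the kernel's rb_next(). */
struct gnt_node { struct gnt_node *left, *right, *parent; unsigned int gref; };
static struct gnt_node *node_first(struct gnt_node *n)
{
	while (n && n->left)
		n = n->left;
	return n;
}
/* In-order successor: reads n->right and n->parent, so n must still be live. */
static struct gnt_node *node_next(struct gnt_node *n)
{
	if (n->right)
		return node_first(n->right);
	while (n->parent && n == n->parent->right)
		n = n->parent;
	return n->parent;
}
/* Returns 0 on success, -1 if the allocation fails. */
static int tree_insert(struct gnt_node **root, unsigned int gref)
{
	struct gnt_node **p = root, *parent = NULL, *nn = calloc(1, sizeof(*nn));
	if (!nn)
		return -1;
	for (; *p; p = gref < (*p)->gref ? &(*p)->left : &(*p)->right)
		parent = *p;
	nn->gref = gref, nn->parent = parent;
	*p = nn;
	return 0;
}
/* Unlink the in-order first node, which has no left child (rb_erase() analogue). */
static void erase_first(struct gnt_node **root, struct gnt_node *n)
{
	*(n->parent ? &n->parent->left : root) = n->right;
	if (n->right)
		n->right->parent = n->parent;
}
/* Free every node, saving the successor before free() so the loop never reads
 * freed memory (node_next(n) after free(n) is the reported bug). Returns the count. */
static unsigned int free_all_safe(struct gnt_node **root)
{
	struct gnt_node *n, *next; unsigned int freed = 0;
	for (n = node_first(*root); n; n = next, freed++) {
		next = node_next(n);	/* taken while n is still valid */
		erase_first(root, n);
		free(n);
	}
	return freed;
}
```

Running the same loop under AddressSanitizer or valgrind with node_next(n) moved after free(n) reports the read of freed memory that the static checker flagged.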