Commit 56e509c8 authored by Marcin Spiewak's avatar Marcin Spiewak Committed by Konrad Sztyber
Browse files

module/fsdev/aio: fixed 'use after free' error 



Fixed issues detected by Coverity.

The file_handle_delete(fhandle) function, which frees memory
pointed by 'fhandle', was called before the 'fhandle' was
printed by SPDK_DEBUGLOG(). This caused that Coverity scan
detected 'use after free' error. Now file_handle_delete(fhandle)
is called after the pointer value is printed, so this shall
remove the error. Changing the order of calls will not change
anything in this case, but shall keep the Coverity happy.

BTW, printing the pointer value after the memory pointed by it
is freed shall be harmless, but let's keep the code clean and try
to avoid future error/warnings generated by scan tools.

Change-Id: Ie0c407befe77984704bf7d3533271297d70bf259
Signed-off-by: default avatarMarcin Spiewak <marcin.spiewak@intel.com>
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/24632


Reviewed-by: default avatarKonrad Sztyber <konrad.sztyber@intel.com>
Tested-by: default avatarSPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: default avatarChangpeng Liu <changpeliu@tencent.com>
Community-CI: Mellanox Build Bot
parent 5c782a70

module/fsdev/aio/fsdev_aio.c

+5 −10
Original line number Diff line number Diff line
@@ -453,16 +453,10 @@ lo_releasedir(struct spdk_io_channel *ch, struct spdk_fsdev_io *fsdev_io) 
		return -EINVAL;

	}



	file_handle_delete(fhandle);



	/*

	 * scan-build doesn't understand that we only print the value of an already

	 * freed pointer and falsely reports "Use of memory after it is freed" here.

	 */

#ifndef __clang_analyzer__

	SPDK_DEBUGLOG(fsdev_aio, "RELEASEDIR succeeded for " FOBJECT_FMT " (fh=%p)\n",

		      FOBJECT_ARGS(fobject), fhandle);

#endif



	file_handle_delete(fhandle);



	return 0;

}
@@ -1029,10 +1023,11 @@ lo_release(struct spdk_io_channel *ch, struct spdk_fsdev_io *fsdev_io) 
		return -EINVAL;

	}



	file_handle_delete(fhandle);



	SPDK_DEBUGLOG(fsdev_aio, "RELEASE succeeded for " FOBJECT_FMT " fh=%p)\n",

		      FOBJECT_ARGS(fobject), fhandle);



	file_handle_delete(fhandle);



	return 0;

}