static check complains about potential oops in adfs_read_map()

From: Dan Carpenter
Date: Fri Jan 06 2012 - 06:45:25 EST


My static checker is complaining about a potential oops in adfs. I don't
know the code well enough to say if it's a real bug or what the correct
fix is.

fs/adfs/super.c
299 nzones = asb->s_map_size;
^^^^^^^^^^^^^^^
This could be zero. We read it from the disk. I don't see any place
where it's checked.

300 zone_size = (8 << dr->log2secsize) - le16_to_cpu(dr->zone_spare);
301 map_addr = (nzones >> 1) * zone_size -
302 ((nzones > 1) ? ADFS_DR_SIZE_BITS : 0);
303 map_addr = signed_asl(map_addr, asb->s_map2blk);
304
305 asb->s_ids_per_zone = zone_size / (asb->s_idlen + 1);
306
307 dm = kmalloc(nzones * sizeof(*dm), GFP_KERNEL);
308 if (dm == NULL) {
309 adfs_error(sb, "not enough memory");
310 return NULL;
311 }
312
313 for (zone = 0; zone < nzones; zone++, map_addr++) {
314 dm[zone].dm_startbit = 0;
315 dm[zone].dm_endbit = zone_size;
316 dm[zone].dm_startblk = zone * zone_size - ADFS_DR_SIZE_BITS;
317 dm[zone].dm_bh = sb_bread(sb, map_addr);
318
319 if (!dm[zone].dm_bh) {
320 adfs_error(sb, "unable to read map");
321 goto error_free;
322 }
323 }
324
325 /* adjust the limits for the first and last map zones */
326 i = zone - 1;
327 dm[0].dm_startblk = 0;
^^^^^
dm is the ZERO_SIZE_PTR so this would oops.

328 dm[0].dm_startbit = ADFS_DR_SIZE_BITS;
329 dm[i].dm_endbit = (le32_to_cpu(dr->disc_size_high) << (32 - dr->log2bpmb)) +
330 (le32_to_cpu(dr->disc_size) >> dr->log2bpmb) +
331 (ADFS_DR_SIZE_BITS - i * zone_size);

regards,
dan carpenter
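The hazard described above, as an added user-space C model that is not part of Dan's mail or the kernel tree: kmalloc(0) returns the non-NULL sentinel ZERO_SIZE_PTR, so the NULL check passes and the zero-trip loop leaves dm[0] pointing at the sentinel. The sentinel value, ADFS_DR_SIZE_BITS and the hardened read_map_checked() are assumptions; the struct field names follow the excerpt.

```c
#include <stdint.h>
#include <stdlib.h>
#include <errno.h>

/* Constructed model of the kernel convention: kmalloc(0) is non-NULL. */
#define ZERO_SIZE_PTR ((void *)16)
/* Assumed placeholder for the disc-record size in bits (60 bytes << 3). */
#define ADFS_DR_SIZE_BITS (60u << 3)

struct adfs_discmap {
    unsigned int dm_startbit;
    unsigned int dm_endbit;
    unsigned int dm_startblk;
};

static void *model_kmalloc(size_t size)
{
    return size == 0 ? ZERO_SIZE_PTR : malloc(size);
}

/* Mirrors the unchecked flow: NULL check passes for the sentinel, the loop
 * never runs, and the kernel code would then write dm[0].  Returns 1 where
 * the real code would oops instead of performing the write. */
static int unchecked_would_oops(unsigned int nzones)
{
    struct adfs_discmap *dm = model_kmalloc((size_t)nzones * sizeof(*dm));
    if (dm == NULL)
        return -ENOMEM;
    if (dm == ZERO_SIZE_PTR)
        return 1;          /* dm[0].dm_startblk = 0 would fault here */
    free(dm);
    return 0;
}

/* Hardened variant: reject the disk-supplied count before allocating. */
static struct adfs_discmap *read_map_checked(unsigned int nzones, unsigned int zone_size)
{
    struct adfs_discmap *dm;
    unsigned int zone;

    if (nzones == 0 || zone_size == 0 || nzones > SIZE_MAX / sizeof(*dm))
        return NULL;       /* zero zones, empty zone, or size overflow */
    dm = malloc((size_t)nzones * sizeof(*dm));
    if (dm == NULL)
        return NULL;
    for (zone = 0; zone < nzones; zone++) {
        dm[zone].dm_startbit = 0;
        dm[zone].dm_endbit = zone_size;
        dm[zone].dm_startblk = zone * zone_size - ADFS_DR_SIZE_BITS;
    }
    dm[0].dm_startblk = 0;               /* safe: nzones >= 1 guaranteed */
    dm[0].dm_startbit = ADFS_DR_SIZE_BITS;
    return dm;
}
```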