On 28. 03. 22, 12:27, Xiaomeng Tong wrote:
On Mon, 28 Mar 2022 12:09:59 +0200, Jiri Slaby wrote:
On 28. 03. 22, 11:35, Xiaomeng Tong wrote:
The bug is here: if (s->len != flen) {
The list iterator 's' will point to a bogus position containing HEAD if the list is empty or no element is found.
Could you also explain how that can happen?
When list_for_each_entry_* does not exit early (if the list is empty or no break/goto/return is hit inside the loop), it will set pos ('s' here) to a bogus pointer that points to an invalid struct computed based on &HEAD using container_of.
#define list_for_each_entry(pos, head, member)				\
	for (pos = list_first_entry(head, typeof(*pos), member);	\
	     !list_entry_is_head(pos, head, member);			\
	     pos = list_next_entry(pos, member))
No, I didn't mean what happens on that site on the code level. I think everyone understands that. Instead, I meant: what circumstances lead to this _situation_ in reality?
thanks,
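To make the failure mode discussed in the thread concrete, here is an added example that is not code from the thread, from Xiaomeng Tong, Jiri Slaby or the kernel. It reimplements a minimal intrusive list in the style of <linux/list.h> (the list_for_each_entry() macro is the one quoted above; the struct 'item' with its 'len' field, the list helpers and the lookup functions are assumptions constructed for the demo). It shows that when the loop runs to completion, 's' is container_of(head), an address computed from the list head rather than a real element, and it shows the usual fix of handing out a separate pointer that stays NULL unless a match was found.

```c
/* Added example (not kernel code): minimal list.h-style intrusive list,
 * reimplemented here to show why 'pos' is bogus after a
 * list_for_each_entry() loop that never hits a break. */
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

#define INIT_LIST_HEAD(h) do { (h)->next = (h); (h)->prev = (h); } while (0)

static void list_add_tail(struct list_head *entry, struct list_head *head)
{
	entry->prev = head->prev;
	entry->next = head;
	head->prev->next = entry;
	head->prev = entry;
}

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)
#define list_first_entry(head, type, member) list_entry((head)->next, type, member)
#define list_next_entry(pos, member) \
	list_entry((pos)->member.next, __typeof__(*(pos)), member)
#define list_entry_is_head(pos, head, member) (&(pos)->member == (head))

#define list_for_each_entry(pos, head, member)				\
	for (pos = list_first_entry(head, __typeof__(*pos), member);	\
	     !list_entry_is_head(pos, head, member);			\
	     pos = list_next_entry(pos, member))

/* Hypothetical element type carrying the 'len' field the thread talks about. */
struct item { int len; struct list_head node; };

/* Buggy pattern: the iterator is used after the loop. When nothing matched,
 * 's' is container_of(head), a pointer into whatever memory sits before the
 * list head, so s->len would read garbage. The pointer is returned (never
 * dereferenced here) so the caller can compare it to the bogus address. */
static struct item *find_len_buggy(struct list_head *head, int flen)
{
	struct item *s;
	list_for_each_entry(s, head, node)
		if (s->len == flen)
			break;
	return s;	/* bogus when the loop ran to completion */
}

/* Fixed pattern: keep the iterator inside the loop and return a separate
 * pointer that is NULL unless a match was found. */
static struct item *find_len_fixed(struct list_head *head, int flen)
{
	struct item *s, *found = NULL;
	list_for_each_entry(s, head, node) {
		if (s->len == flen) {
			found = s;
			break;
		}
	}
	return found;
}

/* True if 'p' is the container_of(head) value rather than a real element. */
static int is_bogus_head_entry(struct item *p, struct list_head *head)
{
	return p == container_of(head, struct item, node);
}

/* Constructed three-element list used by the checks below. */
static void build_list(struct list_head *head, struct item items[3])
{
	INIT_LIST_HEAD(head);
	for (int i = 0; i < 3; i++) {
		items[i].len = 4 << i;	/* 4, 8, 16 */
		list_add_tail(&items[i].node, head);
	}
}

/* Returns 1 if the buggy lookup finds a present length but yields the bogus
 * head-derived pointer for an absent one. */
static int buggy_lookup_yields_bogus(void)
{
	struct list_head head;
	struct item items[3];
	build_list(&head, items);
	return find_len_buggy(&head, 8) == &items[1] &&
	       is_bogus_head_entry(find_len_buggy(&head, 99), &head);
}

/* Returns 1 if the fixed lookup finds a present length and gives NULL for an
 * absent one. */
static int fixed_lookup_yields_null(void)
{
	struct list_head head;
	struct item items[3];
	build_list(&head, items);
	return find_len_fixed(&head, 8) == &items[1] &&
	       find_len_fixed(&head, 99) == NULL;
}

int main(void)
{
	printf("buggy lookup returns container_of(head) on miss: %d\n",
	       buggy_lookup_yields_bogus());
	printf("fixed lookup returns NULL on miss: %d\n",
	       fixed_lookup_yields_null());
	return 0;
}
```

Build with gcc or clang; __typeof__ is used instead of typeof so the file also compiles under a strict -std=c11 flag. The check for the bug is a pointer comparison only: the point of the demo is that the miss case produces an address derived from the list head, and that reading ->len through it is exactly what the "if (s->len != flen)" line in the thread would do.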