Jeff Mahoney wrote:
>
> Hi Hans -
>
> I've been playing around with the Coverity code checker, and while I
> think it still sees a few too many false positives, it's a good tool.

Thanks for doing that work! If you could do it for V4, that would be great too. If not, maybe Edward could do it.

> Anyway, one of the potential bugs it came up with in reiserfs was this
> one:
>
> struct tree_balance contains a number of arrays of size MAX_HEIGHT (5).
> In fix_nodes(), line 2502, we see:
>
>     p_s_tb->insert_size[n_h + 1] =
>         (DC_SIZE + KEY_SIZE) * (p_s_tb->blknum[n_h] - 1);
>
> I haven't run a thorough analysis, but is it possible for n_h to be 4
> there, and then n_h + 1 would be 5, overrunning into the next field of
> struct tree_balance? The tool seems to think so, but it also thought
> that not checking that dentry->d_inode != NULL after calling
> inode->i_op->mkdir was invalid, even though a successful return value
> implies that dentry->d_inode != NULL.

I'll let vs answer this.

> -Jeff
>
> --
> Jeff Mahoney
> SUSE Labs
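Added illustration of the index arithmetic the checker flagged; this is not reiserfs code and not from anyone in the thread. The struct below is a constructed stand-in with the layout the report describes (arrays of MAX_HEIGHT = 5 followed by a further field); DC_SIZE and KEY_SIZE are hypothetical placeholder values, and the question of whether n_h can actually reach 4 at that call site is left open exactly as in the thread. The example shows which values of n_h keep `insert_size[n_h + 1]` in range, where an unguarded write at n_h = 4 would land, and a guarded form of the assignment that rejects the out-of-range case.

```c
/* Constructed model of a height-indexed balance struct (not reiserfs). */
#include <stddef.h>
#include <stdio.h>

#define MAX_HEIGHT 5     /* array size named in the thread */
#define DC_SIZE    16    /* hypothetical placeholder; real value not on the page */
#define KEY_SIZE   16    /* hypothetical placeholder; real value not on the page */

/* Two MAX_HEIGHT arrays followed by another field, so an index of
 * MAX_HEIGHT into insert_size lands on next_field. */
struct tb_model {
    int blknum[MAX_HEIGHT];
    int insert_size[MAX_HEIGHT];
    int next_field;
};

/* 1 if writing insert_size[n_h + 1] stays inside the array, else 0.
 * n_h + 1 < MAX_HEIGHT  <=>  n_h <= MAX_HEIGHT - 2, i.e. n_h <= 3 here. */
static int insert_index_in_bounds(int n_h)
{
    return n_h >= 0 && n_h + 1 < MAX_HEIGHT;
}

/* Guarded form of the flagged assignment.
 * Returns 0 on success, -1 if the write would overrun insert_size. */
static int set_insert_size(struct tb_model *tb, int n_h)
{
    if (!insert_index_in_bounds(n_h))
        return -1;
    tb->insert_size[n_h + 1] = (DC_SIZE + KEY_SIZE) * (tb->blknum[n_h] - 1);
    return 0;
}

/* Byte offset within the struct that an unguarded write at n_h + 1 hits. */
static size_t overrun_offset(int n_h)
{
    return offsetof(struct tb_model, insert_size) + (size_t)(n_h + 1) * sizeof(int);
}

int main(void)
{
    struct tb_model tb = { {2, 3, 4, 5, 6}, {0}, 0 };   /* constructed sample */

    for (int h = 0; h < MAX_HEIGHT; h++)
        printf("n_h=%d -> %s\n", h,
               set_insert_size(&tb, h) == 0 ? "ok" : "rejected (would overrun)");

    printf("unguarded n_h=4 writes at offset %zu; next_field is at offset %zu\n",
           overrun_offset(4), offsetof(struct tb_model, next_field));
    return 0;
}
```

With this layout the offsets coincide for n_h = 4, which is the overrun the report describes; whether fix_nodes() can reach that value is a question about the caller's invariants, not about the arithmetic.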