Showing error 1678

User: Jiri Slaby
Error type: Invalid Pointer Dereference
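Error type description: A pointer which is invalid is being dereferenced. In the excerpt below, the only guard before the dereference at line 516 is the IS_ERR() check at line 511, and IS_ERR() is false for NULL; if rxrpc_alloc_connection() can return NULL on allocation failure (its definition is not shown here), that NULL would reach line 516.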
File location: net/rxrpc/ar-connection.c
Line in file: 516
Project: Linux Kernel
Project version: 2.6.28
Confirmation: Fixed by 0975ecba3b670df7c488a5e0e6fe9f1f370a8ad8
Tools: Smatch (1.59)
Entered: 2013-09-10 07:54:05 UTC


Source:

486                        if (!(gfp & __GFP_WAIT)) {
487                                _leave(" = -EAGAIN");
488                                return -EAGAIN;
489                        }
490
491                        add_wait_queue(&bundle->chanwait, &myself);
492                        for (;;) {
493                                set_current_state(TASK_INTERRUPTIBLE);
494                                if (bundle->num_conns < 20 ||
495                                    !list_empty(&bundle->unused_conns) ||
496                                    !list_empty(&bundle->avail_conns))
497                                        break;
498                                if (signal_pending(current))
499                                        goto interrupted_dequeue;
500                                schedule();
501                        }
502                        remove_wait_queue(&bundle->chanwait, &myself);
503                        __set_current_state(TASK_RUNNING);
504                        spin_lock(&trans->client_lock);
505                        continue;
506                }
507
508                /* not yet present - create a candidate for a new connection and then
509                 * redo the check */
510                candidate = rxrpc_alloc_connection(gfp);
511                if (IS_ERR(candidate)) {
512                        _leave(" = %ld", PTR_ERR(candidate));
513                        return PTR_ERR(candidate);
514                }
515
516                candidate->trans = trans;
517                candidate->bundle = bundle;
518                candidate->service_id = bundle->service_id;
519                candidate->epoch = rxrpc_epoch;
520                candidate->in_clientflag = 0;
521                candidate->out_clientflag = RXRPC_CLIENT_INITIATED;
522                candidate->cid = 0;
523                candidate->state = RXRPC_CONN_CLIENT;
524                candidate->avail_calls = RXRPC_MAXCALLS;
525                candidate->security_level = rx->min_sec_level;
526                candidate->key = key_get(bundle->key);