Coverity 9654, 9654: Use After Free

Because vmem_free() was implemented as a macro using the ',' operator to evaluate both arguments and we performed the free before evaluating size we would deference the free'd pointer. To resolve the problem we just invert the ordering and evaluate size first just as if it was evaluated by the caller when being passed to this function. This ensure that if the caller is doing something reckless like performing an assignment as part of the size argument we still perform it and it simply doesn't get removed by the macro. Oh course nobody should be doing this sort of thing, but just in case.
author: Brian Behlendorf <[email protected]> 2009-02-17 16:41:08 -0800
committer: Brian Behlendorf <[email protected]> 2009-02-17 16:51:19 -0800
commit: bb01879ebe5ba5d8e2c2177d3b1ce0272c17ce07 (patch)
tree: 16e10d8677454c210b6a86c2eef22450af640a0a /include/sys/kmem.h
parent: 15dc8b072e77cf69b36e3df94782af4801d5e8cc (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/include/sys/kmem.h b/include/sys/kmem.h
index cad652c91..278039ec9 100644
--- a/include/sys/kmem.h
+++ b/include/sys/kmem.h
@@ -147,7 +147,7 @@ extern void vmem_free_debug(void *ptr, size_t size);
                 memset(_ptr_, 0, (size));                                     \
         _ptr_;                                                                \
 })
-# define vmem_free(ptr, size)           (vfree(ptr), (void)(size))
+# define vmem_free(ptr, size)           ((void)(size), vfree(ptr))
 
 #endif /* DEBUG_KMEM */
author	Brian Behlendorf <[email protected]>	2009-02-17 16:41:08 -0800
committer	Brian Behlendorf <[email protected]>	2009-02-17 16:51:19 -0800
commit	bb01879ebe5ba5d8e2c2177d3b1ce0272c17ce07 (patch)
tree	16e10d8677454c210b6a86c2eef22450af640a0a /include/sys/kmem.h
parent	15dc8b072e77cf69b36e3df94782af4801d5e8cc (diff)