diff options
author | Ilya Dryomov <idryomov@gmail.com> | 2016-05-16 13:18:57 +0200 |
---|---|---|
committer | Ilya Dryomov <idryomov@gmail.com> | 2016-05-26 00:36:20 +0200 |
commit | 663ae2cc04773608e1e741f693e41200fd4faf14 (patch) | |
tree | a466793ccab81b82ae6bc36440db64bb0e6c512a /drivers/block | |
parent | 2dcd0af568b0cf583645c8a317dd12e344b1c72a (diff) | |
download | op-kernel-dev-663ae2cc04773608e1e741f693e41200fd4faf14.zip op-kernel-dev-663ae2cc04773608e1e741f693e41200fd4faf14.tar.gz |
rbd: get/put img_request in rbd_img_request_submit()
By the time we get to checking for_each_obj_request_safe(img_request)
terminating condition, all obj_requests may be complete and img_request
ref, that rbd_img_request_submit() takes away from its caller, may be
put. Moving the next_obj_request cursor is then a use-after-free on
img_request.
It's totally benign, as the value that's read is never used, but
I think it's still worth fixing.
Cc: Alex Elder <elder@linaro.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Diffstat (limited to 'drivers/block')
-rw-r--r-- | drivers/block/rbd.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c index 0ede6d7..c3089f3 100644 --- a/drivers/block/rbd.c +++ b/drivers/block/rbd.c @@ -2973,17 +2973,20 @@ static int rbd_img_request_submit(struct rbd_img_request *img_request) { struct rbd_obj_request *obj_request; struct rbd_obj_request *next_obj_request; + int ret = 0; dout("%s: img %p\n", __func__, img_request); - for_each_obj_request_safe(img_request, obj_request, next_obj_request) { - int ret; + rbd_img_request_get(img_request); + for_each_obj_request_safe(img_request, obj_request, next_obj_request) { ret = rbd_img_obj_request_submit(obj_request); if (ret) - return ret; + goto out_put_ireq; } - return 0; +out_put_ireq: + rbd_img_request_put(img_request); + return ret; } static void rbd_img_parent_read_callback(struct rbd_img_request *img_request) |