diff options
author | Alex Elder <elder@inktank.com> | 2013-05-13 20:35:37 -0500 |
---|---|---|
committer | Alex Elder <elder@inktank.com> | 2013-05-17 12:50:10 -0500 |
commit | 3abef3b3585bbc67d56fdc9c67761a900fb4b69d (patch) | |
tree | d94c9555797c77e4c92f2fea22049a962af48de9 /fs/ceph | |
parent | 7262cfca430a1a0e0707149af29ae86bc0ded230 (diff) | |
download | op-kernel-dev-3abef3b3585bbc67d56fdc9c67761a900fb4b69d.zip op-kernel-dev-3abef3b3585bbc67d56fdc9c67761a900fb4b69d.tar.gz |
rbd: fix cleanup in rbd_add()
Bjorn Helgaas pointed out that a recent commit introduced a
use-after-free condition in an error path for rbd_add().
He correctly stated:
I think b536f69a3a5 "rbd: set up devices only for mapped images"
introduced a use-after-free error in rbd_add():
...
If rbd_dev_device_setup() returns an error, we call
rbd_dev_image_release(), which ultimately kfrees rbd_dev.
Then we call rbd_dev_destroy(), which references fields in
the already-freed rbd_dev struct before kfreeing it again.
The simple fix is to return the error code after the call to
rbd_dev_image_release().
Closer examination revealed that there's no need to clean up
rbd_opts in that function, so fix that too.
Update some other comments that have also become out of date.
Reported-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Alex Elder <elder@inktank.com>
Reviewed-by: Josh Durgin <josh.durgin@inktank.com>
Diffstat (limited to 'fs/ceph')
0 files changed, 0 insertions, 0 deletions