diff options
| author | Ilya Dryomov <idryomov@gmail.com> | 2015-08-31 15:21:39 +0300 |
|---|---|---|
| committer | Jiri Slaby <jslaby@suse.cz> | 2015-10-28 16:38:24 +0100 |
| commit | 7371373f99d12bfec44b011434525135fd526543 (patch) | |
| tree | bef9405ff9d656f21b58e857e4171a688a789f0f | |
| parent | 2fd9f839bad45c329b9362ed653db5a627309e12 (diff) | |
| download | lwn-7371373f99d12bfec44b011434525135fd526543.tar.gz lwn-7371373f99d12bfec44b011434525135fd526543.zip | |
rbd: fix double free on rbd_dev->header_name
commit 3ebe138ac642a195c7f2efdb918f464734421fd6 upstream.
If rbd_dev_image_probe() in rbd_dev_probe_parent() fails, header_name
is freed twice: once in rbd_dev_probe_parent() and then in its caller
rbd_dev_image_probe() (rbd_dev_image_probe() is called recursively to
handle parent images).
rbd_dev_probe_parent() is responsible for probing the parent, so it
shouldn't muck with clone's fields.
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
| -rw-r--r-- | drivers/block/rbd.c | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c index 63ff17fc23df..66f632730969 100644 --- a/drivers/block/rbd.c +++ b/drivers/block/rbd.c @@ -4868,7 +4868,6 @@ static int rbd_dev_probe_parent(struct rbd_device *rbd_dev) out_err: if (parent) { rbd_dev_unparent(rbd_dev); - kfree(rbd_dev->header_name); rbd_dev_destroy(parent); } else { rbd_put_client(rbdc); |