summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorIlya Dryomov <idryomov@gmail.com>2015-08-31 15:21:39 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2015-10-27 09:45:59 +0900
commitd11f754e68258c46d07b1e48ba1e4bf69a802637 (patch)
tree896b722a0101f56ee64c08d0c73c7afb3039dc54
parent9e7042c2fffcd110d4265f6b258f22175673c28f (diff)
downloadlwn-d11f754e68258c46d07b1e48ba1e4bf69a802637.tar.gz
lwn-d11f754e68258c46d07b1e48ba1e4bf69a802637.zip
rbd: fix double free on rbd_dev->header_name
commit 3ebe138ac642a195c7f2efdb918f464734421fd6 upstream. If rbd_dev_image_probe() in rbd_dev_probe_parent() fails, header_name is freed twice: once in rbd_dev_probe_parent() and then in its caller rbd_dev_image_probe() (rbd_dev_image_probe() is called recursively to handle parent images). rbd_dev_probe_parent() is responsible for probing the parent, so it shouldn't muck with clone's fields. Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Reviewed-by: Alex Elder <elder@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/block/rbd.c1
1 files changed, 0 insertions, 1 deletions
diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index b583773e4ecb..2ea515509ca6 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -4851,7 +4851,6 @@ static int rbd_dev_probe_parent(struct rbd_device *rbd_dev)
out_err:
if (parent) {
rbd_dev_unparent(rbd_dev);
- kfree(rbd_dev->header_name);
rbd_dev_destroy(parent);
} else {
rbd_put_client(rbdc);