Use-after-free error in rbd_add()

Use-after-free error in rbd_add()

[Bjorn Helgaas]

I think b536f69a3a5 "rbd: set up devices only for mapped images"
introduced a use-after-free error in rbd_add():

@@ -4964,9 +4960,12 @@ static ssize_t rbd_add(struct bus_type *bus,
        if (rc < 0)
                goto err_out_rbd_dev;

-       return count;
+       rc = rbd_dev_device_setup(rbd_dev);
+       if (!rc)
+               return count;
+
+       rbd_dev_image_release(rbd_dev);
 err_out_rbd_dev:
-       kfree(rbd_dev->header_name);
        rbd_dev_destroy(rbd_dev);

If rbd_dev_device_setup() returns an error, we call
rbd_dev_image_release(), which ultimately kfrees rbd_dev.  Then we
call rbd_dev_destroy(), which references fields in the already-freed
rbd_dev struct before kfreeing it again.

Found by Coverity (CID 1020653).

Bjorn

Re: Use-after-free error in rbd_add()

[Alex Elder]

On 05/09/2013 05:42 PM, Bjorn Helgaas wrote:
> I think b536f69a3a5 "rbd: set up devices only for mapped images"
> introduced a use-after-free error in rbd_add():
> 
> @@ -4964,9 +4960,12 @@ static ssize_t rbd_add(struct bus_type *bus,
>         if (rc < 0)
>                 goto err_out_rbd_dev;
> 
> -       return count;
> +       rc = rbd_dev_device_setup(rbd_dev);
> +       if (!rc)
> +               return count;
> +
> +       rbd_dev_image_release(rbd_dev);
>  err_out_rbd_dev:
> -       kfree(rbd_dev->header_name);
>         rbd_dev_destroy(rbd_dev);
> 
> If rbd_dev_device_setup() returns an error, we call
> rbd_dev_image_release(), which ultimately kfrees rbd_dev.  Then we
> call rbd_dev_destroy(), which references fields in the already-freed
> rbd_dev struct before kfreeing it again.

Thank you.  I think you're right, I'll try to
have a fix prepared tomorrow.

					-Alex

> Found by Coverity (CID 1020653).
> 
> Bjorn
>