[PATCH] rbd: fix double free on rbd_dev->header_name

* [PATCH] rbd: fix double free on rbd_dev->header_name
@ 2015-08-31 12:47 Ilya Dryomov
  2015-09-01 12:26 ` Alex Elder
  0 siblings, 1 reply; 2+ messages in thread
From: Ilya Dryomov @ 2015-08-31 12:47 UTC (permalink / raw)
  To: ceph-devel

If rbd_dev_image_probe() in rbd_dev_probe_parent() fails, header_name
is freed twice: once in rbd_dev_probe_parent() and then in its caller
rbd_dev_image_probe() (rbd_dev_image_probe() is called recursively to
handle parent images).

rbd_dev_probe_parent() is responsible for probing the parent, so it
shoudn't mock with clone's fields.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
---
 drivers/block/rbd.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index bc67a93aa4f4..324bf35ec4dd 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -5201,7 +5201,6 @@ static int rbd_dev_probe_parent(struct rbd_device *rbd_dev)
 out_err:
 	if (parent) {
 		rbd_dev_unparent(rbd_dev);
-		kfree(rbd_dev->header_name);
 		rbd_dev_destroy(parent);
 	} else {
 		rbd_put_client(rbdc);
-- 
1.9.3


^ permalink raw reply related	[flat|nested] 2+ messages in thread