I think b536f69a3a5 "rbd: set up devices only for mapped images" introduced a use-after-free error in rbd_add():

@@ -4964,9 +4960,12 @@ static ssize_t rbd_add(struct bus_type *bus, if (rc < 0) goto err_out_rbd_dev; - return count; + rc = rbd_dev_device_setup(rbd_dev); + if (!rc) + return count; + + rbd_dev_image_release(rbd_dev); err_out_rbd_dev: - kfree(rbd_dev->header_name); rbd_dev_destroy(rbd_dev);

If rbd_dev_device_setup() returns an error, we call rbd_dev_image_release(), which ultimately kfrees rbd_dev. Then we call rbd_dev_destroy(), which references fields in the already-freed rbd_dev struct before kfreeing it again.

Found by Coverity (CID 1020653).

Bjorn
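
Review bot: In rbd_add(), the new failure path for rbd_dev_device_setup() has no return or goto after `rbd_dev_image_release(rbd_dev);`, so it falls through the `err_out_rbd_dev:` label into `rbd_dev_destroy(rbd_dev);`. Per the report, rbd_dev_image_release() already ends up freeing rbd_dev, so the fall-through makes rbd_dev_destroy() read from freed memory and free it a second time. Suggest leaving the function right after the release (for example `return rc;`, or a goto to a label placed below rbd_dev_destroy()), while keeping any cleanup after the label that the release does not already cover; that part is not visible in this hunk. A short comment at the release call noting that it consumes rbd_dev would help keep later edits to this error path from reintroducing the fall-through.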