On 05/09/2013 05:42 PM, Bjorn Helgaas wrote:
> I think b536f69a3a5 "rbd: set up devices only for mapped images"
> introduced a use-after-free error in rbd_add():
>
> @@ -4964,9 +4960,12 @@ static ssize_t rbd_add(struct bus_type *bus,
> if (rc < 0)
> goto err_out_rbd_dev;
>
> - return count;
> + rc = rbd_dev_device_setup(rbd_dev);
> + if (!rc)
> + return count;
> +
> + rbd_dev_image_release(rbd_dev);
> err_out_rbd_dev:
> - kfree(rbd_dev->header_name);
> rbd_dev_destroy(rbd_dev);
>
> If rbd_dev_device_setup() returns an error, we call
> rbd_dev_image_release(), which ultimately kfrees rbd_dev. Then we
> call rbd_dev_destroy(), which references fields in the already-freed
> rbd_dev struct before kfreeing it again.

Thank you. I think you're right, I'll try to have a fix prepared tomorrow.

-Alex

> Found by Coverity (CID 1020653).
>
> Bjorn

--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
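Review bot: the error path in the quoted hunk releases rbd_dev twice: when rbd_dev_device_setup() fails, the new `+ rbd_dev_image_release(rbd_dev);` line (which, per the report, ultimately kfrees rbd_dev) falls straight through into `err_out_rbd_dev:` and `rbd_dev_destroy(rbd_dev);` then reads fields of and frees the already-freed struct. Suggest not sharing the label with the image-release path, either by returning rc immediately after rbd_dev_image_release(rbd_dev) or by jumping to a label placed after rbd_dev_destroy(), so that exactly one owner tears rbd_dev down on each path. The hunk also drops `- kfree(rbd_dev->header_name);` without showing where header_name is now freed; worth confirming that rbd_dev_destroy() or rbd_dev_image_release() takes that over, otherwise this introduces a leak on the existing `goto err_out_rbd_dev` path.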