On 08/31/2015 07:47 AM, Ilya Dryomov wrote:
> If rbd_dev_image_probe() in rbd_dev_probe_parent() fails, header_name
> is freed twice: once in rbd_dev_probe_parent() and then in its caller
> rbd_dev_image_probe() (rbd_dev_image_probe() is called recursively to
> handle parent images).
>
> rbd_dev_probe_parent() is responsible for probing the parent, so it
> shouldn't mock with clone's fields.

Agreed. (But I think you mean "muck with.")

The other argument is that the caller is who allocated it (via rbd_dev_header_name()), so it should be responsible for freeing it.

Reviewed-by: Alex Elder <elder@xxxxxxxxxx>

>
> Signed-off-by: Ilya Dryomov <idryomov@xxxxxxxxx>
> --- > drivers/block/rbd.c | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c > index bc67a93aa4f4..324bf35ec4dd 100644 > --- a/drivers/block/rbd.c > +++ b/drivers/block/rbd.c > @@ -5201,7 +5201,6 @@ static int rbd_dev_probe_parent(struct rbd_device *rbd_dev) > out_err: > if (parent) { > rbd_dev_unparent(rbd_dev); > - kfree(rbd_dev->header_name); > rbd_dev_destroy(parent); > } else { > rbd_put_client(rbdc);
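
Review bot: in the out_err block of rbd_dev_probe_parent(), once the kfree(rbd_dev->header_name) line is gone nothing at this site records who owns header_name, so the free could be reintroduced here later. A one-line comment in the if (parent) branch saying that the clone's header_name is released by the caller, rbd_dev_image_probe(), would document the ownership rule the commit message relies on. It is also worth confirming that the caller's error path sets rbd_dev->header_name to NULL after its own kfree(), so that any later teardown of the same rbd_dev does not see a stale pointer; that code is outside this hunk and cannot be checked from the lines shown.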