From: Nigel Cunningham <nigel@nigelcunningham.com.au>
To: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: [PATCH] Re: New Defect(s) reported by Coverity Scan
Date: Tue, 01 Jan 2013 13:37:24 +1100
Message-ID: <50E24BE4.5040704@nigelcunningham.com.au>
In-Reply-To: <C0A4ACBB26D853488EA0C68388B70268168CDC32@BLUPRD0511MB401.namprd05.prod.outlook.com>
From b41864867464bfe0e2d114528bc9b39e2d9f546e Mon Sep 17 00:00:00 2001
From: Nigel Cunningham <nigel@nigelcunningham.com.au>
Date: Tue, 1 Jan 2013 13:03:50 +1100
Subject: [PATCH] Fix rbd use after free.
This patch addresses Coverity #753114.
The use of ceph_opts in rbd_add is currently confusing - there
are three possible outcomes of the call to rbd_get_client:
1) An existing, matching and usable rbd client is found and returned by
rbd_client_find. ceph_opts is freed by rbd_get_client and should not
be freed by rbd_add. This is the code path triggering the Coverity
warning.
2) An existing, matching and usable rbd client is NOT found and returned
by rbd_client_find. rbd_client_create successfully executes, passing
responsibility for ceph_opts to the newly created client. It should
not be freed by rbd_add.
3) An existing, matching and usable rbd client is NOT found and returned
by rbd_client_find. rbd_client_create fails to create a new client,
freeing ceph_opts in its error path. It should not be freed by rbd_add.
So then, regardless of the outcome of rbd_get_client, if it is called, we
should not attempt to free ceph_opts. The solution is then simple: there
is no need to seek to free ceph_opts in rbd_add (or do anything with it)
because rbd_get_client is called immediately after the structure is
allocated by rbd_add_parse_args.
Signed-off-by: Nigel Cunningham <nigel@nigelcunningham.com.au>
---
drivers/block/rbd.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 89576a0..dfb7ef8 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -3629,7 +3629,6 @@ static ssize_t rbd_add(struct bus_type *bus,
rc = PTR_ERR(rbdc);
goto err_out_args;
}
- ceph_opts = NULL; /* rbd_dev client now owns this */
/* pick the pool */
osdc = &rbdc->client->osdc;
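Review bot: dropping `ceph_opts = NULL; /* rbd_dev client now owns this */` also drops the only in-code statement of the ownership hand-off, and from this point the local still holds a pointer into memory that rbd_get_client() may already have freed (outcome 1 in the commit message). Since the variable is deliberately left dangling and unused, a comment on the rbd_get_client() call just above this hunk, e.g. `/* rbd_get_client() consumes ceph_opts on every path; do not touch it again */`, would keep that documentation and make the intent obvious to the next reader and to the static analyser.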
@@ -3658,8 +3657,6 @@ err_out_rbd_dev:
err_out_client:
rbd_put_client(rbdc);
err_out_args:
- if (ceph_opts)
- ceph_destroy_options(ceph_opts);
kfree(rbd_opts);
rbd_spec_put(spec);
err_out_module:
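Review bot: removing the `if (ceph_opts)` / `ceph_destroy_options(ceph_opts);` pair under err_out_args is only correct if every `goto err_out_args` is reached after rbd_get_client() has consumed ceph_opts; the commit message asserts rbd_get_client() is called immediately after rbd_add_parse_args(), but the code between those two calls is outside the diff context, so the reviewer should confirm there is no earlier jump to this label with a live ceph_opts. With this cleanup gone, rbd_add() relies entirely on rbd_get_client() destroying or adopting the options on all three paths, which is worth a one-line comment at rbd_get_client() so a later change to its error handling does not silently reintroduce a leak.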
--
1.7.10.4
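Added example, not from this patch or from rbd.c: a small C model of the ownership contract the commit message describes, with an instrumented stand-in for ceph_destroy_options() so a test can observe the double destroy the old err_out_args cleanup caused on the creation-failure path. All names (opts, client, get_client, add_device) are hypothetical stand-ins for the rbd structures and functions.

```c
#include <stddef.h>

/* Hypothetical stand-ins for struct ceph_options and struct rbd_client. */
struct opts { int destroy_count; };
struct client { struct opts *opts; };

/* Instrumented stand-in for ceph_destroy_options(): counting instead of
 * freeing lets a test observe a second destroy, which a real kfree hides. */
static void destroy_opts(struct opts *o) { o->destroy_count++; }

/* The three outcomes the commit message lists for rbd_get_client(). */
enum outcome { FOUND_EXISTING = 1, CREATED_NEW = 2, CREATE_FAILED = 3 };

/* Model of rbd_get_client(): it consumes opts on every path. */
static struct client *get_client(struct opts *opts, enum outcome how,
                                 struct client *existing, struct client *fresh)
{
    switch (how) {
    case FOUND_EXISTING:          /* 1: match found, opts no longer needed */
        destroy_opts(opts);
        return existing;
    case CREATED_NEW:             /* 2: new client takes ownership of opts */
        fresh->opts = opts;
        return fresh;
    default:                      /* 3: creation failed, opts destroyed here */
        destroy_opts(opts);
        return NULL;
    }
}

/* Model of rbd_add()'s handling of opts. legacy != 0 reproduces the
 * pre-patch err_out_args cleanup (opts was only NULLed on success, so the
 * guard did not protect the failure path); 0 is the patched behaviour.
 * Returns how many times opts was destroyed; anything but 1 is a bug. */
static int add_device(enum outcome how, int legacy)
{
    struct opts opts = { 0 };
    struct client existing = { NULL }, fresh = { NULL };
    struct client *c = get_client(&opts, how, &existing, &fresh);

    if (!c) {
        if (legacy)               /* old err_out_args: a second destroy */
            destroy_opts(&opts);
        return opts.destroy_count;
    }
    /* success: opts is either already destroyed (1) or owned by c (2) */
    if (c->opts)
        destroy_opts(c->opts);    /* stands in for client teardown */
    return opts.destroy_count;
}
```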