From: Alex Elder
Subject: Re: Use-after-free error in rbd_add()
Date: Thu, 09 May 2013 21:09:35 -0500
Message-ID: <518C56DF.70206@inktank.com>
To: Bjorn Helgaas
Cc: Sage Weil, ceph-devel@vger.kernel.org

On 05/09/2013 05:42 PM, Bjorn Helgaas wrote:
> I think b536f69a3a5 "rbd: set up devices only for mapped images"
> introduced a use-after-free error in rbd_add():
>
> @@ -4964,9 +4960,12 @@ static ssize_t rbd_add(struct bus_type *bus,
> if (rc < 0)
> goto err_out_rbd_dev;
>
> - return count;
> + rc = rbd_dev_device_setup(rbd_dev);
> + if (!rc)
> + return count;
> +
> + rbd_dev_image_release(rbd_dev);
> err_out_rbd_dev:
> - kfree(rbd_dev->header_name);
> rbd_dev_destroy(rbd_dev);
>
> If rbd_dev_device_setup() returns an error, we call
> rbd_dev_image_release(), which ultimately kfrees rbd_dev. Then we
> call rbd_dev_destroy(), which references fields in the already-freed
> rbd_dev struct before kfreeing it again.

Thank you. I think you're right, I'll try to have a fix prepared
tomorrow.

-Alex

> Found by Coverity (CID 1020653).
>
> Bjorn
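Review bot: the failure path after `rc = rbd_dev_device_setup(rbd_dev)` calls `rbd_dev_image_release(rbd_dev)` and then falls through to `err_out_rbd_dev:`, where `rbd_dev_destroy(rbd_dev)` runs on the same pointer; per the report, rbd_dev_image_release() already frees rbd_dev, so the fall-through is a use-after-free followed by a second kfree. Return rc directly after `rbd_dev_image_release(rbd_dev);` (or make the release undo only the image state and leave the final free to rbd_dev_destroy()), so that exactly one of the two teardown routines owns the object at the end of the error path. The hunk also drops `kfree(rbd_dev->header_name);` from the err_out_rbd_dev path; confirm that rbd_dev_destroy() or the image teardown now frees header_name, since nothing visible in this hunk does.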
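The fall-through Bjorn describes, modelled as an added example (not kernel code and not from the ceph tree): a fixed slab with a liveness bit per slot stands in for kmalloc/kfree so that the second free and the read of the freed object are counted instead of being undefined behaviour. `image_probe`, `device_setup`, `image_release`, `dev_destroy`, `add_as_in_hunk` and `add_release_once` are constructed stand-ins that mirror the control flow of the quoted hunk, not the rbd functions themselves; `add_release_once` shows one way to close the hole, by returning right after the release instead of falling into err_out_rbd_dev, so exactly one teardown routine frees the object.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the rbd_add() error path in the quoted hunk; nothing
 * here is kernel code. The struct, slab and helper names are stand-ins. */
#define NSLOTS 4
struct rbd_dev_model { int image_probed; int device_set_up; };

/* Instrumented "heap": a fixed slab with a liveness bit per slot, so a second
 * free or a read through a freed pointer is counted rather than being the
 * undefined behaviour it would be with real kfree(). */
static struct rbd_dev_model slab[NSLOTS];
static bool live[NSLOTS];
static int double_frees;   /* free of a slot that is already free */
static int dead_reads;     /* field read through a freed pointer */

static void model_reset(void)
{ memset(live, 0, sizeof live); double_frees = dead_reads = 0; }

static struct rbd_dev_model *model_alloc(void)
{
	for (int i = 0; i < NSLOTS; i++)
		if (!live[i]) { live[i] = true; return &slab[i]; }
	return NULL;
}

static void model_free(struct rbd_dev_model *d)
{ if (!live[d - slab]) { double_frees++; return; } live[d - slab] = false; }

/* Teardown reads fields through here so a read of a freed object is recorded;
 * the slab is static storage, so the read itself is safe. */
static int model_read(struct rbd_dev_model *d, const int *field)
{ if (!live[d - slab]) dead_reads++; return *field; }

static int live_objects(void)
{ int n = 0; for (int i = 0; i < NSLOTS; i++) n += live[i]; return n; }

/* Stand-ins for the helpers named in the report. */
static int image_probe(struct rbd_dev_model *d, bool fail)
{ if (fail) return -1; d->image_probed = 1; return 0; }
static int device_setup(struct rbd_dev_model *d, bool fail)
{ if (fail) return -1; d->device_set_up = 1; return 0; }
/* rbd_dev_image_release() "ultimately kfrees rbd_dev" (report). */
static void image_release(struct rbd_dev_model *d) { model_free(d); }
/* rbd_dev_destroy() references fields, then kfrees (report). */
static void dev_destroy(struct rbd_dev_model *d)
{ (void)model_read(d, &d->image_probed); model_free(d); }

/* Control flow of the quoted hunk: release, then fall through to destroy. */
static int add_as_in_hunk(bool probe_fails, bool setup_fails)
{
	struct rbd_dev_model *d = model_alloc();
	int rc = image_probe(d, probe_fails);
	if (rc < 0)
		goto err_out_rbd_dev;
	rc = device_setup(d, setup_fails);
	if (!rc)
		return 0;          /* success: the mapped device stays live */
	image_release(d);          /* frees d ... */
err_out_rbd_dev:
	dev_destroy(d);            /* ... then reads and frees d a second time */
	return rc;
}

/* One fix shape: exactly one teardown routine owns the final free, so the
 * device-setup failure path returns right after image_release(). */
static int add_release_once(bool probe_fails, bool setup_fails)
{
	struct rbd_dev_model *d = model_alloc();
	int rc = image_probe(d, probe_fails);
	if (rc < 0)
		goto err_out_rbd_dev;
	rc = device_setup(d, setup_fails);
	if (!rc)
		return 0;
	image_release(d);          /* already frees d: do not fall through */
	return rc;
err_out_rbd_dev:
	dev_destroy(d);
	return rc;
}

struct outcome { int double_frees, dead_reads, still_live; };

/* Run one add() variant from a clean slab and report what the teardown did.
 * still_live is 1 on the success path (device mapped), 0 on every error path. */
static struct outcome run(int (*add)(bool, bool), bool probe_fails, bool setup_fails)
{
	struct outcome o;
	model_reset();
	(void)add(probe_fails, setup_fails);
	o.double_frees = double_frees; o.dead_reads = dead_reads;
	o.still_live = live_objects();
	return o;
}

int main(void)
{
	struct outcome bug = run(add_as_in_hunk, false, true);
	struct outcome fix = run(add_release_once, false, true);
	printf("hunk shape:  %d double free, %d dead read\n", bug.double_frees, bug.dead_reads);
	printf("fixed shape: %d double free, %d dead read\n", fix.double_frees, fix.dead_reads);
	return 0;
}
```

Build with any C99 compiler and run: the hunk-shaped variant reports one double free and one read of a freed object on the device-setup failure path, the release-once variant none, and both still tear down correctly when the earlier probe step fails. The same discipline applies to any goto-unwind error path: each label must release only what is still owned at the point it is reached.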