rbd: fix double free on rbd_dev->header_name

commit 3ebe138ac642a195c7f2efdb918f464734421fd6 upstream. If rbd_dev_image_probe() in rbd_dev_probe_parent() fails, header_name is freed twice: once in rbd_dev_probe_parent() and then in its caller rbd_dev_image_probe() (rbd_dev_image_probe() is called recursively to handle parent images). rbd_dev_probe_parent() is responsible for probing the parent, so it shouldn't muck with clone's fields. Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Reviewed-by: Alex Elder <elder@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Ilya Dryomov <idryomov@gmail.com> 2015-08-31 15:21:39 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-10-27 09:51:58 +0900
commit: dd703751ffe7818e43c85f4fea509c2868dce937 (patch)
tree: 87dd31996610bc674c67db3e44805ab15e1bb8a0
parent: 015ec5d44756f18dc887fb9b55288cccb1a659ef (diff)
1 files changed, 0 insertions, 1 deletions
diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 010ce0b1f517..fe8f1e4b4c7c 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -5174,7 +5174,6 @@ static int rbd_dev_probe_parent(struct rbd_device *rbd_dev)
 out_err:
 	if (parent) {
 		rbd_dev_unparent(rbd_dev);
-		kfree(rbd_dev->header_name);
 		rbd_dev_destroy(parent);
 	} else {
 		rbd_put_client(rbdc);
author	Ilya Dryomov <idryomov@gmail.com>	2015-08-31 15:21:39 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2015-10-27 09:51:58 +0900
commit	dd703751ffe7818e43c85f4fea509c2868dce937 (patch)
tree	87dd31996610bc674c67db3e44805ab15e1bb8a0
parent	015ec5d44756f18dc887fb9b55288cccb1a659ef (diff)