rbd: fix double free on rbd_dev->header_name

commit 3ebe138ac642a195c7f2efdb918f464734421fd6 upstream. If rbd_dev_image_probe() in rbd_dev_probe_parent() fails, header_name is freed twice: once in rbd_dev_probe_parent() and then in its caller rbd_dev_image_probe() (rbd_dev_image_probe() is called recursively to handle parent images). rbd_dev_probe_parent() is responsible for probing the parent, so it shouldn't muck with clone's fields. Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Reviewed-by: Alex Elder <elder@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Ilya Dryomov <idryomov@gmail.com> 2015-08-31 15:21:39 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-10-27 09:44:51 +0900
commit: f22714069f1bc94b91b463bdc00cc82782f0e363 (patch)
tree: 223311812729824a8225d05292fc81383ed1874a
parent: ad824a8286dd4db9c23e3e3febdd63d4c2c4ae9e (diff)
1 files changed, 0 insertions, 1 deletions
diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 01677543248d..2fa22c24fa5d 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -4860,7 +4860,6 @@ static int rbd_dev_probe_parent(struct rbd_device *rbd_dev)
 out_err:
 	if (parent) {
 		rbd_dev_unparent(rbd_dev);
-		kfree(rbd_dev->header_name);
 		rbd_dev_destroy(parent);
 	} else {
 		rbd_put_client(rbdc);
author	Ilya Dryomov <idryomov@gmail.com>	2015-08-31 15:21:39 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2015-10-27 09:44:51 +0900
commit	f22714069f1bc94b91b463bdc00cc82782f0e363 (patch)
tree	223311812729824a8225d05292fc81383ed1874a
parent	ad824a8286dd4db9c23e3e3febdd63d4c2c4ae9e (diff)