rbd: fix double free on rbd_dev->header_name

commit 3ebe138ac642a195c7f2efdb918f464734421fd6 upstream. If rbd_dev_image_probe() in rbd_dev_probe_parent() fails, header_name is freed twice: once in rbd_dev_probe_parent() and then in its caller rbd_dev_image_probe() (rbd_dev_image_probe() is called recursively to handle parent images). rbd_dev_probe_parent() is responsible for probing the parent, so it shouldn't muck with clone's fields. Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Reviewed-by: Alex Elder <elder@linaro.org> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
author: Ilya Dryomov <idryomov@gmail.com> 2015-08-31 15:21:39 +0300
committer: Jiri Slaby <jslaby@suse.cz> 2015-10-28 16:38:24 +0100
commit: 7371373f99d12bfec44b011434525135fd526543 (patch)
tree: bef9405ff9d656f21b58e857e4171a688a789f0f
parent: 2fd9f839bad45c329b9362ed653db5a627309e12 (diff)
1 files changed, 0 insertions, 1 deletions
diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 63ff17fc23df..66f632730969 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -4868,7 +4868,6 @@ static int rbd_dev_probe_parent(struct rbd_device *rbd_dev)
 out_err:
 	if (parent) {
 		rbd_dev_unparent(rbd_dev);
-		kfree(rbd_dev->header_name);
 		rbd_dev_destroy(parent);
 	} else {
 		rbd_put_client(rbdc);
author	Ilya Dryomov <idryomov@gmail.com>	2015-08-31 15:21:39 +0300
committer	Jiri Slaby <jslaby@suse.cz>	2015-10-28 16:38:24 +0100
commit	7371373f99d12bfec44b011434525135fd526543 (patch)
tree	bef9405ff9d656f21b58e857e4171a688a789f0f
parent	2fd9f839bad45c329b9362ed653db5a627309e12 (diff)