lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20230203141515.125205-1-n.petrova@fintech.ru>
Date:   Fri, 3 Feb 2023 17:15:15 +0300
From:   Natalia Petrova <n.petrova@...tech.ru>
To:     Ilya Dryomov <idryomov@...il.com>
CC:     Natalia Petrova <n.petrova@...tech.ru>,
        Dongsheng Yang <dongsheng.yang@...ystack.cn>,
        Jens Axboe <axboe@...nel.dk>, <ceph-devel@...r.kernel.org>,
        <linux-block@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        <lvc-project@...uxtesting.org>,
        "Alexey Khoroshilov" <khoroshilov@...ras.ru>
Subject: [PATCH] rbd: avoid double free memory on error path in rbd_dev_create()

If rbd_dev_create() fails after assignment 'opts' to 'rbd_dev->opts',
double free of 'rbd_options' happens:
one is in rbd_dev_free() and another one is in do_rbd_add().

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 1643dfa4c2c8 ("rbd: introduce a per-device ordered workqueue")
Signed-off-by: Natalia Petrova <n.petrova@...tech.ru>
Signed-off-by: Alexey Khoroshilov <khoroshilov@...ras.ru>
---
 drivers/block/rbd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 04453f4a319c..ab6bfc352cde 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -5357,7 +5357,6 @@ static struct rbd_device *rbd_dev_create(struct rbd_client *rbdc,
 	if (!rbd_dev)
 		return NULL;
 
-	rbd_dev->opts = opts;
 
 	/* get an id and fill in device name */
 	rbd_dev->dev_id = ida_simple_get(&rbd_dev_id_ida, 0,
@@ -5372,6 +5371,7 @@ static struct rbd_device *rbd_dev_create(struct rbd_client *rbdc,
 	if (!rbd_dev->task_wq)
 		goto fail_dev_id;
 
+	rbd_dev->opts = opts;
 	/* we have a ref from do_rbd_add() */
 	__module_get(THIS_MODULE);
 
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ