[PATCH] rbd: avoid double free memory on error path in rbd_dev_create()
From: Natalia Petrova
Date: Fri Feb 03 2023 - 09:16:37 EST
If rbd_dev_create() fails after assignment 'opts' to 'rbd_dev->opts',
double free of 'rbd_options' happens:
one is in rbd_dev_free() and another one is in do_rbd_add().
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 1643dfa4c2c8 ("rbd: introduce a per-device ordered workqueue")
Signed-off-by: Natalia Petrova <n.petrova@xxxxxxxxxx>
Signed-off-by: Alexey Khoroshilov <khoroshilov@xxxxxxxxx>
---
drivers/block/rbd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 04453f4a319c..ab6bfc352cde 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -5357,7 +5357,6 @@ static struct rbd_device *rbd_dev_create(struct rbd_client *rbdc,
if (!rbd_dev)
return NULL;
- rbd_dev->opts = opts;
/* get an id and fill in device name */
rbd_dev->dev_id = ida_simple_get(&rbd_dev_id_ida, 0,
@@ -5372,6 +5371,7 @@ static struct rbd_device *rbd_dev_create(struct rbd_client *rbdc,
if (!rbd_dev->task_wq)
goto fail_dev_id;
+ rbd_dev->opts = opts;
/* we have a ref from do_rbd_add() */
__module_get(THIS_MODULE);
--
2.34.1