Commit 04dc923c authored by Ilya Dryomov's avatar Ilya Dryomov

rbd: img_data requests don't own their page array

Move the check into rbd_obj_request_destroy() to avoid use-after-free
on errors in rbd_img_request_fill(..., OBJ_REQUEST_PAGES, ...), where
pages, owned by the caller, gets freed in rbd_img_request_fill().
Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
Reviewed-by: default avatarAlex Elder <elder@linaro.org>
Reviewed-by: default avatarDavid Disseldorp <ddiss@suse.de>
parent 7c84883a
...@@ -2147,7 +2147,9 @@ static void rbd_obj_request_destroy(struct kref *kref) ...@@ -2147,7 +2147,9 @@ static void rbd_obj_request_destroy(struct kref *kref)
bio_chain_put(obj_request->bio_list); bio_chain_put(obj_request->bio_list);
break; break;
case OBJ_REQUEST_PAGES: case OBJ_REQUEST_PAGES:
if (obj_request->pages) /* img_data requests don't own their page array */
if (obj_request->pages &&
!obj_request_img_data_test(obj_request))
ceph_release_page_vector(obj_request->pages, ceph_release_page_vector(obj_request->pages,
obj_request->page_count); obj_request->page_count);
break; break;
...@@ -2368,13 +2370,6 @@ static bool rbd_img_obj_end_request(struct rbd_obj_request *obj_request) ...@@ -2368,13 +2370,6 @@ static bool rbd_img_obj_end_request(struct rbd_obj_request *obj_request)
xferred = obj_request->length; xferred = obj_request->length;
} }
/* Image object requests don't own their page array */
if (obj_request->type == OBJ_REQUEST_PAGES) {
obj_request->pages = NULL;
obj_request->page_count = 0;
}
if (img_request_child_test(img_request)) { if (img_request_child_test(img_request)) {
rbd_assert(img_request->obj_request != NULL); rbd_assert(img_request->obj_request != NULL);
more = obj_request->which < img_request->obj_request_count - 1; more = obj_request->which < img_request->obj_request_count - 1;
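Review bot: The new guard in the OBJ_REQUEST_PAGES case of rbd_obj_request_destroy() ties page-array ownership to the img_data flag at destroy time, so it is only safe if that flag is already set on every path where a caller-owned `pages` pointer has been stored in the request. The hunks do not show where the flag is set, so that ordering should be confirmed for the rbd_img_request_fill() error path named in the description. Because the second hunk no longer clears `pages` and `page_count` in rbd_img_obj_end_request(), the request appears to keep a borrowed pointer until it is destroyed, and the caller has to keep the array alive for that long. I would state the invariant in the comment itself, e.g. `/* img_data requests borrow ->pages from the caller; the flag must be set before ->pages is assigned */`. Both functions start and end outside the hunks shown.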