From patchwork Wed May 18 15:28:45 2016
X-Patchwork-Submitter: Ilya Dryomov
X-Patchwork-Id: 9120611
From: Ilya Dryomov
To: ceph-devel@vger.kernel.org
Cc: Alex Elder
Subject: [PATCH] rbd: get/put img_request in rbd_img_request_submit()
Date: Wed, 18 May 2016 17:28:45 +0200
Message-Id: <1463585325-24631-1-git-send-email-idryomov@gmail.com>
X-Mailing-List: ceph-devel@vger.kernel.org

By the time we get to checking for_each_obj_request_safe(img_request)
terminating condition, all obj_requests may be complete and img_request
ref, that rbd_img_request_submit() takes away from its caller, may be
put. Moving the next_obj_request cursor is then a use-after-free on
img_request. It's totally benign, as the value that's read is never
used, but I think it's still worth fixing.

Cc: Alex Elder
Signed-off-by: Ilya Dryomov --- drivers/block/rbd.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c index 465c839e0a65..b1e68dacba18 100644 --- a/drivers/block/rbd.c +++ b/drivers/block/rbd.c @@ -2973,17 +2973,20 @@ static int rbd_img_request_submit(struct rbd_img_request *img_request) { struct rbd_obj_request *obj_request; struct rbd_obj_request *next_obj_request; + int ret = 0; dout("%s: img %p\n", __func__, img_request); - for_each_obj_request_safe(img_request, obj_request, next_obj_request) { - int ret; + rbd_img_request_get(img_request); + for_each_obj_request_safe(img_request, obj_request, next_obj_request) { ret = rbd_img_obj_request_submit(obj_request); if (ret) - return ret; + goto out_put_ireq; } - return 0; +out_put_ireq: + rbd_img_request_put(img_request); + return ret; } static void rbd_img_parent_read_callback(struct rbd_img_request *img_request)
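Review bot: rbd_img_request_get(img_request) ahead of for_each_obj_request_safe() carries no comment explaining why the function pins a reference it was already handed, so a later cleanup could take the get/put pair for redundant and remove it. A short comment above the get, saying that the last obj_request completion may drop the caller's ref before the loop reads next_obj_request, would record the reason from the commit message in the code. The single out_put_ireq label is reached both by the goto and by fall-through with ret still 0 from its initializer, so the put is balanced on the success and error paths.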