提交 60ae36ad 编写于 作者: J Josef Bacik 提交者: Jens Axboe

nbd: fix use after free on module unload

list_for_each_entry() isn't super safe if we're freeing the objects
while we traverse the list.  Also don't bother taking the extra
reference, the module refcounting stuff will save us from having anybody
messing with the device while we're trying to unload.
Reported-by: NMing Lei <ming.lei@redhat.com>
Signed-off-by: NJosef Bacik <jbacik@fb.com>
Signed-off-by: NJens Axboe <axboe@fb.com>
上级 bf290f8f
...@@ -2090,7 +2090,6 @@ static int nbd_exit_cb(int id, void *ptr, void *data) ...@@ -2090,7 +2090,6 @@ static int nbd_exit_cb(int id, void *ptr, void *data)
struct list_head *list = (struct list_head *)data; struct list_head *list = (struct list_head *)data;
struct nbd_device *nbd = ptr; struct nbd_device *nbd = ptr;
refcount_inc(&nbd->refs);
list_add_tail(&nbd->list, list); list_add_tail(&nbd->list, list);
return 0; return 0;
} }
...@@ -2106,11 +2105,12 @@ static void __exit nbd_cleanup(void) ...@@ -2106,11 +2105,12 @@ static void __exit nbd_cleanup(void)
idr_for_each(&nbd_index_idr, &nbd_exit_cb, &del_list); idr_for_each(&nbd_index_idr, &nbd_exit_cb, &del_list);
mutex_unlock(&nbd_index_mutex); mutex_unlock(&nbd_index_mutex);
list_for_each_entry(nbd, &del_list, list) { while (!list_empty(&del_list)) {
if (refcount_read(&nbd->refs) != 2) nbd = list_first_entry(&del_list, struct nbd_device, list);
list_del_init(&nbd->list);
if (refcount_read(&nbd->refs) != 1)
printk(KERN_ERR "nbd: possibly leaking a device\n"); printk(KERN_ERR "nbd: possibly leaking a device\n");
nbd_put(nbd); nbd_put(nbd);
nbd_put(nbd);
} }
idr_destroy(&nbd_index_idr); idr_destroy(&nbd_index_idr);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册