drbd: use after free in drbd_create_device()

The drbd_destroy_connection() frees the "connection" so use the _safe() iterator to prevent a use after free. Fixes: b6f85ef9 ("drbd: Iterate over all connections") Signed-off-by: N Dan Carpenter <error27@gmail.com> Reviewed-by: N Christoph Böhmwalder <christoph.boehmwalder@linbit.com> Link: https://lore.kernel.org/r/Y3Jd5iZRbNQ9w6gm@kiliSigned-off-by: N Jens Axboe <axboe@kernel.dk>

drbd: use after free in drbd_create_device()
The drbd_destroy_connection() frees the "connection" so use the _safe() iterator to prevent a use after free. Fixes: b6f85ef9 ("drbd: Iterate over all connections") Signed-off-by: N Dan Carpenter <error27@gmail.com> Reviewed-by: N Christoph Böhmwalder <christoph.boehmwalder@linbit.com> Link: https://lore.kernel.org/r/Y3Jd5iZRbNQ9w6gm@kiliSigned-off-by: N Jens Axboe <axboe@kernel.dk>
a7a15981 · Dan Carpenter · Jens Axboe · d7dbd43f · a7a15981
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

drivers/block/drbd/drbd_main.c drivers/block/drbd/drbd_main.c +2 -2

未找到文件。
--- a/drivers/block/drbd/drbd_main.c
+++ b/drivers/block/drbd/drbd_main.c
@@ -2672,7 +2672,7 @@ static int init_submitter(struct drbd_device *device)
 enum drbd_ret_code drbd_create_device(struct drbd_config_context *adm_ctx, unsigned int minor)
 {
 	struct drbd_resource *resource = adm_ctx->resource;
-	struct drbd_connection *connection;
+	struct drbd_connection *connection, *n;
 	struct drbd_device *device;
 	struct drbd_peer_device *peer_device, *tmp_peer_device;
 	struct gendisk *disk;
@@ -2789,7 +2789,7 @@ enum drbd_ret_code drbd_create_device(struct drbd_config_context *adm_ctx, unsig
 	return NO_ERROR;
 out_idr_remove_from_resource:
-	for_each_connection(connection, resource) {
+	for_each_connection_safe(connection, n, resource) {
 		peer_device = idr_remove(&connection->peer_devices, vnr);
 		if (peer_device)
 			kref_put(&connection->kref, drbd_destroy_connection);