From: Greg Kroah-Hartman Date: Fri, 23 Oct 2015 17:41:48 +0000 (-0700) Subject: 3.10-stable patches X-Git-Tag: v3.14.56~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d3371ca888acf11a3ece5109a1377fd296761bf0;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: rbd-fix-double-free-on-rbd_dev-header_name.patch --- diff --git a/queue-3.10/rbd-fix-double-free-on-rbd_dev-header_name.patch b/queue-3.10/rbd-fix-double-free-on-rbd_dev-header_name.patch new file mode 100644 index 00000000000..dc5f08c4603 --- /dev/null +++ b/queue-3.10/rbd-fix-double-free-on-rbd_dev-header_name.patch @@ -0,0 +1,35 @@ +From 3ebe138ac642a195c7f2efdb918f464734421fd6 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Mon, 31 Aug 2015 15:21:39 +0300 +Subject: rbd: fix double free on rbd_dev->header_name + +From: Ilya Dryomov + +commit 3ebe138ac642a195c7f2efdb918f464734421fd6 upstream. + +If rbd_dev_image_probe() in rbd_dev_probe_parent() fails, header_name +is freed twice: once in rbd_dev_probe_parent() and then in its caller +rbd_dev_image_probe() (rbd_dev_image_probe() is called recursively to +handle parent images). + +rbd_dev_probe_parent() is responsible for probing the parent, so it +shouldn't muck with clone's fields. + +Signed-off-by: Ilya Dryomov +Reviewed-by: Alex Elder +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/rbd.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -4860,7 +4860,6 @@ static int rbd_dev_probe_parent(struct r + out_err: + if (parent) { + rbd_dev_unparent(rbd_dev); +- kfree(rbd_dev->header_name); + rbd_dev_destroy(parent); + } else { + rbd_put_client(rbdc); diff --git a/queue-3.10/series b/queue-3.10/series index 01089b2ace2..e79cc683d9b 100644 --- a/queue-3.10/series +++ b/queue-3.10/series 
@@ -14,3 +14,4 @@ crypto-ahash-ensure-statesize-is-non-zero.patch i2c-rcar-enable-runtimepm-before-registering-to-the-core.patch workqueue-make-sure-delayed-work-run-in-local-cpu.patch dm-thin-fix-missing-pool-reference-count-decrement-in-pool_ctr-error-path.patch +rbd-fix-double-free-on-rbd_dev-header_name.patch
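Review bot: in the out_err path of rbd_dev_probe_parent(), dropping `kfree(rbd_dev->header_name);` is only correct for 3.10 if rbd_dev_image_probe() in that tree frees header_name when the parent probe fails, as the commit message says it does upstream. The queued patch does not show the caller, so check its error path against the 3.10 drivers/block/rbd.c before this goes out; if that free is absent there, the backport trades the double free for a leak. The message also has no Fixes: tag or other note on which commit introduced the second free, which would help decide which other stable queues need the same one-line removal.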