nbd: fix use after free on module unload

list_for_each_entry() isn't super safe if we're freeing the objects
while we traverse the list.  Also don't bother taking the extra
reference, the module refcounting stuff will save us from having anybody
messing with the device while we're trying to unload.

Reported-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
This commit is contained in:
Josef Bacik 2017-04-28 09:49:19 -04:00 committed by Jens Axboe
parent bf290f8f98
commit 60ae36ad03

View File

@ -2090,7 +2090,6 @@ static int nbd_exit_cb(int id, void *ptr, void *data)
struct list_head *list = (struct list_head *)data;
struct nbd_device *nbd = ptr;
refcount_inc(&nbd->refs);
list_add_tail(&nbd->list, list);
return 0;
}
@ -2106,11 +2105,12 @@ static void __exit nbd_cleanup(void)
idr_for_each(&nbd_index_idr, &nbd_exit_cb, &del_list);
mutex_unlock(&nbd_index_mutex);
list_for_each_entry(nbd, &del_list, list) {
if (refcount_read(&nbd->refs) != 2)
while (!list_empty(&del_list)) {
nbd = list_first_entry(&del_list, struct nbd_device, list);
list_del_init(&nbd->list);
if (refcount_read(&nbd->refs) != 1)
printk(KERN_ERR "nbd: possibly leaking a device\n");
nbd_put(nbd);
nbd_put(nbd);
}
idr_destroy(&nbd_index_idr);