rbd: img_data requests don't own their page array

Move the check into rbd_obj_request_destroy() to avoid use-after-free
on errors in rbd_img_request_fill(..., OBJ_REQUEST_PAGES, ...), where
pages, owned by the caller, gets freed in rbd_img_request_fill().

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Reviewed-by: David Disseldorp <ddiss@suse.de>

1 files changed, 3 insertions, 8 deletions

diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 02e9a0f0bf7b..e46f4f05fb01 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -2147,7 +2147,9 @@ static void rbd_obj_request_destroy(struct kref *kref)
                         bio_chain_put(obj_request->bio_list);
                 break;
         case OBJ_REQUEST_PAGES:
-                if (obj_request->pages)
+                /* img_data requests don't own their page array */
+                if (obj_request->pages &&
+                    !obj_request_img_data_test(obj_request))
                         ceph_release_page_vector(obj_request->pages,
                                                 obj_request->page_count);
                 break;
@@ -2368,13 +2370,6 @@ static bool rbd_img_obj_end_request(struct rbd_obj_request *obj_request)
                 xferred = obj_request->length;
         }
 
-        /* Image object requests don't own their page array */
-
-        if (obj_request->type == OBJ_REQUEST_PAGES) {
-                obj_request->pages = NULL;
-                obj_request->page_count = 0;
-        }
-
         if (img_request_child_test(img_request)) {
                 rbd_assert(img_request->obj_request != NULL);
                 more = obj_request->which < img_request->obj_request_count - 1;