Hi, In fs/ceph/super.c::destroy_fs_client() the pointer 'fsc' is freed by kfree() and subsequently used in a call to dout() - use after free bug. Easily fixed by simply moving the kfree() call after the dout() call. Signed-off-by: Jesper Juhl <jj@xxxxxxxxxxxxx> --- super.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ceph/super.c b/fs/ceph/super.c index 08b460a..7373594 100644 --- a/fs/ceph/super.c +++ b/fs/ceph/super.c @@ -498,8 +498,8 @@ void destroy_fs_client(struct ceph_fs_client *fsc) ceph_destroy_client(fsc->client); - kfree(fsc); dout("destroy_fs_client %p done\n", fsc); + kfree(fsc); } /* -- Jesper Juhl <jj@xxxxxxxxxxxxx> http://www.chaosbits.net/ Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html Plain text mails only, please. -- To unsubscribe from this list: send the line "unsubscribe ceph-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
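Review bot: The reordering in the destroy_fs_client() hunk is correct and the cheapest possible fix: the dout() call takes fsc as an argument after kfree(fsc) has already returned it to the allocator, so the old order used the pointer after free. Worth stating in the commit message that dout() here only formats the pointer value with %p and does not dereference fsc, so the original ordering did not read freed memory; the hazard is the undefined use of a freed pointer and the trap that the trace message would become a real read of freed memory the moment someone extends it to print a field of *fsc. Keeping the trace before the free, as the "+ kfree(fsc);" line now does, is the right convention for every teardown path in this file.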