Hi, In net/ceph/messenger.c::ceph_messenger_destroy() the pointer 'msgr' is freed by kfree() and subsequently used in a call to dout() - use after free bug. Easily fixed by simply moving the kfree() call after the dout() call. Signed-off-by: Jesper Juhl <jj@xxxxxxxxxxxxx> --- messenger.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c index b6ff4a1..26514a7 100644 --- a/net/ceph/messenger.c +++ b/net/ceph/messenger.c @@ -2131,8 +2131,8 @@ void ceph_messenger_destroy(struct ceph_messenger *msgr) dout("destroy %p\n", msgr); kunmap(msgr->zero_page); __free_page(msgr->zero_page); - kfree(msgr); dout("destroyed messenger %p\n", msgr); + kfree(msgr); } EXPORT_SYMBOL(ceph_messenger_destroy); -- Jesper Juhl <jj@xxxxxxxxxxxxx> http://www.chaosbits.net/ Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html Plain text mails only, please. -- To unsubscribe from this list: send the line "unsubscribe ceph-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
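Review bot: the reordering is correct, but note that the offending dout("destroyed messenger %p\n", msgr) only formats the pointer value with %p and never dereferences msgr, so the original code passed a dangling pointer value to a debug printk rather than reading through freed memory; that is still a use-after-free pattern worth fixing (static checkers flag it and it is wrong in principle), just a less severe one than the commit message suggests. With kfree(msgr) now the last statement before the closing brace, the function is consistent with the usual teardown order of "log, release members (kunmap/__free_page on zero_page), free the container". A minor style point: the two dout() calls bracketing the teardown print the same pointer; if the second message is only there to confirm completion, the two could be collapsed into one, but that is optional and unrelated to the bug.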