Hello, In net/ceph/ceph_common.c::ceph_destroy_client() the pointer 'client' is freed by kfree() and subsequently used in a call to dout() - use after free bug. Easily fixed by simply moving the kfree() call after the dout() call. Signed-off-by: Jesper Juhl <jj@xxxxxxxxxxxxx> --- ceph_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ceph/ceph_common.c b/net/ceph/ceph_common.c index f3e4a13..890bbbf 100644 --- a/net/ceph/ceph_common.c +++ b/net/ceph/ceph_common.c @@ -408,8 +408,8 @@ void ceph_destroy_client(struct ceph_client *client) ceph_destroy_options(client->options); - kfree(client); dout("destroy_client %p done\n", client); + kfree(client); } EXPORT_SYMBOL(ceph_destroy_client); -- Jesper Juhl <jj@xxxxxxxxxxxxx> http://www.chaosbits.net/ Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html Plain text mails only, please.
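
Review bot: the changelog overstates this as a use-after-free. In the hunk at the end of ceph_destroy_client(), `dout("destroy_client %p done\n", client);` only formats the pointer value with %p and never dereferences client, so no freed memory is read. The reordering is still reasonable, because making `kfree(client);` the last statement means the dangling pointer is never handed to another call. The commit message would be more accurate if it described the change that way rather than as a use-after-free fix. With the new order the "done" message is also emitted before the free has actually happened, which is worth a word in the changelog if the debug output is meant to mark completion.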