X-Patchwork-Submitter: Jesper Juhl
X-Patchwork-Id: 76695
X-Patchwork-Delegate: davem@davemloft.net
Date: Sat, 25 Dec 2010 19:11:41 +0100 (CET)
From: Jesper Juhl
To: ceph-devel@vger.kernel.org
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, "David S. Miller", Sage Weil
Subject: [PATCH] Ceph: Fix use-after-free bug in ceph_messenger_destroy()

Hi,

In net/ceph/messenger.c::ceph_messenger_destroy() the pointer 'msgr' is
freed by kfree() and subsequently used in a call to dout() - use after
free bug. Easily fixed by simply moving the kfree() call after the dout()
call.

Signed-off-by: Jesper Juhl
---
 messenger.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c index b6ff4a1..26514a7 100644 --- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c @@ -2131,8 +2131,8 @@ void ceph_messenger_destroy(struct ceph_messenger *msgr) dout("destroy %p\n", msgr); kunmap(msgr->zero_page); __free_page(msgr->zero_page); - kfree(msgr); dout("destroyed messenger %p\n", msgr); + kfree(msgr); } EXPORT_SYMBOL(ceph_messenger_destroy);
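
Review bot: the changelog overstates the problem at the final dout() call, `dout("destroyed messenger %p\n", msgr);`: that call only formats the pointer value with %p and never dereferences msgr, so the old ordering did not read freed memory. Moving kfree(msgr) to the end is still the cleaner order, since it keeps every mention of msgr ahead of the free and avoids logging an address that the allocator may already have handed out again, but the subject and description would be more accurate as an ordering cleanup than as a use-after-free fix. The real dereferences in this hunk, `kunmap(msgr->zero_page);` and `__free_page(msgr->zero_page);`, already run before the kfree() in both the old and new versions, which is worth stating in the changelog so nobody assumes a memory-safety bug is being closed here.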