On Tue, Nov 27, 2018 at 11:17:26AM +0100, Ilya Dryomov wrote:
> On Tue, Nov 27, 2018 at 10:22 AM Pan Bian wrote:
> >
> > The function ceph_monc_handle_map calls kfree(old) to free the old
> > monitor map, old points to monc->monmap. However, after that, it reads
> > monc->monmap->epoch and passes
On Tue, Nov 27, 2018 at 10:22 AM Pan Bian wrote:
>
> The function ceph_monc_handle_map calls kfree(old) to free the old
> monitor map, old points to monc->monmap. However, after that, it reads
> monc->monmap->epoch and passes it to __ceph_monc_got_map. This will
> result in a use-after-free bug. T
The function ceph_monc_handle_map calls kfree(old) to free the old
monitor map, old points to monc->monmap. However, after that, it reads
monc->monmap->epoch and passes it to __ceph_monc_got_map. This will
result in a use-after-free bug. The patch moves the free operation after
the call to __ceph_
