Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp406237imu;
        Tue, 27 Nov 2018 00:08:19 -0800 (PST)
X-Google-Smtp-Source: AFSGD/XeY3dKLtwKeupk4hJelKirkaiAF1yugpTxaRbDhxrha+DJ5/bWt3giQCnvOZjIy3uG4aV7
X-Received: by 2002:a17:902:598e:: with SMTP id p14mr31120053pli.260.1543306099368;
        Tue, 27 Nov 2018 00:08:19 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1543306099; cv=none;
        d=google.com; s=arc-20160816;
        b=uHzXede7ICLmMvOjJtLpaTHDir0YKmMGKkcOxP1GUq83yawAPczkdE3ByFfi43k43E
         vJxQhSD/CnyNlfnu7go/sFb2h/fRG2YT1lji4QPjfXMePcVRbnOXn6h7j44zXxQtp6iu
         /CfPk9zGKgwhAcuz/YtZxkNCxDokLphdV7ahX2kDTTn6A6frSWqUbM71y8K7PWroZyKm
         JUYaMzGZcQwDwkKoz/sl2bX0p0HZsK2sxKMRsa7epRXaapiPe2qkZevLCRzRM9pwDvw1
         4YEwR7vO+40Pe45D+YcCcRDtY+Nz3Aq3Td2u23dfFQa4/m+4LKubwLFsQaWgJrWu441H
         3lgw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=n4qcQHCUeLmjnPnVLjh/wKr5FAa6bQ0ff11NUi0uUiw=;
        b=MiyuemimrmXc+U1rDkrDELCs4kJ+RXPXw3wKbc3I/3LzyJ0WDYcPILmsnWVzyOVghf
         QcUkTbPv0M0XcddK+wFTDjHcRn7viq79KtIdK0BjoJn4zPgaolC4RLQ9SVPe6mIVWcix
         1z7UoytIEVkxw3b7pkz3TwbiGPj0RGvktFQMwY678qxCp0wo9u3DyUNB/alKvBxrgsSC
         w/6f3Gl5Pd/59JD8flCP1liOkTiqMncWQkjHBr0Oz3sULl8fpZPecTDDAziGleLm3U91
         Z7ki/K5fCmlzUImjhJc8YMFcxwRHfxPo/CVTZRG7Gz42ef+KE3ngJvJOgMTsUBxTSKbM
         BNig==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@163.com header.s=s110527 header.b=El22LD7o;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v9si3064796pgt.464.2018.11.27.00.08.04;
        Tue, 27 Nov 2018 00:08:19 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@163.com header.s=s110527 header.b=El22LD7o;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728928AbeK0R7P (ORCPT <rfc822;carmate383@gmail.com>
        + 99 others); Tue, 27 Nov 2018 12:59:15 -0500
Received: from m12-12.163.com ([220.181.12.12]:60153 "EHLO m12-12.163.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1728597AbeK0R7P (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 27 Nov 2018 12:59:15 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com;
        s=s110527; h=From:Subject:Date:Message-Id; bh=n4qcQHCUeLmjnPnVLj
        h/wKr5FAa6bQ0ff11NUi0uUiw=; b=El22LD7oU3p2nJ0h7Y8voiZOxZJlw9au4c
        5BlumJGD3bWLvMuQwA6Jn3mxtmnZmmnA7ULGCN0YxETZTcN6ncisNoogC9Co+acT
        +gn4LLIvE4co9GoR1idff7sNn/qz5lu1SHgYZAIdSzl0e215JeD6X4Ra6Gm4JD66
        Z6wyfLsqI=
Received: from bp.localdomain (unknown [106.120.213.96])
        by smtp8 (Coremail) with SMTP id DMCowAB3uzHv6_xbhguxCA--.15263S3;
        Tue, 27 Nov 2018 15:02:09 +0800 (CST)
From:   Pan Bian <bianpan2016@163.com>
To:     Ilya Dryomov <idryomov@gmail.com>, "Yan, Zheng" <zyan@redhat.com>,
        Sage Weil <sage@redhat.com>,
        "David S. Miller" <davem@davemloft.net>
Cc:     ceph-devel@vger.kernel.org, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org, Pan Bian <bianpan2016@163.com>
Subject: [PATCH] libceph: fix use after free
Date:   Tue, 27 Nov 2018 15:02:07 +0800
Message-Id: <1543302127-14435-1-git-send-email-bianpan2016@163.com>
X-Mailer: git-send-email 2.7.4
X-CM-TRANSID: DMCowAB3uzHv6_xbhguxCA--.15263S3
X-Coremail-Antispam: 1Uf129KBjvdXoWrKr4DCFy5XFy7XF45GFWfKrg_yoWDJrX_Za
        yjvr92ga1IyFWFk3ZFkws8AF4Igw1ruF1fGr1fCrW8A34UJFZxArs2v3s5ZF1fWF4UC3W7
        XF4q9ry5Jr4xZjkaLaAFLSUrUUUUUb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT
        9fnUUvcSsGvfC2KfnxnUUI43ZEXa7IUnO6pDUUUUU==
X-Originating-IP: [106.120.213.96]
X-CM-SenderInfo: held01tdqsiiqw6rljoofrz/1tbiDhEMclXlpnhhiAAAsm
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

The function ceph_monc_handle_map calls kfree(old) to free the old
monitor map, old points to monc->monmap. However, after that, it reads
monc->monmap->epoch and passes it to __ceph_monc_got_map. This result in
a use-after-free bug. The patch moves the free operation after the call
to __ceph_monc_got_map.

Fixes: 82dcabad750("libceph: revamp subs code, switch to SUBSCRIBE2
protocol")

Signed-off-by: Pan Bian <bianpan2016@163.com>
---
 net/ceph/mon_client.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c
index 18deb3d..05ef5aa 100644
--- a/net/ceph/mon_client.c
+++ b/net/ceph/mon_client.c
@@ -478,9 +478,10 @@ static void ceph_monc_handle_map(struct ceph_mon_client *monc,
 	}
 
 	client->monc.monmap = monmap;
-	kfree(old);
 
 	__ceph_monc_got_map(monc, CEPH_SUB_MONMAP, monc->monmap->epoch);
+	kfree(old);
+
 	client->have_fsid = true;
 
 out:
-- 
2.7.4