act_ife: fix a potential use-after-free
authorCong Wang <xiyou.wangcong@gmail.com>
Mon, 3 Sep 2018 18:08:15 +0000 (11:08 -0700)
committerDavid S. Miller <davem@davemloft.net>
Tue, 4 Sep 2018 19:18:25 +0000 (12:18 -0700)
Immediately after module_put(), user could delete this
module, so e->ops could be already freed before we call
e->ops->release().

Fix this by moving module_put() after ops->release().

Fixes: ef6980b6becb ("introduce IFE action")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sched/act_ife.c

index 196430aefe87a355a9a237ef7184fa2a4830a3a3..fc412769a1bef07ea0c7df955d0613b2e8359696 100644 (file)
@@ -400,7 +400,6 @@ static void _tcf_ife_cleanup(struct tc_action *a)
        struct tcf_meta_info *e, *n;
 
        list_for_each_entry_safe(e, n, &ife->metalist, metalist) {
-               module_put(e->ops->owner);
                list_del(&e->metalist);
                if (e->metaval) {
                        if (e->ops->release)
@@ -408,6 +407,7 @@ static void _tcf_ife_cleanup(struct tc_action *a)
                        else
                                kfree(e->metaval);
                }
+               module_put(e->ops->owner);
                kfree(e);
        }
 }