[PATCH 4.18 001/197] act_ife: fix a potential use-after-free

From: Greg Kroah-Hartman
Date: Thu Sep 13 2018 - 09:50:20 EST


4.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Cong Wang <xiyou.wangcong@xxxxxxxxx>

[ Upstream commit 6d784f1625ea68783cc1fb17de8f6cd3e1660c3f ]

Immediately after module_put(), user could delete this
module, so e->ops could be already freed before we call
e->ops->release().

Fix this by moving module_put() after ops->release().

Fixes: ef6980b6becb ("introduce IFE action")
Cc: Jamal Hadi Salim <jhs@xxxxxxxxxxxx>
Signed-off-by: Cong Wang <xiyou.wangcong@xxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/sched/act_ife.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sched/act_ife.c
+++ b/net/sched/act_ife.c
@@ -393,7 +393,6 @@ static void _tcf_ife_cleanup(struct tc_a
struct tcf_meta_info *e, *n;

list_for_each_entry_safe(e, n, &ife->metalist, metalist) {
- module_put(e->ops->owner);
list_del(&e->metalist);
if (e->metaval) {
if (e->ops->release)
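Review bot: with the put no longer the first statement of the loop body in _tcf_ife_cleanup(), any `continue` or early exit later added between list_del() and the end of the iteration would skip the put and leak the module reference. The visible body has no such exit today, so this is a maintenance hazard rather than a bug; a short comment at the top of the loop saying the reference on e->ops->owner is dropped at the end of the iteration would guard against it. Holding the reference across the `if (e->ops->release)` test is what makes that e->ops dereference safe.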
@@ -401,6 +400,7 @@ static void _tcf_ife_cleanup(struct tc_a
else
kfree(e->metaval);
}
+ module_put(e->ops->owner);
kfree(e);
}
}
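Review bot: the new module_put(e->ops->owner) just before kfree(e) carries no comment saying why it must stay after the release call, and that ordering is the entire fix. Suggest a one-line comment above it, for example `/* drop the module ref only after the last use of e->ops */`, so a later cleanup does not move it back to the top of the loop. The placement itself looks right: it sits outside the `if (e->metaval)` block, so it still runs for every entry as the old put did, and it reads e->ops->owner before kfree(e) frees the entry.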