act_ife: fix a potential use-after-free

[ Upstream commit 6d784f16 ] Immediately after module_put(), user could delete this module, so e->ops could be already freed before we call e->ops->release(). Fix this by moving module_put() after ops->release(). Fixes: ef6980b6 ("introduce IFE action") Cc: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

act_ife: fix a potential use-after-free
[ Upstream commit 6d784f16 ] Immediately after module_put(), user could delete this module, so e->ops could be already freed before we call e->ops->release(). Fix this by moving module_put() after ops->release(). Fixes: ef6980b6 ("introduce IFE action") Cc: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
4fb15ff1 · Cong Wang · Greg Kroah-Hartman · bc71f393 · 4fb15ff1
Commit 4fb15ff1 authored Sep 03, 2018 by Cong Wang Committed by Greg Kroah-Hartman Sep 15, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

net/sched/act_ife.c net/sched/act_ife.c +1 -1

No files found.
--- a/net/sched/act_ife.c
+++ b/net/sched/act_ife.c
@@ -395,7 +395,6 @@ static void _tcf_ife_cleanup(struct tc_action *a, int bind)
 	struct tcf_meta_info *e, *n;

 	list_for_each_entry_safe(e, n, &ife->metalist, metalist) {
-		module_put(e->ops->owner);
 		list_del(&e->metalist);
 		if (e->metaval) {
 			if (e->ops->release)
@@ -403,6 +402,7 @@ static void _tcf_ife_cleanup(struct tc_action *a, int bind)
 			else
 				kfree(e->metaval);
 		}
+		module_put(e->ops->owner);
 		kfree(e);
 	}
 }