Re: [Patch net] act_ife: fix a potential use-after-free

[David Miller]

From: Cong Wang 
Date: Mon,  3 Sep 2018 11:08:15 -0700

> Immediately after module_put(), user could delete this
> module, so e->ops could be already freed before we call
> e->ops->release().
> 
> Fix this by moving module_put() after ops->release().
> 
> Fixes: ef6980b6becb ("introduce IFE action")
> Signed-off-by: Cong Wang 

Applied and queued up for -stable, thanks Cong.

[Patch net] act_ife: fix a potential use-after-free

[Cong Wang]

Immediately after module_put(), user could delete this
module, so e->ops could be already freed before we call
e->ops->release().

Fix this by moving module_put() after ops->release().

Fixes: ef6980b6becb ("introduce IFE action")
Cc: Jamal Hadi Salim 
Signed-off-by: Cong Wang 
---
 net/sched/act_ife.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c
index 196430aefe87..fc412769a1be 100644
--- a/net/sched/act_ife.c
+++ b/net/sched/act_ife.c
@@ -400,7 +400,6 @@ static void _tcf_ife_cleanup(struct tc_action *a)
struct tcf_meta_info *e, *n;
 
list_for_each_entry_safe(e, n, &ife->metalist, metalist) {
-   module_put(e->ops->owner);
list_del(&e->metalist);
if (e->metaval) {
if (e->ops->release)
@@ -408,6 +407,7 @@ static void _tcf_ife_cleanup(struct tc_action *a)
else
kfree(e->metaval);
}
+   module_put(e->ops->owner);
kfree(e);
}
 }
-- 
2.14.4