net: Prevent use after free in netif_napi_set_irq_locked()

The cpu_rmap_put() will call kfree() when the last reference is dropped
so it could result in a use after free when we dereference the same
pointer the next line.  Move the cpu_rmap_put() after the dereference.

Fixes: bd7c00605ee0 ("net: move aRFS rmap management and CPU affinity to core")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/5a9c53a4-5487-4b8c-9ffa-d8e5343aaaaf@stanley.mountain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/core/dev.c b/net/core/dev.c
index 5c9d2bd29e156ab7f4f54fe09afc2a7082af2082..2dc705604509eb780129ccf75b1bf65ebeeb153e 100644 (file)
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -7072,8 +7072,8 @@ void netif_napi_set_irq_locked(struct napi_struct *napi, int irq)
 put_rmap:
 #ifdef CONFIG_RFS_ACCEL
        if (napi->dev->rx_cpu_rmap_auto) {
-               cpu_rmap_put(napi->dev->rx_cpu_rmap);
                napi->dev->rx_cpu_rmap->obj[napi->napi_rmap_idx] = NULL;
+               cpu_rmap_put(napi->dev->rx_cpu_rmap);
                napi->napi_rmap_idx = -1;
        }
 #endif