From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Mon, 3 Sep 2018 18:08:15 +0000 (-0700)
Subject: act_ife: fix a potential use-after-free
X-Git-Tag: v4.18.8~197
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f5c34c4a092efd3aba7f0573d207a1aab28ec2c4;p=thirdparty%2Fkernel%2Fstable.git

act_ife: fix a potential use-after-free

[ Upstream commit 6d784f1625ea68783cc1fb17de8f6cd3e1660c3f ]

Immediately after module_put(), user could delete this
module, so e->ops could be already freed before we call
e->ops->release().

Fix this by moving module_put() after ops->release().

Fixes: ef6980b6becb ("introduce IFE action")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c
index 20d7d36b2fc9b..201e599baed95 100644
--- a/net/sched/act_ife.c
+++ b/net/sched/act_ife.c
@@ -393,7 +393,6 @@ static void _tcf_ife_cleanup(struct tc_action *a)
 	struct tcf_meta_info *e, *n;
 
 	list_for_each_entry_safe(e, n, &ife->metalist, metalist) {
-		module_put(e->ops->owner);
 		list_del(&e->metalist);
 		if (e->metaval) {
 			if (e->ops->release)
@@ -401,6 +400,7 @@ static void _tcf_ife_cleanup(struct tc_action *a)
 			else
 				kfree(e->metaval);
 		}
+		module_put(e->ops->owner);
 		kfree(e);
 	}
 }