Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4fb15ff1 authored by Cong Wang's avatar Cong Wang Committed by Greg Kroah-Hartman
Browse files

act_ife: fix a potential use-after-free 



[ Upstream commit 6d784f1625ea68783cc1fb17de8f6cd3e1660c3f ]

Immediately after module_put(), user could delete this
module, so e->ops could be already freed before we call
e->ops->release().

Fix this by moving module_put() after ops->release().

Fixes: ef6980b6 ("introduce IFE action")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent bc71f393

net/sched/act_ife.c

+1 −1
Original line number Diff line number Diff line
@@ -395,7 +395,6 @@ static void _tcf_ife_cleanup(struct tc_action *a, int bind) 
	struct tcf_meta_info *e, *n;



	list_for_each_entry_safe(e, n, &ife->metalist, metalist) {

		module_put(e->ops->owner);

		list_del(&e->metalist);

		if (e->metaval) {

			if (e->ops->release)
@@ -403,6 +402,7 @@ static void _tcf_ife_cleanup(struct tc_action *a, int bind) 
			else

				kfree(e->metaval);

		}

		module_put(e->ops->owner);

		kfree(e);

	}

}