From patchwork Tue Apr 2 06:53:14 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 1073960 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=oracle.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=oracle.com header.i=@oracle.com header.b="v4EHr1g6"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 44YKgF20Ptz9sSG for ; Tue, 2 Apr 2019 17:53:45 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729190AbfDBGxo (ORCPT ); Tue, 2 Apr 2019 02:53:44 -0400 Received: from userp2120.oracle.com ([156.151.31.85]:36690 "EHLO userp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726582AbfDBGxn (ORCPT ); Tue, 2 Apr 2019 02:53:43 -0400 Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x326mqZN164145; Tue, 2 Apr 2019 06:53:28 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : mime-version : content-type; s=corp-2018-07-02; bh=rOdUUjOe42WqAyJzSpywfSkoroe17YvwuBf3L4wkSSo=; b=v4EHr1g6r7JLkMZWIHTZs6dD4wt+5FuJESz/aeI9wt1b1h5m7crxWUgaUamfwk0NbbKk yZH9i6Hfqw2dyZ1snDLiEN1neJqXkUKHRhLLgBBG0TlAgKHRD4E8W5r0rm8MGBM6lemG eKeIDpZkkSwvb5hou5hLEweVxDGRXPW58IkB0b0EdDp14j5HF3L///VCj+ZlgJT3m8kx Z6dLU79KWaoD6lF/vaw8+xoRO6NEINxAbDMUGci3evRRdWCK9kkPIC3wCviz8yI6QM5t T9IK0pNbNU2PVvyXqiGtdE0pXz8RHplRXoNijV3PDKCf2m/rxnwGEgNljE9gYN2BwH5C Aw== Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp2120.oracle.com with ESMTP id 2rj13q31xa-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 02 Apr 2019 06:53:28 +0000 Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id x326rSbL002818 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 2 Apr 2019 06:53:28 GMT Received: from abhmp0010.oracle.com (abhmp0010.oracle.com [141.146.116.16]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id x326rMrg014414; Tue, 2 Apr 2019 06:53:23 GMT Received: from kadam (/41.202.241.37) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 01 Apr 2019 23:53:22 -0700 Date: Tue, 2 Apr 2019 09:53:14 +0300 From: Dan Carpenter To: Pravin B Shelar , Yi-Hung Wei Cc: "David S. Miller" , netdev@vger.kernel.org, dev@openvswitch.org, kernel-janitors@vger.kernel.org Subject: [PATCH net-next] openvswitch: use after free in __ovs_ct_free_action() Message-ID: <20190402065314.GA14444@kadam> MIME-Version: 1.0 Content-Disposition: inline X-Mailer: git-send-email haha only kidding User-Agent: Mutt/1.9.4 (2018-02-28) X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9214 signatures=668685 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=2 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904020050 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org We free "ct_info->ct" and then use it on the next line when we pass it to nf_ct_destroy_timeout(). This patch swaps the order to avoid the use after free. Fixes: 06bd2bdf19d2 ("openvswitch: Add timeout support to ct action") Signed-off-by: Dan Carpenter Acked-by: Yi-Hung Wei --- net/openvswitch/conntrack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 121b01d4a3c0..0be3ab5bde26 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -1804,9 +1804,9 @@ static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info) if (ct_info->helper) nf_conntrack_helper_put(ct_info->helper); if (ct_info->ct) { - nf_ct_tmpl_free(ct_info->ct); if (ct_info->timeout[0]) nf_ct_destroy_timeout(ct_info->ct); + nf_ct_tmpl_free(ct_info->ct); } }