Commit 3cd16d87 authored by YueHaibing's avatar YueHaibing Committed by Xie XiuQi
Browse files

ipvs: Fix use-after-free in ip_vs_in 



hulk inclusion
category: bugfix
bugzilla: 15741
CVE: NA

-------------------------------------------------

while unregistering ipvs module, ops_free_list calls
nf_unregister_net_hooks to do cleanup ipvs resource,
it need a RCU period. Howerver ip_vs_in is still hooked
the LOCALOUT chain, which dereference freed ipvs pointer
triggers use-after-free.

Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
Reviewed-by: default avatarMao Wenan <maowenan@huawei.com>
Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
parent cf7ea3bc

net/netfilter/ipvs/ip_vs_core.c

+1 −0
Original line number Diff line number Diff line
@@ -2288,6 +2288,7 @@ static void __net_exit __ip_vs_cleanup(struct net *net) 
	ip_vs_control_net_cleanup(ipvs);

	ip_vs_estimator_net_cleanup(ipvs);

	IP_VS_DBG(2, "ipvs netns %d released\n", ipvs->gen);

	rcu_barrier();

	net->ipvs = NULL;

}