[PATCH 3.16 199/305] netfilter: nf_tables: fix use-after-free when deleting compat expressions

3.16.63-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Florian Westphal fw@strlen.de

commit 29e3880109e357fdc607b4393f8308cef6af9413 upstream.

nft_compat ops do not have static storage duration, unlike all other expressions.

When nf_tables_expr_destroy() returns, expr->ops might have been free'd already, so we need to store next address before calling expression destructor.

For same reason, we can't deref match pointer after nft_xt_put().

This can be easily reproduced by adding msleep() before nft_match_destroy() returns.

Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables") Reported-by: Pablo Neira Ayuso pablo@netfilter.org Signed-off-by: Florian Westphal fw@strlen.de Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/netfilter/nf_tables_api.c | 5 +++-- net/netfilter/nft_compat.c | 3 ++- 2 files changed, 5 insertions(+), 3 deletions(-)

--- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -1682,7 +1682,7 @@ err: static void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule) { - struct nft_expr *expr; + struct nft_expr *expr, *next;

/* * Careful: some expressions might not be initialized in case this @@ -1690,8 +1690,9 @@ static void nf_tables_rule_destroy(const */ expr = nft_expr_first(rule); while (expr != nft_expr_last(rule) && expr->ops) { + next = nft_expr_next(expr); nf_tables_expr_destroy(ctx, expr); - expr = nft_expr_next(expr); + expr = next; } kfree(rule); } --- a/net/netfilter/nft_compat.c +++ b/net/netfilter/nft_compat.c @@ -398,6 +398,7 @@ nft_match_destroy(const struct nft_ctx * { struct xt_match *match = expr->ops->data; void *info = nft_expr_priv(expr); + struct module *me = match->me; struct xt_mtdtor_param par;

par.net = ctx->net; @@ -407,7 +408,7 @@ nft_match_destroy(const struct nft_ctx * if (par.match->destroy != NULL) par.match->destroy(&par);

- module_put(match->me); + module_put(me); }

static int