From: Jakub Sitnicki Date: Wed, 21 Aug 2019 12:17:20 +0000 (+0200) Subject: flow_dissector: Fix potential use-after-free on BPF_PROG_DETACH X-Git-Tag: v5.2.17~62 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=5e0251d82954b488c652befe3f330bacfe0fadce;p=users%2Fdwmw2%2Flinux.git flow_dissector: Fix potential use-after-free on BPF_PROG_DETACH [ Upstream commit db38de39684dda2bf307f41797db2831deba64e9 ] Call to bpf_prog_put(), with help of call_rcu(), queues an RCU-callback to free the program once a grace period has elapsed. The callback can run together with new RCU readers that started after the last grace period. New RCU readers can potentially see the "old" to-be-freed or already-freed pointer to the program object before the RCU update-side NULLs it. Reorder the operations so that the RCU update-side resets the protected pointer before the end of the grace period after which the program will be freed. Fixes: d58e468b1112 ("flow_dissector: implements flow dissector BPF hook") Reported-by: Lorenz Bauer Signed-off-by: Jakub Sitnicki Acked-by: Petar Penkov Signed-off-by: Daniel Borkmann Signed-off-by: Sasha Levin --- diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c index edd622956083d..b15c0c0f6e557 100644 --- a/net/core/flow_dissector.c +++ b/net/core/flow_dissector.c @@ -138,8 +138,8 @@ int skb_flow_dissector_bpf_prog_detach(const union bpf_attr *attr) mutex_unlock(&flow_dissector_mutex); return -ENOENT; } - bpf_prog_put(attached); RCU_INIT_POINTER(net->flow_dissector_prog, NULL); + bpf_prog_put(attached); mutex_unlock(&flow_dissector_mutex); return 0; }
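Review bot: the reorder in skb_flow_dissector_bpf_prog_detach() is the right fix, and keeping RCU_INIT_POINTER() rather than rcu_assign_pointer() is acceptable here because the value being published is NULL, so no publish barrier is needed. The correctness argument is that bpf_prog_put() only schedules the free via call_rcu(), so once the NULL store precedes it, any reader that can still observe `attached` through rcu_dereference() started before the grace period and finishes before the callback runs. Two follow-ups worth checking: that the attach path, when it replaces an already-attached program, uses the same order (swap the pointer first, then put the old program), and that a one-line comment above `RCU_INIT_POINTER(net->flow_dissector_prog, NULL);` records why the put must come after it, since the two statements look order-independent to a casual reader and the bug could easily be reintroduced.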