From 3cd16d87d28fa243d390c9cc1820ff41fb4e5119 Mon Sep 17 00:00:00 2001
From: YueHaibing <yuehaibing@huawei.com>
Date: Sun, 12 May 2019 18:24:28 +0800
Subject: [PATCH] ipvs: Fix use-after-free in ip_vs_in

hulk inclusion
category: bugfix
bugzilla: 15741
CVE: NA

-------------------------------------------------

while unregistering ipvs module, ops_free_list calls
nf_unregister_net_hooks to do cleanup ipvs resource,
it need a RCU period. Howerver ip_vs_in is still hooked
the LOCALOUT chain, which dereference freed ipvs pointer
triggers use-after-free.

Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Reviewed-by: Mao Wenan <maowenan@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 net/netfilter/ipvs/ip_vs_core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 3f963ea22277..2f5850295d62 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -2288,6 +2288,7 @@ static void __net_exit __ip_vs_cleanup(struct net *net)
 	ip_vs_control_net_cleanup(ipvs);
 	ip_vs_estimator_net_cleanup(ipvs);
 	IP_VS_DBG(2, "ipvs netns %d released\n", ipvs->gen);
+	rcu_barrier();
 	net->ipvs = NULL;
 }
 
-- 
GitLab