net: ipv6: fix use after free of struct seg6_pernet_data

sdata->tun_src should be freed before sdata is freed
because sdata->tun_src is allocated after sdata allocation.
So, kfree(sdata) and kfree(rcu_dereference_raw(sdata->tun_src)) are
changed code order.

Fixes: f04ed7d277e8 ("net: ipv6: check return value of rhashtable_init")
Signed-off-by: MichelleJin <shjy180909@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c
index 65744f2d38da3507232046ab44afeca38452a8cb..5daa1c3ed83ba87d847db6e42878603824a84ed5 100644 (file)
--- a/net/ipv6/seg6.c
+++ b/net/ipv6/seg6.c
@@ -375,8 +375,8 @@ static int __net_init seg6_net_init(struct net *net)
 
 #ifdef CONFIG_IPV6_SEG6_HMAC
        if (seg6_hmac_net_init(net)) {
-               kfree(sdata);
                kfree(rcu_dereference_raw(sdata->tun_src));
+               kfree(sdata);
                return -ENOMEM;
        };
 #endif