This is a note to let you know that I've just added the patch titled
team: Fix double free in error path
to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git%3Ba=su...
The filename of the patch is: team-fix-double-free-in-error-path.patch and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree, please let stable@vger.kernel.org know about it.
From foo@baz Wed Mar 28 18:38:30 CEST 2018
From: Arkadi Sharshevsky arkadis@mellanox.com Date: Thu, 8 Mar 2018 12:42:10 +0200 Subject: team: Fix double free in error path
From: Arkadi Sharshevsky arkadis@mellanox.com
[ Upstream commit cbcc607e18422555db569b593608aec26111cb0b ]
The __send_and_alloc_skb() receives a skb ptr as a parameter but in case it fails the skb is not valid: - Send failed and released the skb internally. - Allocation failed.
The current code tries to release the skb in case of failure which causes redundant freeing.
Fixes: 9b00cf2d1024 ("team: implement multipart netlink messages for options transfers") Signed-off-by: Arkadi Sharshevsky arkadis@mellanox.com Acked-by: Jiri Pirko jiri@mellanox.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/net/team/team.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/team/team.c +++ b/drivers/net/team/team.c @@ -2394,7 +2394,7 @@ send_done: if (!nlh) { err = __send_and_alloc_skb(&skb, team, portid, send_func); if (err) - goto errout; + return err; goto send_done; }
@@ -2680,7 +2680,7 @@ send_done: if (!nlh) { err = __send_and_alloc_skb(&skb, team, portid, send_func); if (err) - goto errout; + return err; goto send_done; }
Patches currently in stable-queue which might be from arkadis@mellanox.com are
queue-4.14/devlink-remove-redundant-free-on-error-path.patch queue-4.14/team-fix-double-free-in-error-path.patch