On Wed, Apr 11, 2018 at 11:12:54AM -0400, David Miller wrote:
From: David Ahern dsahern@gmail.com Date: Wed, 11 Apr 2018 08:10:03 -0700
[ upstream commit 82dd0d2a9a76fc8fa2b18d80b987d455728bf83a ]
Miguel reported an skb use after free / double free in vrf_finish_output when neigh_output returns an error. The vrf driver should return after the call to neigh_output as it takes over the skb on error path as well.
Patch is a simplified version of Miguel's patch which was written for 4.9, and updated to top of tree.
Fixes: 8f58336d3f78a ("net: Add ethernet header for pass through VRF device") Signed-off-by: Miguel Fadon Perlines mfadon@teldat.com Signed-off-by: David Ahern dsahern@gmail.com Signed-off-by: David S. Miller davem@davemloft.net [ backport to 4.4 and 4.9 dropped the sock_confirm_neigh and changed neigh_output to dst_neigh_output ]
note to stable: this patch applies to both 4.9 and 4.4 (the latter has an offset but still applies cleanly
Stable folks, please queue this up.
Now applied, thanks!
greg k-h