Date: Wed, 11 Apr 2018 19:50:42 +0200
From: Greg KH
To: David Miller
Cc: dsahern@gmail.com, stable@vger.kernel.org, mfadon@teldat.com
Subject: Re: [PATCH] vrf: Fix use after free and double free in vrf_finish_output
Message-ID: <20180411175042.GA21729@kroah.com>

On Wed, Apr 11, 2018 at 11:12:54AM -0400, David Miller wrote:
> From: David Ahern
> Date: Wed, 11 Apr 2018 08:10:03 -0700
>
> > [ upstream commit 82dd0d2a9a76fc8fa2b18d80b987d455728bf83a ]
> >
> > Miguel reported an skb use after free / double free in vrf_finish_output
> > when neigh_output returns an error. The vrf driver should return after
> > the call to neigh_output as it takes over the skb on error path as well.
> >
> > Patch is a simplified version of Miguel's patch which was written for 4.9,
> > and updated to top of tree.
> >
> > Fixes: 8f58336d3f78a ("net: Add ethernet header for pass through VRF device")
> > Signed-off-by: Miguel Fadon Perlines
> > Signed-off-by: David Ahern
> > Signed-off-by: David S. Miller
> > [ backport to 4.4 and 4.9 dropped the sock_confirm_neigh and
> >   changed neigh_output to dst_neigh_output ]
> > ---
> > note to stable: this patch applies to both 4.9 and 4.4 (the latter
> > has an offset but still applies cleanly
>
> Stable folks, please queue this up.

Now applied, thanks!

greg k-h
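
The ownership rule from the quoted commit message, as an added user-space model that is not part of this thread or of the kernel source: a callee that consumes the buffer on every path, a caller that still cleans up on error, and the same caller returning right after the call. All names (`model_skb`, `model_neigh_output`, `finish_output_before`, `finish_output_after`) are hypothetical, and a free counter stands in for the real free so the double free shows up as a count instead of heap corruption.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-in for an skb: counts frees instead of releasing memory,
 * so a double free is observable without corrupting the heap. */
struct model_skb { int frees; };

static void model_kfree_skb(struct model_skb *skb) { skb->frees++; }

/* Hypothetical model of the neighbour output call: it takes over the skb
 * as soon as it is called, on the error path as well as on success. */
static int model_neigh_output(struct model_skb *skb, int fail)
{
    model_kfree_skb(skb);       /* consumed on success and on error alike */
    return fail ? -EINVAL : 0;
}

/* Pre-fix shape (assumed for illustration): an error from the callee falls
 * through to the caller's own cleanup of a buffer it no longer owns. */
static int finish_output_before(struct model_skb *skb, int fail)
{
    int ret = model_neigh_output(skb, fail);
    if (!ret)
        return ret;
    model_kfree_skb(skb);       /* second free of the same skb */
    return -EINVAL;
}

/* Post-fix shape: return right after the call, whatever it returned. */
static int finish_output_after(struct model_skb *skb, int fail)
{
    return model_neigh_output(skb, fail);
}

/* Run one variant on a fresh buffer and report how many times it was freed. */
static int frees_for(int (*fn)(struct model_skb *, int), int fail)
{
    struct model_skb skb = { 0 };
    fn(&skb, fail);
    return skb.frees;
}

int main(void)
{
    printf("before, error path: %d frees\n", frees_for(finish_output_before, 1));
    printf("after,  error path: %d frees\n", frees_for(finish_output_after, 1));
    return 0;
}
```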