projects / thirdparty / kernel / stable-queue.git / blame
| Commit | Line | Data |
|---|---|---|
| 1d0a9062 GKH |
1 | From foo@baz Tue Apr 10 23:19:36 CEST 2018 |
| 2 | From: David Ahern <dsahern@gmail.com> | |
| 3 | Date: Thu, 29 Mar 2018 12:49:52 -0700 | |
| 4 | Subject: vrf: Fix use after free and double free in vrf_finish_output | |
| 5 | ||
| 6 | From: David Ahern <dsahern@gmail.com> | |
| 7 | ||
| 8 | ||
| 9 | [ Upstream commit 82dd0d2a9a76fc8fa2b18d80b987d455728bf83a ] | |
| 10 | ||
| 11 | Miguel reported an skb use after free / double free in vrf_finish_output | |
| 12 | when neigh_output returns an error. The vrf driver should return after | |
| 13 | the call to neigh_output as it takes over the skb on error path as well. | |
| 14 | ||
| 15 | Patch is a simplified version of Miguel's patch which was written for 4.9, | |
| 16 | and updated to top of tree. | |
| 17 | ||
| 18 | Fixes: 8f58336d3f78a ("net: Add ethernet header for pass through VRF device") | |
| 19 | Signed-off-by: Miguel Fadon Perlines <mfadon@teldat.com> | |
| 20 | Signed-off-by: David Ahern <dsahern@gmail.com> | |
| 21 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
| 22 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
| 23 | --- | |
| 24 | drivers/net/vrf.c | 5 +++-- | |
| 25 | 1 file changed, 3 insertions(+), 2 deletions(-) | |
| 26 | ||
| 27 | --- a/drivers/net/vrf.c | |
| 28 | +++ b/drivers/net/vrf.c | |
| 29 | @@ -578,12 +578,13 @@ static int vrf_finish_output(struct net | |
| 30 | if (!IS_ERR(neigh)) { | |
| 31 | sock_confirm_neigh(skb, neigh); | |
| 32 | ret = neigh_output(neigh, skb); | |
| 33 | + rcu_read_unlock_bh(); | |
| 34 | + return ret; | |
| 35 | } | |
| 36 | ||
| 37 | rcu_read_unlock_bh(); | |
| 38 | err: | |
| 39 | - if (unlikely(ret < 0)) | |
| 40 | - vrf_tx_error(skb->dev, skb); | |
| 41 | + vrf_tx_error(skb->dev, skb); | |
| 42 | return ret; | |
| 43 | } | |
| 44 |