4.4-stable patches

author Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Wed, 11 Apr 2018 17:49:42 +0000 (19:49 +0200)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Wed, 11 Apr 2018 17:49:42 +0000 (19:49 +0200)
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 11 Apr 2018 17:49:42 +0000 (19:49 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 11 Apr 2018 17:49:42 +0000 (19:49 +0200)
diff --git a/queue-4.4/series b/queue-4.4/series

index 9ccc9b6ed2d93c6b6e55bbc12b63d5681523a6bd..e4d0984fbdee024616c9c6c1f0e01d8e684e3633 100644 (file)
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -187,3 +187,4 @@ r8169-fix-setting-driver_data-after-register_netdev.patch
  net-sched-actions-fix-dumping-which-requires-several-messages-to-user-space.patch
  net-ipv6-increment-outxxx-counters-after-netfilter-hook.patch
  ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch
+vrf-fix-use-after-free-and-double-free-in-vrf_finish_output.patch
diff --git a/queue-4.4/vrf-fix-use-after-free-and-double-free-in-vrf_finish_output.patch b/queue-4.4/vrf-fix-use-after-free-and-double-free-in-vrf_finish_output.patch

new file mode 100644 (file)

index 0000000..5c14d47
--- /dev/null
+++ b/queue-4.4/vrf-fix-use-after-free-and-double-free-in-vrf_finish_output.patch
@@ -0,0 +1,49 @@
+From 82dd0d2a9a76fc8fa2b18d80b987d455728bf83a Mon Sep 17 00:00:00 2001
+From: David Ahern <dsahern@gmail.com>
+Date: Thu, 29 Mar 2018 12:49:52 -0700
+Subject: vrf: Fix use after free and double free in vrf_finish_output
+
+From: David Ahern <dsahern@gmail.com>
+
+commit 82dd0d2a9a76fc8fa2b18d80b987d455728bf83a upstream.
+
+Miguel reported an skb use after free / double free in vrf_finish_output
+when neigh_output returns an error. The vrf driver should return after
+the call to neigh_output as it takes over the skb on error path as well.
+
+Patch is a simplified version of Miguel's patch which was written for 4.9,
+and updated to top of tree.
+
+Fixes: 8f58336d3f78a ("net: Add ethernet header for pass through VRF device")
+Signed-off-by: Miguel Fadon Perlines <mfadon@teldat.com>
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[ backport to 4.4 and 4.9 dropped the sock_confirm_neigh and
+  changed neigh_output to dst_neigh_output ]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/vrf.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -550,13 +550,15 @@ static int vrf_finish_output(struct net
+       neigh = __ipv4_neigh_lookup_noref(dev, nexthop);
+       if (unlikely(!neigh))
+               neigh = __neigh_create(&arp_tbl, &nexthop, dev, false);
+-      if (!IS_ERR(neigh))
++      if (!IS_ERR(neigh)) {
+               ret = dst_neigh_output(dst, neigh, skb);
++              rcu_read_unlock_bh();
++              return ret;
++      }
+ 
+       rcu_read_unlock_bh();
+ err:
+-      if (unlikely(ret < 0))
+-              vrf_tx_error(skb->dev, skb);
++      vrf_tx_error(skb->dev, skb);
+       return ret;
+ }
+
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 11 Apr 2018 17:49:42 +0000 (19:49 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 11 Apr 2018 17:49:42 +0000 (19:49 +0200)
queue-4.4/series		patch \| blob \| blame \| history
queue-4.4/vrf-fix-use-after-free-and-double-free-in-vrf_finish_output.patch	[new file with mode: 0644]	patch \| blob