From ac18be4b2bba3b3a0e76c5f3695c8a508f8c2b22 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 11 Apr 2018 19:49:42 +0200
Subject: [PATCH] 4.4-stable patches

added patches:
 vrf-fix-use-after-free-and-double-free-in-vrf_finish_output.patch
---
 queue-4.4/series | 1 +
 ...and-double-free-in-vrf_finish_output.patch | 49 +++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 queue-4.4/vrf-fix-use-after-free-and-double-free-in-vrf_finish_output.patch

diff --git a/queue-4.4/series b/queue-4.4/series
index 9ccc9b6ed2d..e4d0984fbde 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -187,3 +187,4 @@ r8169-fix-setting-driver_data-after-register_netdev.patch
 net-sched-actions-fix-dumping-which-requires-several-messages-to-user-space.patch
 net-ipv6-increment-outxxx-counters-after-netfilter-hook.patch
 ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch
+vrf-fix-use-after-free-and-double-free-in-vrf_finish_output.patch
diff --git a/queue-4.4/vrf-fix-use-after-free-and-double-free-in-vrf_finish_output.patch b/queue-4.4/vrf-fix-use-after-free-and-double-free-in-vrf_finish_output.patch
new file mode 100644
index 00000000000..5c14d47a404
--- /dev/null
+++ b/queue-4.4/vrf-fix-use-after-free-and-double-free-in-vrf_finish_output.patch
@@ -0,0 +1,49 @@
+From 82dd0d2a9a76fc8fa2b18d80b987d455728bf83a Mon Sep 17 00:00:00 2001
+From: David Ahern
+Date: Thu, 29 Mar 2018 12:49:52 -0700
+Subject: vrf: Fix use after free and double free in vrf_finish_output
+
+From: David Ahern
+
+commit 82dd0d2a9a76fc8fa2b18d80b987d455728bf83a upstream.
+
+Miguel reported an skb use after free / double free in vrf_finish_output
+when neigh_output returns an error. The vrf driver should return after
+the call to neigh_output as it takes over the skb on error path as well.
+
+Patch is a simplified version of Miguel's patch which was written for 4.9,
+and updated to top of tree.
+
+Fixes: 8f58336d3f78a ("net: Add ethernet header for pass through VRF device")
+Signed-off-by: Miguel Fadon Perlines
+Signed-off-by: David Ahern
+Signed-off-by: David S. Miller
+[ backport to 4.4 and 4.9 dropped the sock_confirm_neigh and
+ changed neigh_output to dst_neigh_output ]
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/vrf.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -550,13 +550,15 @@ static int vrf_finish_output(struct net
+ neigh = __ipv4_neigh_lookup_noref(dev, nexthop);
+ if (unlikely(!neigh))
+ neigh = __neigh_create(&arp_tbl, &nexthop, dev, false);
+- if (!IS_ERR(neigh))
++ if (!IS_ERR(neigh)) {
+ ret = dst_neigh_output(dst, neigh, skb);
++ rcu_read_unlock_bh();
++ return ret;
++ }
+
+ rcu_read_unlock_bh();
+ err:
+- if (unlikely(ret < 0))
+- vrf_tx_error(skb->dev, skb);
++ vrf_tx_error(skb->dev, skb);
+ return ret;
+ }
+
-- 
2.47.3
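Review bot: The new early return in the `if (!IS_ERR(neigh))` branch of vrf_finish_output has no comment recording the skb ownership rule it depends on, which makes it easy to undo in a later backport or refactor. Per the commit message, the output call takes over the skb on its error path as well, so falling through to `err:` would hand vrf_tx_error() an skb that may already be freed. I would add above the call `/* dst_neigh_output() consumes skb on success and on error; do not touch skb after this */`. Because vrf_tx_error() is now unconditional at `err:`, every path reaching the label must carry a negative `ret`; the visible lines do not assign `ret` when `__neigh_create()` fails, so the returned code presumably comes from an initialiser outside the hunk, which is worth confirming or making explicit with `ret = PTR_ERR(neigh);`. The function body starts outside the hunk.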