Commit 61adedf3 ("route: move lwtunnel state to dst_entry") is trying to
release lwstate after getting rid of dst, which causes a use-after-free
trying to access dst->lwstate.
Fixes: 61adedf3 ("route: move lwtunnel state to dst_entry")
Signed-off-by: Sasha Levin <[email protected]>
---
net/core/dst.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/core/dst.c b/net/core/dst.c
index 50dcdbb..477035e 100644
--- a/net/core/dst.c
+++ b/net/core/dst.c
@@ -262,11 +262,12 @@ again:
if (dst->dev)
dev_put(dst->dev);
+ lwtstate_put(dst->lwtstate);
+
if (dst->flags & DST_METADATA)
kfree(dst);
else
kmem_cache_free(dst->ops->kmem_cachep, dst);
- lwtstate_put(dst->lwtstate);
dst = child;
if (dst) {
--
1.7.10.4
On 08/25/15 at 02:25pm, Sasha Levin wrote:
> Commit 61adedf3 ("route: move lwtunnel state to dst_entry") is trying to
> release lwstate after getting rid of dst, which causes a use-after-free
> trying to access dst->lwstate.
>
> Fixes: 61adedf3 ("route: move lwtunnel state to dst_entry")
> Signed-off-by: Sasha Levin <[email protected]>
Acked-by: Thomas Graf <[email protected]>
On Tue, 25 Aug 2015 14:25:14 -0400, Sasha Levin wrote:
> Commit 61adedf3 ("route: move lwtunnel state to dst_entry") is trying to
> release lwstate after getting rid of dst, which causes a use-after-free
> trying to access dst->lwstate.
>
> Fixes: 61adedf3 ("route: move lwtunnel state to dst_entry")
> Signed-off-by: Sasha Levin <[email protected]>
Already fixed by e252b3d1a174 in net-next.
Jiri
--
Jiri Benc