Received: by 10.192.165.156 with SMTP id m28csp1090475imm;
        Wed, 11 Apr 2018 12:13:24 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4+uGVqt1MQ6YTeh/0wAwCjn6VAE+EyEu+x0NhxhCCkZf25anDRkpJWzCRh20cBglmcoJguJ
X-Received: by 10.101.66.70 with SMTP id d6mr4328842pgq.234.1523474004679;
        Wed, 11 Apr 2018 12:13:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523474004; cv=none;
        d=google.com; s=arc-20160816;
        b=RgX8uttty5QrzXgM5aqTHOIku/+sJ9FsBxtmsZdyLZzhxHPpynNElZybFypUh64dmH
         86LxZ2384tvUQY8SQ08DazBitHJfjrba7+/GE63DIEAiA8iFosOCMBEUKjZHU/MCGDLP
         RnS4lGsXCqc3OJ6NgrZ/UrocMpLo+KKZSbfpMHlube4aWE0h2XshmHYehdni3T0Yl6J6
         QGVB10+LHiW0nX7th/oI7Rquj9dbqBbUa82xKq6eTTgvy7A3Udz36HExG5u9ECJIuvGU
         wq5Xa76EsZPmagaW++8na7WuI7XksdkjFVd/eQC1oR5jpQxp3kI6XHLrSZM3zZvdRO3Q
         Hd4w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=1FO41nlChwpdBAxxhkQG8li8Flfa95FLxeaaAUJ7HtI=;
        b=Bqwj4asdkQ2uNcyl1wkAmhBCbTSJ7yoOzobwGiBES1d2etiG8t7C89m8NF4TWdBEIc
         6XunFRE2UdwvFhgQ6ZpikR7c2V+krXPhehJPg9WNIy8A15XHElfuMyOyP7tLi4Ox8UDB
         YkAcQiAit7CYTwGRNdVX44n2jhlg7sC89PlHYqLtYiBxx1R33wpd7cqzsy6HSm2Uief9
         etrBrlzXVixIVRmfuM50A2CqOGxVJV+QnLZ74XphT5oKUiM0ewBpOQoiNJeZIypMjNvw
         y5z2nQqPsQ2Xb5HJbKIrmSs7UEykf/HE3xx4Iw9s+J9nZz424iHsnrZ+KaYvb7Wo2eA7
         AmPg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e5-v6si1820143plk.730.2018.04.11.12.12.48;
        Wed, 11 Apr 2018 12:13:24 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1756849AbeDKTIw (ORCPT <rfc822;ablacktshirt@gmail.com>
        + 99 others); Wed, 11 Apr 2018 15:08:52 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:40926 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S935306AbeDKTGt (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 11 Apr 2018 15:06:49 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 25EBBD3F;
        Wed, 11 Apr 2018 19:06:49 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Miguel Fadon Perlines <mfadon@teldat.com>,
        David Ahern <dsahern@gmail.com>,
        "David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 310/310] vrf: Fix use after free and double free in vrf_finish_output
Date:   Wed, 11 Apr 2018 20:37:29 +0200
Message-Id: <20180411183635.987200356@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180411183622.305902791@linuxfoundation.org>
References: <20180411183622.305902791@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Ahern <dsahern@gmail.com>

commit 82dd0d2a9a76fc8fa2b18d80b987d455728bf83a upstream.

Miguel reported an skb use after free / double free in vrf_finish_output
when neigh_output returns an error. The vrf driver should return after
the call to neigh_output as it takes over the skb on error path as well.

Patch is a simplified version of Miguel's patch which was written for 4.9,
and updated to top of tree.

Fixes: 8f58336d3f78a ("net: Add ethernet header for pass through VRF device")
Signed-off-by: Miguel Fadon Perlines <mfadon@teldat.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ backport to 4.4 and 4.9 dropped the sock_confirm_neigh and
  changed neigh_output to dst_neigh_output ]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/vrf.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
@@ -585,13 +585,15 @@ static int vrf_finish_output(struct net
 	neigh = __ipv4_neigh_lookup_noref(dev, nexthop);
 	if (unlikely(!neigh))
 		neigh = __neigh_create(&arp_tbl, &nexthop, dev, false);
-	if (!IS_ERR(neigh))
+	if (!IS_ERR(neigh)) {
 		ret = dst_neigh_output(dst, neigh, skb);
+		rcu_read_unlock_bh();
+		return ret;
+	}
 
 	rcu_read_unlock_bh();
 err:
-	if (unlikely(ret < 0))
-		vrf_tx_error(skb->dev, skb);
+	vrf_tx_error(skb->dev, skb);
 	return ret;
 }