From: David Ahern <dsahern@xxxxxxxxx>
Date: Wed, 11 Apr 2018 08:10:03 -0700
> [ upstream commit 82dd0d2a9a76fc8fa2b18d80b987d455728bf83a ]
>
> Miguel reported an skb use after free / double free in vrf_finish_output
> when neigh_output returns an error. The vrf driver should return after
> the call to neigh_output as it takes over the skb on error path as well.
>
> Patch is a simplified version of Miguel's patch which was written for 4.9,
> and updated to top of tree.
>
> Fixes: 8f58336d3f78a ("net: Add ethernet header for pass through VRF device")
> Signed-off-by: Miguel Fadon Perlines <mfadon@xxxxxxxxxx>
> Signed-off-by: David Ahern <dsahern@xxxxxxxxx>
> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
> [ backport to 4.4 and 4.9 dropped the sock_confirm_neigh and
> changed neigh_output to dst_neigh_output ]
> ---
> note to stable: this patch applies to both 4.9 and 4.4 (the latter
> has an offset but still applies cleanly
Stable folks, please queue this up.