On Wed, Apr 11, 2018 at 11:12:54AM -0400, David Miller wrote:
> From: David Ahern <dsahern@xxxxxxxxx>
> Date: Wed, 11 Apr 2018 08:10:03 -0700
>
> > [ upstream commit 82dd0d2a9a76fc8fa2b18d80b987d455728bf83a ]
> >
> > Miguel reported an skb use after free / double free in vrf_finish_output
> > when neigh_output returns an error. The vrf driver should return after
> > the call to neigh_output as it takes over the skb on error path as well.
> >
> > Patch is a simplified version of Miguel's patch which was written for 4.9,
> > and updated to top of tree.
> >
> > Fixes: 8f58336d3f78a ("net: Add ethernet header for pass through VRF device")
> > Signed-off-by: Miguel Fadon Perlines <mfadon@xxxxxxxxxx>
> > Signed-off-by: David Ahern <dsahern@xxxxxxxxx>
> > Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
> > [ backport to 4.4 and 4.9 dropped the sock_confirm_neigh and
> >   changed neigh_output to dst_neigh_output ]
> > ---
> > note to stable: this patch applies to both 4.9 and 4.4 (the latter
> > has an offset but still applies cleanly
>
> Stable folks, please queue this up.

Now applied, thanks!

greg k-h
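
The ownership rule behind the fix quoted above, as an added example that is not part of the original thread and is not kernel code: a user-space C model in which `model_output` (a hypothetical stand-in for neigh_output) consumes the buffer even when it fails. `struct buf`, `buf_release`, `releases_after` and both `finish_output_*` functions are constructed for illustration; releases are counted instead of calling free() so the double release is visible without undefined behaviour.

```c
#include <stdio.h>
/* Constructed stand-in for struct sk_buff: counts releases instead of
 * calling free(), so a double release is observable without UB. */
struct buf { int releases; };
static void buf_release(struct buf *b) { b->releases++; }

/* Hypothetical stand-in for neigh_output(): owns the buffer from the moment
 * it is called and releases it on the error path as well as on success. */
static int model_output(struct buf *b, int fail)
{
    buf_release(b);
    return fail ? -1 : 0;
}

/* Pre-fix shape: runs its own error handling after the callee's release. */
static int finish_output_buggy(struct buf *b, int have_neigh, int fail)
{
    int ret = -1;
    if (have_neigh)
        ret = model_output(b, fail);
    if (ret < 0)
        buf_release(b);            /* second release when the callee failed */
    return ret;
}

/* Post-fix shape: return right after the hand-off, whatever the result. */
static int finish_output_fixed(struct buf *b, int have_neigh, int fail)
{
    if (have_neigh)
        return model_output(b, fail);
    buf_release(b);                /* no neighbour: caller still owns it */
    return -1;
}

/* Number of times the buffer was released in one scenario. */
static int releases_after(int fixed, int have_neigh, int fail)
{
    struct buf b = { 0 };
    if (fixed)
        finish_output_fixed(&b, have_neigh, fail);
    else
        finish_output_buggy(&b, have_neigh, fail);
    return b.releases;
}
int main(void)
{
    printf("buggy: %d, fixed: %d\n", releases_after(0, 1, 1), releases_after(1, 1, 1));
    return 0;
}
```

A release count above 1 in this model corresponds to the double free described in the commit message; in the kernel, allocator debugging such as KASAN is what would surface the real thing.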