[PATCH] route: put lwstate before freeing dst to avoid use after free

[PATCH] route: put lwstate before freeing dst to avoid use after free

[Sasha Levin]

Commit 61adedf3 ("route: move lwtunnel state to dst_entry") is trying to
release lwstate after getting rid of dst, which causes a use-after-free
trying to access dst->lwstate.

Fixes: 61adedf3 ("route: move lwtunnel state to dst_entry")
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
---
 net/core/dst.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/core/dst.c b/net/core/dst.c
index 50dcdbb..477035e 100644
--- a/net/core/dst.c
+++ b/net/core/dst.c
@@ -262,11 +262,12 @@ again:
 	if (dst->dev)
 		dev_put(dst->dev);
 
+	lwtstate_put(dst->lwtstate);
+
 	if (dst->flags & DST_METADATA)
 		kfree(dst);
 	else
 		kmem_cache_free(dst->ops->kmem_cachep, dst);
-	lwtstate_put(dst->lwtstate);
 
 	dst = child;
 	if (dst) {
-- 
1.7.10.4

Re: [PATCH] route: put lwstate before freeing dst to avoid use after free

[Thomas Graf]

On 08/25/15 at 02:25pm, Sasha Levin wrote:
> Commit 61adedf3 ("route: move lwtunnel state to dst_entry") is trying to
> release lwstate after getting rid of dst, which causes a use-after-free
> trying to access dst->lwstate.
> 
> Fixes: 61adedf3 ("route: move lwtunnel state to dst_entry")
> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

Acked-by: Thomas Graf <tgraf@suug.ch>

Re: [PATCH] route: put lwstate before freeing dst to avoid use after free

[Jiri Benc]

On Tue, 25 Aug 2015 14:25:14 -0400, Sasha Levin wrote:
> Commit 61adedf3 ("route: move lwtunnel state to dst_entry") is trying to
> release lwstate after getting rid of dst, which causes a use-after-free
> trying to access dst->lwstate.
> 
> Fixes: 61adedf3 ("route: move lwtunnel state to dst_entry")
> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

Already fixed by e252b3d1a174 in net-next.

 Jiri

-- 
Jiri Benc