[PATCH] route: put lwstate before freeing dst to avoid use after free

Sasha Levin Tue, 25 Aug 2015 11:27:43 -0700

Commit 61adedf3 ("route: move lwtunnel state to dst_entry") is trying to
release lwstate after getting rid of dst, which causes a use-after-free
trying to access dst->lwstate.


Fixes: 61adedf3 ("route: move lwtunnel state to dst_entry")
Signed-off-by: Sasha Levin <sasha.le...@oracle.com>
---
 net/core/dst.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/core/dst.c b/net/core/dst.c
index 50dcdbb..477035e 100644
--- a/net/core/dst.c
+++ b/net/core/dst.c
@@ -262,11 +262,12 @@ again:
        if (dst->dev)
                dev_put(dst->dev);
 
+       lwtstate_put(dst->lwtstate);
+
        if (dst->flags & DST_METADATA)
                kfree(dst);
        else
                kmem_cache_free(dst->ops->kmem_cachep, dst);
-       lwtstate_put(dst->lwtstate);
 
        dst = child;
        if (dst) {
-- 
1.7.10.4

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] route: put lwstate before freeing dst to avoid use after free

Reply via email to