From: Sabrina Dubroca Date: Mon, 16 Nov 2015 21:44:53 +0000 (+0100) Subject: ipvlan: fix use after free of skb X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=a534dc529853c69e94994aa47c1d80a03ce2c11d;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git ipvlan: fix use after free of skb ipvlan_handle_frame is a rx_handler, and when it returns a value other than RX_HANDLER_CONSUMED (here, NET_RX_DROP aka RX_HANDLER_ANOTHER), __netif_receive_skb_core expects that the skb still exists and will process it further, but we just freed it. Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") Signed-off-by: Sabrina Dubroca Signed-off-by: David S. Miller --- diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c index a9148e46dad0..8c48bb2a94ea 100644 --- a/drivers/net/ipvlan/ipvlan_core.c +++ b/drivers/net/ipvlan/ipvlan_core.c @@ -653,5 +653,5 @@ rx_handler_result_t ipvlan_handle_frame(struct sk_buff **pskb) WARN_ONCE(true, "ipvlan_handle_frame() called for mode = [%hx]\n", port->mode); kfree_skb(skb); - return NET_RX_DROP; + return RX_HANDLER_CONSUMED; }