From: David Ahern <dsah...@gmail.com>
Date: Thu, 18 Jul 2019 08:21:01 -0600
> On 7/17/19 2:39 PM, Ido Schimmel wrote:
>> From: Ido Schimmel <ido...@mellanox.com>
>>
>> When a route needs to be appended to an existing multipath route,
>> fib6_add_rt2node() first appends it to the siblings list and increments
>> the number of sibling routes on each sibling.
>>
>> Later, the function notifies the route via call_fib6_entry_notifiers().
>> In case the notification is vetoed, the route is not unlinked from the
>> siblings list, which can result in a use-after-free.
>>
>> Fix this by unlinking the route from the siblings list before returning
>> an error.
>>
>> Audited the rest of the call sites from which the FIB notification chain
>> is called and could not find more problems.
>>
>> Fixes: 2233000cba40 ("net/ipv6: Move call_fib6_entry_notifiers up for route
>> adds")
>> Signed-off-by: Ido Schimmel <ido...@mellanox.com>
>> Reported-by: Alexander Petrovskiy <ale...@mellanox.com>
>> ---
>> Dave, this will not apply cleanly to stable trees due to recent changes
>> in net-next. I can prepare another patch for stable if needed.
>> ---
>> net/ipv6/ip6_fib.c | 18 +++++++++++++++++-
>> 1 file changed, 17 insertions(+), 1 deletion(-)
>>
>
> Thanks for the fix, Ido. I can help with the ports as well.
>
> Reviewed-by: David Ahern <dsah...@gmail.com>
Applied and queued up for -stable.
Since I've done a bunch of ipv6 routing fix backports through David's
refactoring and cleanups, I'll give this one a try too :-) If I run
into problems I'll ask for help.
Thanks.
