This is a note to let you know that I've just added the patch titled
hsr: Prevent use after free in prp_create_tagged_frame()
to the 5.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
hsr-prevent-use-after-free-in-prp_create_tagged_fram.patch
and it can be found in the queue-5.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit 5c2d4bb89b1edb7484217c2e8c34064f8b2008fc
Author: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date: Fri Oct 27 15:19:01 2023 +0300
hsr: Prevent use after free in prp_create_tagged_frame()
[ Upstream commit 876f8ab52363f649bcc74072157dfd7adfbabc0d ]
The prp_fill_rct() function can fail. In that situation, it frees the
skb and returns NULL. Meanwhile on the success path, it returns the
original skb. So it's straight forward to fix bug by using the returned
value.
Fixes: 451d8123f897 ("net: prp: add packet handling support")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Acked-by: Paolo Abeni <pabeni@xxxxxxxxxx>
Link: https://lore.kernel.org/r/57af1f28-7f57-4a96-bcd3-b7a0f2340845@moroto.mountain
Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
index 12ba43023d30e..e31747d328e70 100644
--- a/net/hsr/hsr_forward.c
+++ b/net/hsr/hsr_forward.c
@@ -300,9 +300,7 @@ struct sk_buff *prp_create_tagged_frame(struct hsr_frame_info *frame,
skb = skb_copy_expand(frame->skb_std, 0,
skb_tailroom(frame->skb_std) + HSR_HLEN,
GFP_ATOMIC);
- prp_fill_rct(skb, frame, port);
-
- return skb;
+ return prp_fill_rct(skb, frame, port);
}
static void hsr_deliver_master(struct sk_buff *skb, struct net_device *dev,
