From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Tung Nguyen, Lee Jones, Jakub Kicinski, Sasha Levin
Subject: [PATCH 6.18 714/957] tipc: fix double-free in tipc_buf_append()
Date: Wed, 20 May 2026 18:19:57 +0200
Message-ID: <20260520162150.031427263@linuxfoundation.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260520162134.554764788@linuxfoundation.org>
References: <20260520162134.554764788@linuxfoundation.org>
User-Agent: quilt/0.69
X-stable: review
X-Patchwork-Hint: ignore
Precedence: bulk
X-Mailing-List: patches@lists.linux.dev
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

6.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Lee Jones

[ Upstream commit d293ca716e7d5dffdaecaf6b9b2f857a33dc3d3a ]

tipc_msg_validate() can potentially reallocate the skb it is validating,
freeing the old one. In tipc_buf_append(), it was being called with a
pointer to a local variable which was a copy of the caller's skb pointer.
If the skb was reallocated and validation subsequently failed, the error
handling path would free the original skb pointer, which had already been
freed, leading to a double-free.

Fix this by checking if head now points to a newly allocated reassembled
skb. If it does, reassign *headbuf for later freeing operations.

Fixes: d618d09a68e4 ("tipc: enforce valid ratio between skb truesize and contents")
Suggested-by: Tung Nguyen
Signed-off-by: Lee Jones
Reviewed-by: Tung Nguyen
Signed-off-by: Jakub Kicinski
Signed-off-by: Sasha Levin
---
 net/tipc/msg.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/net/tipc/msg.c b/net/tipc/msg.c
index 76284fc538ebd..b0bba0feef564 100644
--- a/net/tipc/msg.c
+++ b/net/tipc/msg.c
@@ -177,8 +177,20 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf) if (fragid == LAST_FRAGMENT) { TIPC_SKB_CB(head)->validated = 0; - if (unlikely(!tipc_msg_validate(&head))) + + /* If the reassembled skb has been freed in + * tipc_msg_validate() because of an invalid truesize, + * then head will point to a newly allocated reassembled + * skb, while *headbuf points to freed reassembled skb. + * In such cases, correct *headbuf for freeing the newly + * allocated reassembled skb later. + */ + if (unlikely(!tipc_msg_validate(&head))) { + if (head != *headbuf) + *headbuf = head; goto err; + } + *buf = head; TIPC_SKB_CB(head)->tail = NULL; *headbuf = NULL; -- 2.53.0
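Review bot: the `if (head != *headbuf)` guard in front of `*headbuf = head;` is redundant; when the two pointers are still equal the assignment is a no-op, so an unconditional `*headbuf = head;` in the failure branch is simpler and states the intent (resynchronise the caller's pointer before `goto err` frees it) more directly. The seven-line comment could likewise be trimmed to one sentence noting that tipc_msg_validate() may have replaced head. The logic itself is sound: on the success path `*buf = head` already propagates the possibly new skb and `*headbuf` is cleared immediately afterwards, so only the error path needed the resync.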
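The bug described in the commit message is a general pattern: a callee takes a pointer-to-pointer, may free the object and replace it, and a caller that passed the address of a local copy is left holding a stale pointer on its error path. The following is an added example, not kernel code and not part of the patch; it models that pattern with a toy buffer type and a bookkeeping pool so the double free is counted rather than actually corrupting a heap. The names `tbuf`, `tbuf_validate`, `append_last_fragment_buggy` and `append_last_fragment_fixed` are hypothetical, and the "bloated truesize triggers reallocation" rule is a constructed stand-in for what the commit message says tipc_msg_validate() does.

```c
/* Added example (not kernel code): a validator that may replace the buffer
 * it checks, and a caller that frees through a pointer the validator may
 * have invalidated. All names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BUFS 16

/* Toy buffer: payload length plus the "truesize" the allocator charged. */
struct tbuf {
    size_t len;
    size_t truesize;
    bool   freed;   /* set on free so a second free is observable */
};

/* Bookkeeping pool: frees are recorded instead of being undefined behaviour. */
static struct tbuf pool[MAX_BUFS];
static int pool_used;
static int double_free_count;

static void pool_reset(void)
{
    memset(pool, 0, sizeof(pool));
    pool_used = 0;
    double_free_count = 0;
}

static struct tbuf *tbuf_alloc(size_t len, size_t truesize)
{
    if (pool_used >= MAX_BUFS)
        return NULL;
    struct tbuf *b = &pool[pool_used++];
    b->len = len;
    b->truesize = truesize;
    b->freed = false;
    return b;
}

static void tbuf_free(struct tbuf *b)
{
    if (!b)
        return;
    if (b->freed)
        double_free_count++;   /* a real allocator would be corrupted here */
    b->freed = true;
}

/* Hypothetical validator modelled on the commit message: if truesize is out
 * of proportion to the contents, the buffer is replaced by a tighter copy
 * (old one freed, *bp updated) and validation then continues and may still
 * fail. Returns true when the buffer is acceptable. */
static bool tbuf_validate(struct tbuf **bp)
{
    struct tbuf *b = *bp;
    if (b->truesize > 4 * b->len) {
        struct tbuf *tight = tbuf_alloc(b->len, b->len);
        if (!tight)
            return false;
        tbuf_free(b);
        *bp = tight;
        b = tight;
    }
    return b->len > 0;   /* constructed rule: empty payloads are invalid */
}

/* Pre-fix shape: validate through a local copy, then free via the caller's
 * pointer, which is stale if the validator replaced the buffer. */
static int append_last_fragment_buggy(struct tbuf **headbuf)
{
    struct tbuf *head = *headbuf;
    if (!tbuf_validate(&head)) {
        tbuf_free(*headbuf);   /* may free an already freed buffer */
        return -1;
    }
    *headbuf = NULL;
    return 0;
}

/* Fixed shape: resync the caller's pointer before the error path frees it. */
static int append_last_fragment_fixed(struct tbuf **headbuf)
{
    struct tbuf *head = *headbuf;
    if (!tbuf_validate(&head)) {
        if (head != *headbuf)
            *headbuf = head;
        tbuf_free(*headbuf);
        return -1;
    }
    *headbuf = NULL;
    return 0;
}

/* Runs one caller variant on a freshly allocated buffer and reports how many
 * double frees the pool observed. len == 0 with a large truesize triggers
 * both the reallocation and the validation failure. */
static int run_scenario(int (*append)(struct tbuf **), size_t len, size_t truesize)
{
    pool_reset();
    struct tbuf *headbuf = tbuf_alloc(len, truesize);
    append(&headbuf);
    return double_free_count;
}

int main(void)
{
    printf("buggy caller, realloc + failure: %d double free(s)\n",
           run_scenario(append_last_fragment_buggy, 0, 4096));
    printf("fixed caller, realloc + failure: %d double free(s)\n",
           run_scenario(append_last_fragment_fixed, 0, 4096));
    return 0;
}
```

The buggy variant frees the original buffer a second time because `tbuf_validate()` already freed it when it made the tight copy; the fixed variant frees the replacement exactly once, which is the same resync the patch applies to `*headbuf` before `goto err`.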