From: Miquel Raynal miquel.raynal@bootlin.com
stable inclusion from stable-v4.19.228 commit d6a44feb2f28d71a7e725f72d09c97c81561cd9a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA71ZX CVE: CVE-2022-48722
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit 621b24b09eb61c63f262da0c9c5f0e93348897e5 upstream.
Upon error the ieee802154_xmit_complete() helper is not called. Only ieee802154_wake_queue() is called manually. We then leak the skb structure.
Free the skb structure upon error before returning.
Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver") Signed-off-by: Miquel Raynal miquel.raynal@bootlin.com Acked-by: Alexander Aring aahringo@redhat.com Link: https://lore.kernel.org/r/20220125121426.848337-5-miquel.raynal@bootlin.com Signed-off-by: Stefan Schmidt stefan@datenfreihafen.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Liu Shixin liushixin2@huawei.com --- drivers/net/ieee802154/ca8210.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c index 324ce317b864..3f581dcc7e6b 100644 --- a/drivers/net/ieee802154/ca8210.c +++ b/drivers/net/ieee802154/ca8210.c @@ -1769,6 +1769,7 @@ static int ca8210_async_xmit_complete( status ); if (status != MAC_TRANSACTION_OVERFLOW) { + dev_kfree_skb_any(priv->tx_skb); ieee802154_wake_queue(priv->hw); return 0; }