From: Andreas Steinmetz <ast@domdv.de>
Date: Sun, 30 Jun 2019 20:46:42 +0000 (+0200)
Subject: macsec: fix use-after-free of skb during RX
X-Git-Tag: v4.19.62~27
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=21252f49cddf9878e2eb4af65df64b399dd94496;p=platform%2Fkernel%2Flinux-rpi.git

macsec: fix use-after-free of skb during RX

[ Upstream commit 095c02da80a41cf6d311c504d8955d6d1c2add10 ]

Fix use-after-free of skb when rx_handler returns RX_HANDLER_PASS.

Signed-off-by: Andreas Steinmetz <ast@domdv.de>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
index 7de88b3..7a2dae9 100644
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -1103,10 +1103,9 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
 	}
 
 	skb = skb_unshare(skb, GFP_ATOMIC);
-	if (!skb) {
-		*pskb = NULL;
+	*pskb = skb;
+	if (!skb)
 		return RX_HANDLER_CONSUMED;
-	}
 
 	pulled_sci = pskb_may_pull(skb, macsec_extra_len(true));
 	if (!pulled_sci) {