1 files changed, 38 insertions, 0 deletions

diff --git a/debian/patches/bugfix/all/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch b/debian/patches/bugfix/all/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch
new file mode 100644
index 000000000..0b0ac04c6
--- /dev/null
+++ b/debian/patches/bugfix/all/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch
@@ -0,0 +1,38 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 30 Apr 2024 10:03:38 -0400
+Subject: tipc: fix a possible memleak in tipc_buf_append
+Origin: https://git.kernel.org/linus/97bf6f81b29a8efaf5d0983251a7450e5794370d
+
+__skb_linearize() doesn't free the skb when it fails, so move
+'*buf = NULL' after __skb_linearize(), so that the skb can be
+freed on the err path.
+
+Fixes: b7df21cf1b79 ("tipc: skb_linearize the head skb when reassembling msgs")
+Reported-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+Link: https://lore.kernel.org/r/90710748c29a1521efac4f75ea01b3b7e61414cf.1714485818.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+---
+ net/tipc/msg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/msg.c b/net/tipc/msg.c
+index 9a6e9bcbf694..76284fc538eb 100644
+--- a/net/tipc/msg.c
++++ b/net/tipc/msg.c
+@@ -142,9 +142,9 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf)
+ 	if (fragid == FIRST_FRAGMENT) {
+ 		if (unlikely(head))
+ 			goto err;
+-		*buf = NULL;
+ 		if (skb_has_frag_list(frag) && __skb_linearize(frag))
+ 			goto err;
++		*buf = NULL;
+ 		frag = skb_unshare(frag, GFP_ATOMIC);
+ 		if (unlikely(!frag))
+ 			goto err;
+-- 
+2.43.0
+