{
  "commit": "eb48730bb827d1550401a5d391903f9d90b493c8",
  "tree": "57bf2d7b12047d8546ad9375e5fae4b07cc871c8",
  "parents": [
    "e9096a5a170e7ecd6467bc2e08668ec39897cda7"
  ],
  "author": {
    "name": "Zhenghang Xiao",
    "email": "kipreyyy@gmail.com",
    "time": "Tue May 26 18:53:28 2026 +0800"
  },
  "committer": {
    "name": "Steffen Klassert",
    "email": "steffen.klassert@secunet.com",
    "time": "Tue Jun 02 12:21:50 2026 +0200"
  },
  "message": "xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload\n\n__input_process_payload() stores first_skb into xtfs-\u003era_newskb under\ndrop_lock when starting partial reassembly, then unlocks and breaks out\nof the processing loop. The post-loop check reads xtfs-\u003era_newskb\nwithout the lock to decide whether first_skb is still owned:\n\n    if (first_skb \u0026\u0026 first_iplen \u0026\u0026 !defer \u0026\u0026 first_skb !\u003d xtfs-\u003era_newskb)\n\nBetween spin_unlock and this read, a concurrent CPU running\niptfs_reassem_cont() (or the drop_timer hrtimer) can complete\nreassembly, NULL xtfs-\u003era_newskb, and free the skb. The check then\nevaluates first_skb !\u003d NULL as true, and pskb_trim/ip_summed/consume_skb\noperate on the freed skb — a use-after-free in skbuff_head_cache.\n\nReplace the unlocked read with a local bool that records whether\nfirst_skb was handed to the reassembly state in the current call. The\nflag is set after the existing spin_unlock, before the break, using the\npointer equality that is stable at that point (first_skb \u003d\u003d skb iff\nfirst_skb was stored in ra_newskb).\n\nFixes: 3f3339885fb3 (\"xfrm: iptfs: add reusing received skb for the tunnel egress packet\")\nSigned-off-by: Zhenghang Xiao \u003ckipreyyy@gmail.com\u003e\nSigned-off-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "62ba828632f19a73f66a4b3366c557509be185d8",
      "old_mode": 33188,
      "old_path": "net/xfrm/xfrm_iptfs.c",
      "new_id": "aea63a000d1dfcc0cc7e4035d3a4a37d8348e480",
      "new_mode": 33188,
      "new_path": "net/xfrm/xfrm_iptfs.c"
    }
  ]
}
