ddebac76ba109e1bec46dd70ce8260528fc79065 - third_party/kernel

commit	ddebac76ba109e1bec46dd70ce8260528fc79065	[log] [tgz]
author	Eric Dumazet <edumazet@google.com>	Wed Jan 07 21:22:50 2026 +0000
committer	Kevin Berry <kpberry@google.com>	Sat Jan 31 10:14:03 2026 -0800
tree	d33986b67a4ec4da07767d98381a867569374eaa
parent	2e47302873bbe22f983d4dc07b4f28fbbc6a5926 [diff]

arp: do not assume dev_hard_header() does not change skb->head

[ Upstream commit c92510f5e3f82ba11c95991824a41e59a9c5ed81 ]

arp_create() is the only dev_hard_header() caller
making assumption about skb->head being unchanged.

A recent commit broke this assumption.

Initialize @arp pointer after dev_hard_header() call.

BUG=b/478447023
TEST=presubmit
RELEASE_NOTE=Fixed CVE-2026-22988 in the Linux kernel.

cos-patch: security-moderate
Fixes: db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust")
Reported-by: syzbot+58b44a770a1585795351@syzkaller.appspotmail.com
Change-Id: Ia26a02b5bcbf6a68a67a88ceb63f137d3bac5f49
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260107212250.384552-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Kernel CVE Triage Automation <cloud-image-kernel-cve-triage-automation@prod.google.com>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/128023
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Chenglong Tang <chenglongtang@google.com>
Reviewed-by: Kevin Berry <kpberry@google.com>

net/ipv4/arp.c[diff]

1 file changed

tree: d33986b67a4ec4da07767d98381a867569374eaa