From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Miller
Subject: Re: [PATCH net] ipv6: fix possible use-after-free in ip6_xmit()
Date: Mon, 17 Sep 2018 07:58:46 -0700 (PDT)
Message-ID: <20180917.075846.179673509232119753.davem@davemloft.net>
References: <20180914190232.184779-1-edumazet@google.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org, eric.dumazet@gmail.com
To: edumazet@google.com
Return-path:
Received: from shards.monkeyblade.net ([23.128.96.9]:45698 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK)
 by vger.kernel.org with ESMTP id S1726885AbeIQU03 (ORCPT );
 Mon, 17 Sep 2018 16:26:29 -0400
In-Reply-To: <20180914190232.184779-1-edumazet@google.com>
Sender: netdev-owner@vger.kernel.org
List-ID:

From: Eric Dumazet
Date: Fri, 14 Sep 2018 12:02:31 -0700

> In the unlikely case ip6_xmit() has to call skb_realloc_headroom(),
> we need to call skb_set_owner_w() before consuming original skb,
> otherwise we risk a use-after-free.
>
> Bring IPv6 in line with what we do in IPv4 to fix this.
>
> Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
> Signed-off-by: Eric Dumazet
> Reported-by: syzbot

Applied and queued up for -stable.
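
The ordering issue described in the quoted commit message, as a simplified userspace model added here (not the kernel patch, and not code from either author). It assumes the original skb holds the last reference on its socket; `sock_model`, `skb_model` and the `*_model` functions are hypothetical stand-ins, and release is recorded with a flag instead of a real `free()`.

```c
#include <stdio.h>

/* Simplified userspace model (constructed): the *_model names are
 * hypothetical and only mimic the ownership idea, not kernel internals. */
struct sock_model { int wmem_refs; int freed; };
struct skb_model  { struct sock_model *sk; };
static int uaf_detected; /* set when a released socket is touched */

/* Charge a buffer to its owner socket (models skb_set_owner_w()). */
static void set_owner_w_model(struct skb_model *skb, struct sock_model *sk)
{
    if (sk->freed)
        uaf_detected = 1;   /* in a real kernel: access to freed memory */
    sk->wmem_refs++;
    skb->sk = sk;
}

/* Release a buffer; the last release frees the owner (models consuming the skb). */
static void consume_skb_model(struct skb_model *skb)
{
    struct sock_model *sk = skb->sk;
    skb->sk = NULL;
    if (sk && --sk->wmem_refs == 0)
        sk->freed = 1;      /* flag instead of free() so the model stays defined */
}

/* Headroom-reallocation path; returns 1 if the socket was used after release. */
static int realloc_path_model(int owner_first)
{
    struct sock_model sk = { 0, 0 };
    struct skb_model skb = { NULL }, skb2 = { NULL };
    uaf_detected = 0;
    set_owner_w_model(&skb, &sk);   /* assumption: original skb holds the only reference */
    if (owner_first) {              /* order the commit message asks for */
        set_owner_w_model(&skb2, skb.sk);
        consume_skb_model(&skb);
    } else {                        /* consume original first, then set owner */
        struct sock_model *owner = skb.sk;
        consume_skb_model(&skb);
        set_owner_w_model(&skb2, owner);
    }
    return uaf_detected;
}

int main(void)
{
    printf("consume first: uaf=%d\n", realloc_path_model(0));
    printf("owner first:   uaf=%d\n", realloc_path_model(1));
    return 0;
}
```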