On Mon, 2017-09-25 at 15:28 -0400, Martin K. Petersen wrote:
> Xin,
> 
> > ChunYu found a kernel crash by syzkaller:
> 
> [...]
> 
> > It's caused by skb_shared_info at the end of sk_buff was overwritten by
> > ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.
> >
> > During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
> > > ev = nlmsg_data(nlh) will actually get skb_shinfo(SKB) instead and set a
> > new value to skb_shinfo(SKB)->nr_frags by ev->type.
> >
> > This patch is to fix it by checking nlh->nlmsg_len properly there to
> > avoid over accessing sk_buff.
> 
> Applied to 4.14/scsi-fixes. Thank you!
> 

Should this be considered for -stable?  (Despite not being reproduced
after 7f564528a4).
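The length check the quoted commit message describes, as an added userspace model (not the kernel's code or the patch itself): `parse_events` mirrors the way iscsi_if_rx loops over netlink messages in a received buffer and rejects a message whose nlmsg_len covers the header but not the event payload, which is the case that made nlmsg_data() land on skb_shared_info. `struct nlmsg_hdr`, `struct iscsi_event` and `demo` are local stand-ins constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins for struct nlmsghdr and the iSCSI event payload, constructed for
 * this example; the layout mirrors the kernel's but the names are local. */
struct nlmsg_hdr {
    uint32_t nlmsg_len;               /* header + payload length claimed by the sender */
    uint16_t nlmsg_type, nlmsg_flags;
    uint32_t nlmsg_seq, nlmsg_pid;
};
struct iscsi_event { uint32_t type, handle; };

/* Walk the netlink messages in a receive buffer the way iscsi_if_rx loops.
 * Returns the number of events read, or -1 if a message's declared length
 * does not cover both the header and an event payload. */
int parse_events(const uint8_t *buf, size_t len, uint32_t *types, size_t max)
{
    size_t off = 0, n = 0;
    while (off + sizeof(struct nlmsg_hdr) <= len) {
        struct nlmsg_hdr nlh;
        struct iscsi_event ev;
        memcpy(&nlh, buf + off, sizeof nlh);
        /* The check the patch adds: nlmsg_len == sizeof(*nlh) is well-formed
         * netlink but has no payload, so reading ev would run past the message. */
        if (nlh.nlmsg_len < sizeof nlh + sizeof ev || nlh.nlmsg_len > len - off)
            return -1;
        memcpy(&ev, buf + off + sizeof nlh, sizeof ev);
        if (n < max)
            types[n] = ev.type;
        n++;
        off += (nlh.nlmsg_len + 3u) & ~3u;         /* NLMSG_ALIGN */
    }
    return (int)n;
}

/* Constructed input: one message whose header claims nlmsg_len bytes, received
 * in a buffer of buf_len bytes (the skb->len analogue). Returns parse_events(). */
int demo(uint32_t nlmsg_len, size_t buf_len, uint32_t *type_out)
{
    uint8_t buf[64] = { 0 };
    struct nlmsg_hdr nlh = { .nlmsg_len = nlmsg_len };
    struct iscsi_event ev = { .type = 7, .handle = 0 };
    memcpy(buf, &nlh, sizeof nlh);
    memcpy(buf + sizeof nlh, &ev, sizeof ev);
    *type_out = 0;
    return parse_events(buf, buf_len, type_out, 1);   /* demo(24,24): 1; demo(16,16): -1 */
}
```

`demo(16, 16, &t)` is the reported case: skb->len and nlmsg_len both equal sizeof(*nlh), so the event read is refused instead of reading eight bytes past the end of the message.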