From: Eric Dumazet <eric.duma...@gmail.com>
Date: Wed, 01 Mar 2017 14:45:06 -0800

> From: Eric Dumazet <eduma...@google.com>
>
> Andrey reported a use-after-free in IPv6 stack.
>
> Issue here is that we free the socket while it still has skb
> in TX path and in some queues.
>
> It happens here because IPv6 reassembly unit messes skb->truesize,
> breaking skb_set_owner_w() badly.
>
> We fixed a similar issue for IPV4 in commit 8282f27449bf ("inet: frag:
> Always orphan skbs inside ip_defrag()")
 ...
> Reported-by: Andrey Konovalov <andreyk...@google.com>
> Signed-off-by: Eric Dumazet <eduma...@google.com>

Applied and queued up for -stable. Thanks.