From: Paolo Abeni <pab...@redhat.com>
Date: Wed, 19 Sep 2018 15:02:07 +0200
> the ip6 tunnel xmit ndo assumes that the processed skb always
> contains an ip[v6] header, but syzbot has found a way to send
> frames that fall short of this assumption, leading to the following splat:
...
> This change addresses the issue adding the needed check before
> accessing the inner header.
>
> The ipv4 side of the issue is apparently there since the ipv4 over ipv6
> initial support, and the ipv6 side predates git history.
>
> Fixes: c4d3efafcc93 ("[IPV6] IP6TUNNEL: Add support to IPv4 over IPv6
> tunnel.")
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: syzbot+3fde91d4d394747d6...@syzkaller.appspotmail.com
> Tested-by: Alexander Potapenko <gli...@google.com>
> Signed-off-by: Paolo Abeni <pab...@redhat.com>
Applied and queued up for -stable.
