From: Eric Dumazet <[email protected]>
Date: Fri, 4 Jan 2019 11:00:00 -0800
> syzbot was able to crash one host with the following stack trace :
...
> This is because a RX packet found socket owned by user and
> was stored into socket backlog. Before leaving RCU protected section,
> skb->dev was cleared in __sk_receive_skb(). When socket backlog
> was finally handled at release_sock() time, skb was fed to
> smack_socket_sock_rcv_skb() then icmp6_send()
>
> We could fix the bug in smack_socket_sock_rcv_skb(), or simply
> make icmp6_send() more robust against such possibility.
>
> In the future we might provide to icmp6_send() the net pointer
> instead of infering it.
>
> Fixes: d66a8acbda92 ("Smack: Inform peer that IPv6 traffic has been blocked")
> Signed-off-by: Eric Dumazet <[email protected]>
> Cc: Piotr Sawicki <[email protected]>
> Cc: Casey Schaufler <[email protected]>
> Reported-by: syzbot <[email protected]>
Applied and queued up for -stable, thanks.
