From: Willem de Bruijn <willemdebruijn.ker...@gmail.com> Date: Mon, 7 Jan 2019 16:47:33 -0500
> From: Willem de Bruijn <will...@google.com>
>
> Commit 2efd4fca703a ("ip: in cmsg IP(V6)_ORIGDSTADDR call
> pskb_may_pull") avoided a read beyond the end of the skb linear
> segment by calling pskb_may_pull.
>
> That function can trigger a BUG_ON in pskb_expand_head if the skb is
> shared, which it is when peeking. It can also return ENOMEM.
>
> Avoid both by switching to safer skb_header_pointer.
>
> Fixes: 2efd4fca703a ("ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull")
> Reported-by: syzbot <syzkal...@googlegroups.com>
> Suggested-by: Eric Dumazet <eduma...@google.com>
> Signed-off-by: Willem de Bruijn <will...@google.com>

Applied and queued up for -stable.