Xin, > ChunYu found a kernel crash by syzkaller:
[...] > It's caused by skb_shared_info at the end of sk_buff was overwritten by > ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx. > > During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh), > ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a > new value to skb_shinfo(SKB)->nr_frags by ev->type. > > This patch is to fix it by checking nlh->nlmsg_len properly there to > avoid over accessing sk_buff. Applied to 4.14/scsi-fixes. Thank you! -- Martin K. Petersen Oracle Linux Engineering
