From: Eric Dumazet <[email protected]>
Date: Sun, 05 Feb 2017 20:23:22 -0800

> From: Eric Dumazet <[email protected]>
> 
> Dmitry reported use-after-free in ip6_datagram_recv_specific_ctl()
> 
> A similar bug was fixed in commit 8ce48623f0cf ("ipv6: tcp: restore
> IP6CB for pktoptions skbs"), but I missed another spot.
> 
> tcp_v6_syn_recv_sock() can indeed set np->pktoptions from ireq->pktopts
> 
> Fixes: 971f10eca186 ("tcp: better TCP_SKB_CB layout to reduce cache line 
> misses")
> Signed-off-by: Eric Dumazet <[email protected]>
> Reported-by: Dmitry Vyukov <[email protected]>

Applied and queued up for -stable, thanks Eric.
