Date: Thu, 24 Nov 2016 15:32:42 -0500 (EST)
Message-Id: <20161124.153242.718978368287315233.davem@davemloft.net>
To: eric.dumazet@gmail.com
Cc: edumazet@google.com, herbert@gondor.apana.org.au, bcrl@kvack.org, willemb@google.com, andreyknvl@google.com, samanthakumar@google.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net] udplite: call proper backlog handlers
From: David Miller
In-Reply-To: <1479834405.8455.437.camel@edumazet-glaptop3.roam.corp.google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Eric Dumazet
Date: Tue, 22 Nov 2016 09:06:45 -0800

> From: Eric Dumazet
>
> In commits 93821778def10 ("udp: Fix rcv socket locking") and
> f7ad74fef3af ("net/ipv6/udp: UDP encapsulation: break backlog_rcv into
> __udpv6_queue_rcv_skb") UDP backlog handlers were renamed, but UDPlite
> was forgotten.
>
> This leads to crashes if UDPlite header is pulled twice, which happens
> starting from commit e6afc8ace6dd ("udp: remove headers from UDP packets
> before queueing")
>
> Bug found by syzkaller team, thanks a lot guys !
>
> Note that backlog use in UDP/UDPlite is scheduled to be removed starting
> from linux-4.10, so this patch is only needed up to linux-4.9
>
> Fixes: 93821778def1 ("udp: Fix rcv socket locking")
> Fixes: f7ad74fef3af ("net/ipv6/udp: UDP encapsulation: break backlog_rcv into __udpv6_queue_rcv_skb")
> Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
> Signed-off-by: Eric Dumazet
> Reported-by: Andrey Konovalov

Applied and queued up for -stable, thanks Eric.