On Mon, 2016-11-28 at 20:34 +0100, Dmitry Vyukov wrote:
> On Mon, Nov 28, 2016 at 8:04 PM, 'Andrey Konovalov' via syzkaller
> > Hi Eric,
> >
> > As far as I can see, skb_network_offset() becomes negative after
> > pskb_pull(skb, (u8 *) (fhdr + 1) - skb->data) in nf_ct_frag6_queue().
> > At least I'm able to detect that with a BUG_ON().
> >
> > Also it seems that the issue is only reproducible (at least with the
> > PoC I provided) for a short time after boot.
>
> Eric,
>
> Is it enough to debug? Or maybe Andrey can trace some values for you.

Well, now we are talking. If you tell me how many modules you load, it might help ;)

nf_ct_frag6_queue is nowhere to be seen in my kernels, that might explain why I could not reproduce the bug.

Let me try ;)
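The mechanism Andrey describes, as an added illustration that is not part of this thread and not kernel code: a stripped-down model of the sk_buff fields involved (head, data, len, and network_header stored as an offset from head), a linear-only stand-in for pskb_pull(), and the kernel's definition of skb_network_offset() as network header minus data. The frame layout (14-byte Ethernet, 40-byte IPv6 header, 8-byte fragment header, 16 bytes of payload), the struct and function names with a _model suffix, and the offset_* helpers are assumptions made for the example. Pulling `(u8 *)(fhdr + 1) - skb->data` bytes moves data 48 bytes past the network header, so skb_network_offset() goes from 0 to -48, which is what a BUG_ON(skb_network_offset(skb) < 0) placed after the pull would trip on.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of the sk_buff fields that matter here.
 * The real struct is much larger and pskb_pull() also handles paged data;
 * this only models the linear case. */
struct skb_model {
    unsigned char *head;      /* start of the buffer */
    unsigned char *data;      /* current parse position */
    unsigned int len;         /* bytes from data to end of payload */
    uint16_t network_header;  /* offset of the IPv6 header from head */
};

static unsigned char *skb_network_header(const struct skb_model *skb)
{
    return skb->head + skb->network_header;
}

/* Same definition as the kernel's skb_network_offset(): where the network
 * header sits relative to data. Negative means data was pulled past it. */
static int skb_network_offset(const struct skb_model *skb)
{
    return (int)(skb_network_header(skb) - skb->data);
}

/* Linear-only stand-in for pskb_pull(): advance data, shrink len.
 * Returns NULL if the pull would run past the end of the payload. */
static unsigned char *pskb_pull_model(struct skb_model *skb, unsigned int n)
{
    if (n > skb->len)
        return NULL;
    skb->data += n;
    skb->len -= n;
    return skb->data;
}

/* Assumed frame layout (constructed for the example). */
enum { ETH_HLEN_M = 14, IPV6_HLEN_M = 40, FRAG_HLEN_M = 8, PAYLOAD_M = 16 };
#define FRAME_LEN_M (ETH_HLEN_M + IPV6_HLEN_M + FRAG_HLEN_M + PAYLOAD_M)

/* Build a fragment as it looks when it reaches the IPv6 defrag hook:
 * L2 already pulled, data and network_header both at the IPv6 header. */
static void build_fragment_skb(struct skb_model *skb, unsigned char *buf)
{
    memset(buf, 0, FRAME_LEN_M);
    buf[ETH_HLEN_M] = 0x60;        /* IPv6 version nibble */
    buf[ETH_HLEN_M + 6] = 44;      /* next header = Fragment */
    skb->head = buf;
    skb->data = buf + ETH_HLEN_M;
    skb->len = IPV6_HLEN_M + FRAG_HLEN_M + PAYLOAD_M;
    skb->network_header = ETH_HLEN_M;
}

/* Offset while data still points at the IPv6 header: 0. */
int offset_before_pull(void)
{
    unsigned char buf[FRAME_LEN_M];
    struct skb_model skb;
    build_fragment_skb(&skb, buf);
    return skb_network_offset(&skb);
}

/* The pull from the thread: fhdr is the fragment header, fhdr + 1 is the
 * first payload byte (here written as fhdr + FRAG_HLEN_M on a byte pointer),
 * so data lands 48 bytes beyond the network header. */
int offset_after_frag_pull(void)
{
    unsigned char buf[FRAME_LEN_M];
    struct skb_model skb;
    build_fragment_skb(&skb, buf);
    unsigned char *fhdr = skb.data + IPV6_HLEN_M;
    if (!pskb_pull_model(&skb, (unsigned int)((fhdr + FRAG_HLEN_M) - skb.data)))
        return 1; /* cannot happen with this frame; non-negative sentinel */
    return skb_network_offset(&skb);
}

/* The sanity check from the thread, as a predicate instead of a BUG_ON(). */
int network_offset_is_valid(int off)
{
    return off >= 0;
}

int main(void)
{
    printf("before pull: %d\n", offset_before_pull());
    printf("after pull:  %d\n", offset_after_frag_pull());
    return 0;
}
```

Anything downstream that does `skb->data + skb_network_offset(skb)` or `skb_push(skb, -skb_network_offset(skb))` after such a pull is now working with a negative offset, which is why a BUG_ON() right after the pull is a cheap way to pin down where the invariant breaks.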