From: Eric Dumazet <eric.duma...@gmail.com>
Date: Sun, 05 Feb 2017 20:23:22 -0800
> From: Eric Dumazet <eduma...@google.com>
>
> Dmitry reported use-after-free in ip6_datagram_recv_specific_ctl()
>
> A similar bug was fixed in commit 8ce48623f0cf ("ipv6: tcp: restore
> IP6CB for pktoptions skbs"), but I missed another spot.
>
> tcp_v6_syn_recv_sock() can indeed set np->pktoptions from ireq->pktopts
>
> Fixes: 971f10eca186 ("tcp: better TCP_SKB_CB layout to reduce cache line
> misses")
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Reported-by: Dmitry Vyukov <dvyu...@google.com>
APplied and queued up for -stable, thanks Eric.
