From: Eric Dumazet <eric.duma...@gmail.com>
Date: Wed, 18 Oct 2017 14:20:30 -0700
> From: Eric Dumazet <eduma...@google.com>
>
> syn_data was allocated by sk_stream_alloc_skb(), meaning
> its destructor and _skb_refdst fields are mangled.
>
> We need to call tcp_skb_tsorted_anchor_cleanup() before
> calling kfree_skb() or kernel crashes.
>
> Bug was reported by syzkaller bot.
>
> Fixes: e2080072ed2d ("tcp: new list for sent but unacked skbs for RACK
> recovery")
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Reported-by: Dmitry Vyukov <dvyu...@google.com>
Applied.
