From: Lorenzo Bianconi <lorenzo.bianc...@redhat.com>
Date: Thu, 8 Mar 2018 17:00:02 +0100

> Fix the following slab-out-of-bounds kasan report in
> ndisc_fill_redirect_hdr_option when the incoming ipv6 packet is not
> linear and the accessed data are not in the linear data region of orig_skb.
...
> The test scenario to trigger the issue consists of 4 devices:
> - H0: data sender, connected to LAN0
> - H1: data receiver, connected to LAN1
> - GW0 and GW1: routers between LAN0 and LAN1. Both of them have an
>   ethernet connection on LAN0 and LAN1
> On H{0,1} set GW0 as default gateway while on GW0 set GW1 as next hop for
> data from LAN0 to LAN1.
> Moreover create an ip6ip6 tunnel between H0 and H1 and send 3 concurrent
> data streams (TCP/UDP/SCTP) from H0 to H1 through ip6ip6 tunnel (send
> buffer size is set to 16K). While data streams are active flush the route
> cache on HA multiple times.
> I have not been able to identify a given commit that introduced the issue
> since, using the reproducer described above, the kasan report has been
> triggered from 4.14 and I have not gone back further.
>
> Reported-by: Jianlin Shi <ji...@redhat.com>
> Reviewed-by: Stefano Brivio <sbri...@redhat.com>
> Reviewed-by: Eric Dumazet <eduma...@google.com>
> Signed-off-by: Lorenzo Bianconi <lorenzo.bianc...@redhat.com>

Applied and queued up for -stable, thanks!