From: Eric Dumazet <eduma...@google.com>
Date: Wed, 29 May 2019 15:36:10 -0700

> If a network driver provides to napi_gro_frags() an
> skb with a page fragment of exactly 14 bytes, the call
> to gro_pull_from_frag0() will 'consume' the fragment
> by calling skb_frag_unref(skb, 0), and the page might
> be freed and reused.
>
> Reading eth->h_proto at the end of napi_frags_skb() might
> read mangled data, or crash under specific debugging features.
...
> Fixes: a50e233c50db ("net-gro: restore frag0 optimization")
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Reported-by: syzbot <syzkal...@googlegroups.com>

Applied and queued up for -stable, thanks.
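The failure mode the quoted commit message describes, modelled in user-space C. This is an added example and not kernel code, not Eric's patch and not the fix that was applied: `struct page`, `struct skb`, `gro_pull_from_frag0()`, `page_put()`, `frags_skb_buggy()`, `frags_skb_safe()` and `run()` are simplified stand-ins whose names and shapes are assumptions, and a "freed" page is poisoned with 0xAA to stand in for reuse (or a debug allocator). The safe variant here reads the Ethernet header from the copy the pull placed in the linear area; the page does not show how the merged fix does it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the napi_gro_frags() frag0 corner case. Not Linux
 * kernel code: every struct and helper below is a simplified stand-in
 * with the same shape as its kernel namesake. */

#define ETH_HLEN   14
#define PAGE_BYTES 64
#define POISON     0xAA   /* stands in for a freed page being reused */

struct page {
    int     refcount;
    uint8_t data[PAGE_BYTES];
};

struct skb {
    uint8_t        linear[128];  /* skb->data: memory the skb owns */
    size_t         len;          /* bytes currently in the linear area */
    struct page   *frag_page;    /* frag 0, NULL once consumed */
    size_t         frag_len;     /* bytes remaining in frag 0 */
    const uint8_t *frag0;        /* NAPI_GRO_CB(skb)->frag0 */
    size_t         frag0_len;    /* NAPI_GRO_CB(skb)->frag0_len */
};

/* Dropping the last reference "frees" the page; poisoning models the
 * page being handed out again before the stale pointer is read. */
static void page_put(struct page *p)
{
    if (--p->refcount == 0)
        memset(p->data, POISON, sizeof p->data);
}

/* Like gro_pull_from_frag0(): copy hlen bytes of frag0 into the linear
 * area and, if that drains the fragment, release the page (the model's
 * skb_frag_unref(skb, 0)). With a 14-byte fragment this always frees. */
static void gro_pull_from_frag0(struct skb *skb, size_t hlen)
{
    memcpy(skb->linear + skb->len, skb->frag0, hlen);
    skb->len      += hlen;
    skb->frag_len -= hlen;
    if (skb->frag_len == 0) {
        page_put(skb->frag_page);
        skb->frag_page = NULL;
    }
}

/* h_proto is the last two bytes of the header, in network byte order. */
static uint16_t eth_proto(const uint8_t *eth)
{
    return (uint16_t)(eth[12] << 8 | eth[13]);
}

/* Buggy ordering: take a pointer into frag0, pull (which may free the
 * page), then dereference the now-stale pointer. */
static uint16_t frags_skb_buggy(struct skb *skb)
{
    const uint8_t *eth = skb->frag0;       /* skb_gro_header_fast() */
    gro_pull_from_frag0(skb, ETH_HLEN);
    skb->frag0     += ETH_HLEN;
    skb->frag0_len -= ETH_HLEN;
    return eth_proto(eth);                 /* read after the page went away */
}

/* Safe ordering used in this model: read the header from the copy that
 * the pull just placed in the linear area, which the skb owns. */
static uint16_t frags_skb_safe(struct skb *skb)
{
    gro_pull_from_frag0(skb, ETH_HLEN);
    skb->frag0     += ETH_HLEN;
    skb->frag0_len -= ETH_HLEN;
    return eth_proto(skb->linear + skb->len - ETH_HLEN);
}

/* Build an skb whose only fragment holds frag_len bytes starting with an
 * Ethernet header carrying EtherType 0x0800 (IPv4). Constructed input. */
static void build_skb(struct skb *skb, struct page *pg, size_t frag_len)
{
    static const uint8_t hdr[ETH_HLEN] = {
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* h_dest   */
        0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,   /* h_source */
        0x08, 0x00 };                         /* h_proto  */
    memset(pg, 0, sizeof *pg);
    pg->refcount = 1;
    memcpy(pg->data, hdr, ETH_HLEN);
    memset(skb, 0, sizeof *skb);
    skb->frag_page = pg;
    skb->frag_len  = frag_len;
    skb->frag0     = pg->data;
    skb->frag0_len = frag_len;
}

/* One scenario: a fragment of frag_len bytes, processed with either
 * ordering. Returns the EtherType that ordering reads as h_proto. */
static uint16_t run(size_t frag_len, int safe)
{
    struct page pg;
    struct skb  skb;
    build_skb(&skb, &pg, frag_len);
    return safe ? frags_skb_safe(&skb) : frags_skb_buggy(&skb);
}

int main(void)
{
    printf("14-byte frag: buggy reads 0x%04x, safe reads 0x%04x\n",
           run(ETH_HLEN, 0), run(ETH_HLEN, 1));
    printf("60-byte frag: buggy reads 0x%04x, safe reads 0x%04x\n",
           run(60, 0), run(60, 1));
    return 0;
}
```

With a 60-byte fragment both orderings read 0x0800, because the pull leaves 46 bytes in the fragment and the page keeps its reference; only the exactly-14-byte case drains the fragment, so the buggy ordering reads the poisoned page (0xAAAA here) while the safe one still sees 0x0800. That is the sort of driver-chosen fragment size the commit message describes, and why the read of eth->h_proto has to come from memory the skb still owns.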