    udplite: call proper backlog handlers · 30c7be26
    Eric Dumazet authored
    In commits 93821778 ("udp: Fix rcv socket locking") and
    f7ad74fe ("net/ipv6/udp: UDP encapsulation: break backlog_rcv into
    __udpv6_queue_rcv_skb") UDP backlog handlers were renamed, but UDPlite
    was forgotten.
    
    This leads to crashes if UDPlite header is pulled twice, which happens
    starting from commit e6afc8ac ("udp: remove headers from UDP packets
    before queueing")
    
    Bug found by syzkaller team, thanks a lot guys!
    
    Note that backlog use in UDP/UDPlite is scheduled to be removed starting
    from linux-4.10, so this patch is only needed up to linux-4.9
    
    Fixes: 93821778 ("udp: Fix rcv socket locking")
    Fixes: f7ad74fe ("net/ipv6/udp: UDP encapsulation: break backlog_rcv into __udpv6_queue_rcv_skb")
    Fixes: e6afc8ac ("udp: remove headers from UDP packets before queueing")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Andrey Konovalov <andreyknvl@google.com>
    Cc: Benjamin LaHaise <bcrl@kvack.org>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
udp.c 63.9 KB