releases/3.16.60/net-initialize-skb-peeked-when-cloning.patch - pub/scm/linux/kernel/git/bwh/linux-stable-queue - Git at Google

 From: Eric Dumazet <edumazet@google.com>
 Date: Sat, 7 Apr 2018 13:42:39 -0700
 Subject: net: initialize skb->peeked when cloning

 commit b13dda9f9aa7caceeee61c080c2e544d5f5d85e5 upstream.

 syzbot reported __skb_try_recv_from_queue() was using skb->peeked
 while it was potentially unitialized.

 We need to clear it in __skb_clone()

 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
 Signed-off-by: Eric Dumazet <edumazet@google.com>
 Reported-by: syzbot <syzkaller@googlegroups.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
  net/core/skbuff.c | 1 +
  1 file changed, 1 insertion(+)

 --- a/net/core/skbuff.c
 +++ b/net/core/skbuff.c
 @@ -767,6 +767,7 @@ static struct sk_buff *__skb_clone(struc
  	n->hdr_len = skb->nohdr ? skb_headroom(skb) : skb->hdr_len;
  	n->cloned = 1;
  	n->nohdr = 0;
 +	n->peeked = 0;
  	n->destructor = NULL;
  	C(tail);
  	C(end);
	From: Eric Dumazet <edumazet@google.com>
	Date: Sat, 7 Apr 2018 13:42:39 -0700
	Subject: net: initialize skb->peeked when cloning

	commit b13dda9f9aa7caceeee61c080c2e544d5f5d85e5 upstream.

	syzbot reported __skb_try_recv_from_queue() was using skb->peeked
	while it was potentially unitialized.

	We need to clear it in __skb_clone()

	Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Reported-by: syzbot <syzkaller@googlegroups.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
	---
	net/core/skbuff.c \| 1 +
	1 file changed, 1 insertion(+)

	--- a/net/core/skbuff.c
	+++ b/net/core/skbuff.c
	@@ -767,6 +767,7 @@ static struct sk_buff *__skb_clone(struc
	n->hdr_len = skb->nohdr ? skb_headroom(skb) : skb->hdr_len;
	n->cloned = 1;
	n->nohdr = 0;
	+ n->peeked = 0;
	n->destructor = NULL;
	C(tail);
	C(end);