From: Wei Wang
Date: Thu, 4 Oct 2018 10:12:37 -0700
From: Wei Wang
In rawv6_send_hdrinc(), in order to avoid an extra dst_hold(), we
directly assign the dst to skb and set the passed-in dst to NULL to avoid
a double free.
However, in the error case, we free the skb and then do the stats update
with the dst pointer passed in. This causes a use-after-free on the dst.