Hi.
[This is an automated email]
This commit has been processed by the -stable helper bot and determined
to be a high probability candidate for -stable trees. (score: 30.1120)
The bot has tested the following trees: v4.15.15, v4.14.32, v4.9.92, v4.4.126,
v4.15.15: Build OK!
v4.14.32: Build
From: Eric Dumazet
Date: Mon, 2 Apr 2018 18:48:37 -0700
> Once dst has been cached in socket via sk_setup_caps(),
> it is illegal to call ip_rt_put() (or dst_release()),
> since sk_setup_caps() did not change dst refcount.
>
> We can still dereference it since we hold
Once dst has been cached in socket via sk_setup_caps(),
it is illegal to call ip_rt_put() (or dst_release()),
since sk_setup_caps() did not change dst refcount.
We can still dereference it since we hold socket lock.
Caugth by syzbot :
BUG: KASAN: use-after-free in atomic_dec_return