Description: net: a BUG() statement can be hit in net/ipv4/tcp_input.c
References:
 http://www.spinics.net/lists/stable/msg150470.html
 http://www.spinics.net/lists/netdev/msg403701.html
 http://marc.info/?l=linux-netdev&m=147878925724283&w=2
 http://marc.info/?t=147878927800005&r=1&w=2 # the whole thread
 https://bugzilla.redhat.com/show_bug.cgi?id=1393904
 http://marc.info/?l=linux-netdev&m=147881188232264&w=2
 http://marc.info/?t=147881111500001&r=1&w=2&n=2 # the whole thread
 http://marc.info/?l=linux-netdev&m=147881236332369&w=2 # patch v2
 http://www.spinics.net/lists/netdev/msg403787.html
 http://www.spinics.net/lists/netdev/msg403789.html # patch v2
Notes:
 carnil> Issue introduced with the tcp-fastopen feature. Cf.
 carnil> http://www.openwall.com/lists/oss-security/2016/11/30/3
 carnil> Introduced in 3.6-rc1 with cf60af03ca4e71134206809ea892e49b92a88896
 bwh> Eric Dumazet disputes that tcp-fastopen introduced the issue.
 bwh> Only the specific case found by syzkaller seems to depend on it.
Bugs:
upstream: released (4.9-rc6) [ac6e780070e30e4c35bd395acfe9191e6268bdd3]
3.16-upstream-stable: released (3.16.40) [tcp-take-care-of-truncations-done-by-sk_filter.patch]
3.2-upstream-stable: released (3.2.85) [tcp-take-care-of-truncations-done-by-sk_filter.patch]
sid: released (4.8.11-1) [2b5f22e4f7fd208c8d392e5c3755cea1f562cb98]
3.16-jessie-security: released (3.16.39-1) [bugfix/all/tcp-take-care-of-truncations-done-by-sk_filter.patch]
3.2-wheezy-security: released (3.2.84-1) [bugfix/all/tcp-take-care-of-truncations-done-by-sk_filter.patch]