4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haishuang Yan yanhaishuang@cmss.chinamobile.com
[ Upstream commit b699d0035836f6712917a41e7ae58d84359b8ff9 ]
Since iptunnel_pull_header() can call pskb_may_pull(), we must reload any pointer that was related to skb->head.
Fixes: a09a4c8dd1ec ("tunnels: Remove encapsulation offloads on decap") Signed-off-by: Haishuang Yan yanhaishuang@cmss.chinamobile.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin alexander.levin@microsoft.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/ipv6/sit.c | 1 + 1 file changed, 1 insertion(+)
--- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c @@ -690,6 +690,7 @@ static int ipip6_rcv(struct sk_buff *skb
if (iptunnel_pull_header(skb, 0, htons(ETH_P_IPV6))) goto out; + iph = ip_hdr(skb);
err = IP_ECN_decapsulate(iph, skb); if (unlikely(err)) {