Received: by 10.223.176.46 with SMTP id f43csp1286576wra;
        Fri, 19 Jan 2018 09:20:35 -0800 (PST)
X-Google-Smtp-Source: ACJfBovAJLOcP89jfCJX0R1p1ejgn4p4PTIBzAHCCmkAj+gfO6lw9ygKf8+9Dby/VwZs4MpjsUpC
X-Received: by 2002:a17:902:bc47:: with SMTP id t7-v6mr1932383plz.344.1516382435077;
        Fri, 19 Jan 2018 09:20:35 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516382435; cv=none;
        d=google.com; s=arc-20160816;
        b=r8QT85HgFYOK8fRT5R6TZap3FjWBZ82RpJDQ+RQrhIGzhB/Cky200wImcXvCWrLmA4
         2bmQC9eAj6OozSqgJoW/vOnFSew2ycWGV9HnAN/u2NWfrj7PFn8EBFSVtrdR7BCD//33
         xXrzppb6SSImRhiGBt6adgu9D0zvvyTUXiYI15jBQ6X/RboFN2MTY5ur1vWRRKElKt7K
         /mryZTKChQya1scCtSYdm1RMIUQEN4l6+zitYKitrKdMmPrFNzp0bZIVzUkwkUqh0uwc
         uOl+Grrp7ql+DnDTCVCvMYugvUR2W/Ux8Xi6x0rXemS/cb1OxVvYdc29FZYuXnfI8WHi
         JsgQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:arc-authentication-results;
        bh=0v1Rxnmy9mm3ukWd2CCqWxSI9R/xK4dSO06I/ww1cHE=;
        b=Npv2xlDYBdX9YXbBV94l63L9KoXZvg/NBfnNKJwcSp53xO5CjDo/OdVRRJQfhvaEn1
         SYWCq3EYmv2PkiGQ/bGf0rxsZq2SEeEEB1xV9+g1EOw7/iWtSbFZYWLvbkc4XWMrQbEm
         0aXh6EFZREhGO6xs4fnR8Zpv0w1S/HsN+lQjkJOoCCEn+t0mNJkUJQtWJh8N/qCk/GVg
         ERJAYauj1gGee8Xs9RnCxIrXFbW3NZU8HIXbuRqLNcyW83sMNk4xNdGnik1FOu9seCAf
         Hz2bpfWZAsf/2qF5vx9VfLFtlscYyUJeZGLr/xpAh0wffUTiOV4GMoYqVRLY0wZCTAbc
         jjyQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id n189si9521428pfn.40.2018.01.19.09.20.20;
        Fri, 19 Jan 2018 09:20:35 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932480AbeASRTe (ORCPT <rfc822;uzarths@gmail.com> + 99 others);
        Fri, 19 Jan 2018 12:19:34 -0500
Received: from zimbra.alphalink.fr ([217.15.80.77]:58607 "EHLO
        zimbra.alphalink.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1756192AbeASRTE (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 19 Jan 2018 12:19:04 -0500
Received: from localhost (localhost [127.0.0.1])
        by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id 0E2A02B52071;
        Fri, 19 Jan 2018 18:19:02 +0100 (CET)
Received: from zimbra.alphalink.fr ([127.0.0.1])
        by localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1]) (amavisd-new, port 10032)
        with ESMTP id 2cDJ747VfwYh; Fri, 19 Jan 2018 18:19:00 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
        by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id AD6472B52090;
        Fri, 19 Jan 2018 18:19:00 +0100 (CET)
X-Virus-Scanned: amavisd-new at mail-2-cbv2.admin.alphalink.fr
Received: from zimbra.alphalink.fr ([127.0.0.1])
        by localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1]) (amavisd-new, port 10026)
        with ESMTP id fAEOtzb5gaoh; Fri, 19 Jan 2018 18:19:00 +0100 (CET)
Received: from c-dev-0.admin.alphalink.fr (94-84-15-217.reverse.alphalink.fr [217.15.84.94])
        by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id 496452B52071;
        Fri, 19 Jan 2018 18:19:00 +0100 (CET)
Received: by c-dev-0.admin.alphalink.fr (Postfix, from userid 1000)
        id 29062601DD; Fri, 19 Jan 2018 18:19:00 +0100 (CET)
Date:   Fri, 19 Jan 2018 18:19:00 +0100
From:   Guillaume Nault <g.nault@alphalink.fr>
To:     Xin Long <lucien.xin@gmail.com>
Cc:     syzbot 
        <syzbot+ed0838d0fa4c4f2b528e20286e6dc63effc7c14d@syzkaller.appspotmail.com>,
        davem <davem@davemloft.net>,
        Eric Dumazet <eric.dumazet@gmail.com>,
        kuznet <kuznet@ms2.inr.ac.ru>,
        LKML <linux-kernel@vger.kernel.org>, linux-sctp@vger.kernel.org,
        network dev <netdev@vger.kernel.org>,
        Neil Horman <nhorman@tuxdriver.com>,
        syzkaller-bugs@googlegroups.com,
        Vlad Yasevich <vyasevich@gmail.com>,
        =?iso-8859-1?Q?Am=E9rico?= Wang <xiyou.wangcong@gmail.com>,
        yoshfuji <yoshfuji@linux-ipv6.org>
Subject: Re: kernel BUG at net/core/skbuff.c:LINE! (2)
Message-ID: <20180119171900.GO1422@alphalink.fr>
References: <001a1149c712d56ccc055cc48e37@google.com>
 <001a113f6a6aea72c00562d65d39@google.com>
 <CADvbK_f8KVdqWMoFmhOxMxGD8OM5XxoCzMSiyxDv2d+F8sTa_w@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CADvbK_f8KVdqWMoFmhOxMxGD8OM5XxoCzMSiyxDv2d+F8sTa_w@mail.gmail.com>
User-Agent: Mutt/1.9.2 (2017-12-15)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jan 16, 2018 at 04:21:40PM +0800, Xin Long wrote:
> ipv4 tunnels don't  really set dev->hard_header_len properly,
> we may should fix it in pppoe by using needed_headroom,
> as what it doesn't in arp_create.
> 
I'm a bit in doubt about which device needs to be fixed. Should ip_gre
set ->hard_header_len? Or should pppoe take ->needed_headroom into
account in skb_reserve()? I'd favor the later option too, but I haven't
figured out the semantic of these fields precisely enough to justify
this choice.

> @@ -860,16 +861,16 @@ static int pppoe_sendmsg(struct socket *sock,
> struct msghdr *m,
>         if (total_len > (dev->mtu + dev->hard_header_len))
>                 goto end;
> 
> +       rlen = LL_RESERVED_SPACE(dev) + dev->needed_tailroom;
> 
> -       skb = sock_wmalloc(sk, total_len + dev->hard_header_len + 32,
> -                          0, GFP_KERNEL);
> +       skb = sock_wmalloc(sk, total_len + rlen + 32, 0, GFP_KERNEL);
>         if (!skb) {
>                 error = -ENOMEM;
>                 goto end;
>         }
> 
>         /* Reserve space for headers. */
> -       skb_reserve(skb, dev->hard_header_len);
> +       skb_reserve(skb, rlen);
Any reason why you include dev->needed_tailroom in skb_reserve()?
BTW, we also have to fix __pppoe_xmit.

What about this patch?


---- >8 ----
diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
index 4e1da1645b15..42518af53332 100644
--- a/drivers/net/ppp/pppoe.c
+++ b/drivers/net/ppp/pppoe.c
@@ -842,6 +842,7 @@ static int pppoe_sendmsg(struct socket *sock, struct msghdr *m,
 	struct pppoe_hdr *ph;
 	struct net_device *dev;
 	char *start;
+	int hlen;
 
 	lock_sock(sk);
 	if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED)) {
@@ -860,16 +861,16 @@ static int pppoe_sendmsg(struct socket *sock, struct msghdr *m,
 	if (total_len > (dev->mtu + dev->hard_header_len))
 		goto end;
 
-
-	skb = sock_wmalloc(sk, total_len + dev->hard_header_len + 32,
-			   0, GFP_KERNEL);
+	hlen = LL_RESERVED_SPACE(dev);
+	skb = sock_wmalloc(sk, hlen + sizeof(struct pppoe_hdr) + total_len +
+			   dev->needed_tailroom, 0, GFP_KERNEL);
 	if (!skb) {
 		error = -ENOMEM;
 		goto end;
 	}
 
 	/* Reserve space for headers. */
-	skb_reserve(skb, dev->hard_header_len);
+	skb_reserve(skb, hlen);
 	skb_reset_network_header(skb);
 
 	skb->dev = dev;
@@ -930,7 +931,7 @@ static int __pppoe_xmit(struct sock *sk, struct sk_buff *skb)
 	/* Copy the data if there is no space for the header or if it's
 	 * read-only.
 	 */
-	if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len))
+	if (skb_cow_head(skb, LL_RESERVED_SPACE(dev) + sizeof(*ph)))
 		goto abort;
 
 	__skb_push(skb, sizeof(*ph));