Subject: Re: [PATCH AUTOSEL 4.19 15/68] batman-adv: Expand merged fragment buffer for full packet
To: Sasha Levin, stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Sven Eckelmann, Simon Wunderlich, netdev@vger.kernel.org
References: <20181129055559.159228-1-sashal@kernel.org> <20181129055559.159228-15-sashal@kernel.org>
From: Sergei Shtylyov
Organization: Cogent Embedded
Date: Thu, 29 Nov 2018 13:00:22 +0300
In-Reply-To: <20181129055559.159228-15-sashal@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hello!

On 11/29/2018 08:55 AM, Sasha Levin wrote:
> From: Sven Eckelmann
>
> [ Upstream commit d7d8bbb40a5b1f682ee6589e212934f4c6b8ad60 ]
>
> The complete size ("total_size") of the fragmented packet is stored in the
> fragment header and in the size of the fragment chain. When the fragments
> are ready for merge, the skbuff's tail of the first fragment is expanded to
> have enough room after the data pointer for at least total_size. This means
> that it gets expanded by total_size - first_skb->len.
>
> But this is ignoring the fact that after expanding the buffer, the fragment
> header is pulled by from this buffer. Assuming that the tailroom of the

   Pulled by what?

> buffer was already 0, the buffer after the data pointer of the skbuff is
> now only total_size - len(fragment_header) large. When the merge function
> is then processing the remaining fragments, the code to copy the data over
> to the merged skbuff will cause an skb_over_panic when it tries to actually
> put enough data to fill the total_size bytes of the packet.
>
> The size of the skb_pull must therefore also be taken into account when the
> buffer's tailroom is expanded.
>
> Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
> Reported-by: Martin Weinelt
> Co-authored-by: Linus Lüssing
> Signed-off-by: Sven Eckelmann
> Signed-off-by: Simon Wunderlich
> Signed-off-by: Sasha Levin
[...]

MBR, Sergei
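The tailroom accounting the quoted commit message describes can be checked with a small model. The following is an added example written for this page; it is not code from the patch, from batman-adv or from the kernel's sk_buff implementation. It models only the fields the merge touches (head/data/tail/end), replaces skb_over_panic with an error return, and takes the first-fragment length, fragment-header length and announced total_size as parameters; the field names and the `merge_fragments` helper are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the skbuff fields a fragment merge touches: a linear buffer
 * [head, end) whose live data occupies [data, tail). This is a constructed
 * model for illustration, not the kernel's struct sk_buff. */
struct toy_skb {
    unsigned char *head;
    unsigned char *data;
    unsigned char *tail;
    unsigned char *end;
};

static unsigned int toy_len(const struct toy_skb *skb)      { return (unsigned int)(skb->tail - skb->data); }
static unsigned int toy_tailroom(const struct toy_skb *skb) { return (unsigned int)(skb->end - skb->tail); }

/* skb_put-like: reserve len bytes after tail. The kernel would hit
 * skb_over_panic() when len exceeds the tailroom; the model returns NULL. */
static unsigned char *toy_put(struct toy_skb *skb, unsigned int len)
{
    if (len > toy_tailroom(skb))
        return NULL;
    unsigned char *p = skb->tail;
    skb->tail += len;
    return p;
}

/* skb_pull-like: consume len bytes from the front of the data. */
static void toy_pull(struct toy_skb *skb, unsigned int len)
{
    skb->data += len;
}

/* pskb_expand_head-like: grow the tailroom by extra bytes, keeping the
 * existing data at the same offsets from head. */
static int toy_expand_tail(struct toy_skb *skb, unsigned int extra)
{
    size_t off_data = (size_t)(skb->data - skb->head);
    size_t off_tail = (size_t)(skb->tail - skb->head);
    size_t new_size = (size_t)(skb->end - skb->head) + extra;
    unsigned char *n = realloc(skb->head, new_size);
    if (!n)
        return -1;
    skb->head = n;
    skb->data = n + off_data;
    skb->tail = n + off_tail;
    skb->end  = n + new_size;
    return 0;
}

/* Merge a fragment chain into the first fragment (model, not batman-adv code).
 * first_len:    bytes in the received first fragment, header included.
 * hdr_len:      fragment header pulled off the first fragment before the
 *               other payloads are appended.
 * total_size:   packet length announced in the fragment header.
 * frag_payload: payload carried by each of the remaining fragments.
 * fix:          0 expands by total_size - first_len (the accounting the
 *               commit message calls out); 1 also adds hdr_len.
 * Returns the merged length, or -1 where the kernel would have panicked. */
static int merge_fragments(unsigned int first_len, unsigned int hdr_len,
                           unsigned int total_size, unsigned int frag_payload,
                           int fix)
{
    if (hdr_len > first_len || first_len > total_size || frag_payload == 0)
        return -1;

    /* First fragment as received: header plus payload, tailroom 0. */
    struct toy_skb skb;
    skb.head = malloc(first_len);
    if (!skb.head)
        return -1;
    memset(skb.head, 0, first_len);
    skb.data = skb.head;
    skb.tail = skb.head + first_len;
    skb.end  = skb.tail;

    unsigned int expand = total_size - first_len;
    if (fix)
        expand += hdr_len;           /* room for the header pulled below */
    if (toy_expand_tail(&skb, expand) < 0) {
        free(skb.head);
        return -1;
    }

    /* The fragment header is consumed before any payload is appended, so the
     * usable room after data shrinks by hdr_len. */
    toy_pull(&skb, hdr_len);

    int result = -1;
    unsigned int remaining = total_size - toy_len(&skb);
    while (remaining > 0) {
        unsigned int chunk = remaining < frag_payload ? remaining : frag_payload;
        if (!toy_put(&skb, chunk))   /* overflow: skb_over_panic in the kernel */
            goto out;
        remaining -= chunk;
    }
    result = (int)toy_len(&skb);
out:
    free(skb.head);
    return result;
}

int main(void)
{
    /* Constructed sizes: 100-byte first fragment with a 20-byte header,
     * 1400-byte packet, remaining fragments carrying 500 bytes each. */
    printf("without fix: %d\n", merge_fragments(100, 20, 1400, 500, 0));
    printf("with fix:    %d\n", merge_fragments(100, 20, 1400, 500, 1));
    return 0;
}
```

With the constructed sizes the unfixed expansion leaves exactly hdr_len bytes too little room, and the shortfall only surfaces on the last fragment's put, which matches the commit message's description of the panic appearing when the final bytes of total_size are copied. With hdr_len set to 0 the unfixed arithmetic is correct, which is why the pull is the term the fix has to add.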