Subject: Re: [PATCH AUTOSEL 4.19 15/68] batman-adv: Expand merged fragment buffer for full packet
From: Sergei Shtylyov
To: Sasha Levin, stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Sven Eckelmann, Simon Wunderlich, netdev@vger.kernel.org
References: <20181129055559.159228-1-sashal@kernel.org> <20181129055559.159228-15-sashal@kernel.org>
Organization: Cogent Embedded
Message-ID: <3da190f1-254a-28d8-3219-1a129c5b8fda@cogentembedded.com>
Date: Thu, 29 Nov 2018 13:04:42 +0300

On 11/29/2018 01:00 PM, Sergei Shtylyov wrote:

>> From: Sven Eckelmann
>>
>> [ Upstream commit d7d8bbb40a5b1f682ee6589e212934f4c6b8ad60 ]
>>
>> The complete size ("total_size") of the fragmented packet is stored in the
>> fragment header and in the size of the fragment chain. When the fragments
>> are ready for merge, the skbuff's tail of the first fragment is expanded to
>> have enough room after the data pointer for at least total_size. This means
>> that it gets expanded by total_size - first_skb->len.
>>
>> But this is ignoring the fact that after expanding the buffer, the fragment
>> header is pulled by from this buffer. Assuming that the tailroom of the
>
>    Pulled by what?

   Oops, this was a -stable patch! Nevermind then. :-)

>> buffer was already 0, the buffer after the data pointer of the skbuff is
>> now only total_size - len(fragment_header) large. When the merge function
>> is then processing the remaining fragments, the code to copy the data over
>> to the merged skbuff will cause an skb_over_panic when it tries to actually
>> put enough data to fill the total_size bytes of the packet.
>>
>> The size of the skb_pull must therefore also be taken into account when the
>> buffer's tailroom is expanded.
>>
>> Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
>> Reported-by: Martin Weinelt
>> Co-authored-by: Linus Lüssing
>> Signed-off-by: Sven Eckelmann
>> Signed-off-by: Simon Wunderlich
>> Signed-off-by: Sasha Levin
> [...]

MBR, Sergei
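The tailroom arithmetic the quoted commit message describes, as an added example that is not part of this thread and not batman-adv code: a toy stand-in for the sk_buff fields involved (`toy_skb`, `expand_tail`, `pull`, `put`), an assumed 20-byte fragment header size and constructed fragment sizes, all chosen for illustration. `merge()` grows the first fragment's tailroom by `total_size - len` (the original behaviour) or by that amount plus the header that `skb_pull` removes (the fix), then copies the remaining fragments in and reports whether the copy would have overrun the buffer, which is where the kernel hits skb_over_panic.

```c
/* Toy model of the sk_buff tailroom arithmetic in the fragment merge.
 * Added example, not batman-adv code: the struct, the helper names and
 * the sizes are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed fragment header size in bytes (a constructed value, not the
 * real struct batadv_frag_packet size). */
#define FRAG_HDR_SIZE 20

/* Minimal stand-in for the parts of struct sk_buff that matter here. */
struct toy_skb {
    size_t len;      /* bytes in use starting at the data pointer */
    size_t tailroom; /* free bytes after data + len */
};

/* Stand-in for pskb_expand_head(skb, 0, ntail, ...): grows the tailroom. */
static void expand_tail(struct toy_skb *skb, size_t ntail)
{
    skb->tailroom += ntail;
}

/* Stand-in for skb_pull(skb, n): the data pointer advances and len shrinks,
 * but the tailroom does not grow. This is the part the original expansion
 * did not account for. */
static void pull(struct toy_skb *skb, size_t n)
{
    skb->len -= n;
}

/* Stand-in for skb_put(skb, n): returns false where the kernel would hit
 * skb_over_panic because the tailroom is too small. */
static bool put(struct toy_skb *skb, size_t n)
{
    if (n > skb->tailroom)
        return false;
    skb->len += n;
    skb->tailroom -= n;
    return true;
}

/* Merge a fragment chain into the first fragment's buffer.
 * first_len  : len of the first fragment (fragment header + its payload)
 * total_size : size of the complete packet, as carried in the header
 * rest/nrest : payload sizes of the remaining fragments
 * fixed      : false = expand by total_size - len (the original code),
 *              true  = also add back the header that pull() removes
 * Returns true when every fragment fits and the result is total_size long. */
static bool merge(size_t first_len, size_t total_size,
                  const size_t *rest, size_t nrest, bool fixed)
{
    struct toy_skb skb_out = { .len = first_len, .tailroom = 0 };
    size_t grow;

    if (first_len < FRAG_HDR_SIZE || first_len > total_size)
        return false;

    grow = total_size - skb_out.len;
    if (fixed)
        grow += FRAG_HDR_SIZE;
    expand_tail(&skb_out, grow);

    /* The fragment header is pulled off the front after the expansion. */
    pull(&skb_out, FRAG_HDR_SIZE);

    for (size_t i = 0; i < nrest; i++)
        if (!put(&skb_out, rest[i]))
            return false; /* skb_over_panic in the real kernel */

    return skb_out.len == total_size;
}

/* Constructed cases: a 1000-byte packet in two fragments (500 + 500) and
 * a 1200-byte packet in three fragments (400 + 400 + 400). */
bool merge_two_fragments(bool fixed)
{
    const size_t rest[] = { 500 };
    return merge(FRAG_HDR_SIZE + 500, 1000, rest, 1, fixed);
}

bool merge_three_fragments(bool fixed)
{
    const size_t rest[] = { 400, 400 };
    return merge(FRAG_HDR_SIZE + 400, 1200, rest, 2, fixed);
}

int main(void)
{
    printf("two fragments:   original=%d fixed=%d\n",
           merge_two_fragments(false), merge_two_fragments(true));
    printf("three fragments: original=%d fixed=%d\n",
           merge_three_fragments(false), merge_three_fragments(true));
    return 0;
}
```

With the original expansion the two-fragment case ends up with 480 bytes of tailroom after the 20-byte header is pulled, so the second 500-byte fragment does not fit; adding the header size back to the expansion leaves exactly the 500 bytes the remaining data needs.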