Message-ID: <45522c89-a3b4-4b98-232b-9c69470124a3@linaro.org>
Date: Tue, 8 Mar 2022 11:46:07 -0800
To: David Ahern, David Laight, davem@davemloft.net
Cc: Hideaki YOSHIFUJI, Jakub Kicinski, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org,
syzbot+e223cf47ec8ae183f2a0@syzkaller.appspotmail.com
References: <20220308000146.534935-1-tadeusz.struk@linaro.org> <14626165dad64bbaabed58ba7d59e523@AcuMS.aculab.com> <6155b68c-161b-0745-b303-f7e037b56e28@linaro.org> <66463e26-8564-9f58-ce41-9a2843891d1a@kernel.org>
From: Tadeusz Struk
Subject: Re: [PATCH] net: ipv6: fix invalid alloclen in __ip6_append_data
In-Reply-To: <66463e26-8564-9f58-ce41-9a2843891d1a@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 3/8/22 10:18, David Ahern wrote:
>> alloclen = 1480
>> alloc_extra = 136
>> datalen = 64095
>> fragheaderlen = 1480
>> fraglen = 65575
>> transhdrlen = 0
>> mtu = 1480
>>
> Does this solve the problem (whitespace damaged on paste, but it is just
> a code move and removing fraglen getting set twice):
>
> diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c > index e69fac576970..59f036241f1b 100644 > --- a/net/ipv6/ip6_output.c > +++ b/net/ipv6/ip6_output.c > @@ -1589,6 +1589,15 @@ static int __ip6_append_data(struct sock *sk, > > if (datalen > (cork->length <= mtu && > !(cork->flags & IPCORK_ALLFRAG) ? mtu : maxfraglen) - fragheaderlen) > datalen = maxfraglen - fragheaderlen - > rt->dst.trailer_len; > + > + if (datalen != length + fraggap) { > + /* > + * this is not the last fragment, the > trailer > + * space is regarded as data space. > + */ > + datalen += rt->dst.trailer_len; > + } > + > fraglen = datalen + fragheaderlen; > pagedlen = 0;
> > @@ -1615,16 +1624,6 @@ static int __ip6_append_data(struct sock *sk, > } > alloclen += alloc_extra; > > - if (datalen != length + fraggap) { > - /* > - * this is not the last fragment, the > trailer > - * space is regarded as data space. > - */ > - datalen += rt->dst.trailer_len; > - } > - > - fraglen = datalen + fragheaderlen; > - > copy = datalen - transhdrlen - fraggap - pagedlen; > if (copy < 0) { > err = -EINVAL;

That fails in the same way:

skbuff: skb_over_panic: text:ffffffff83e7b48b len:65575 put:65575 head:ffff888101f8a000 data:ffff888101f8a088 tail:0x100af end:0x6c0 dev:
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:113!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 1852 Comm: repro Not tainted 5.17.0-rc7-00020-gea4424be1688-dirty #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1.fc35
RIP: 0010:skb_panic+0x173/0x175

I'm not sure how it is supposed to help since it doesn't change the alloclen at all. I think the problem here is that the size of the allocated skb is too small.

-- 
Thanks,
Tadeusz
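Review bot: the first hunk (`@@ -1589,6 +1589,15 @@`) moves `datalen += rt->dst.trailer_len;` and `fraglen = datalen + fragheaderlen;` ahead of the allocation, but nothing in the hunk bounds datalen against the space the skb will actually get. With the values quoted above, alloclen is 1480 plus alloc_extra 136, while fraglen = datalen + fragheaderlen = 64095 + 1480 = 65575, and the panic reports `put:65575` against `end:0x6c0`; moving trailer_len into datalen earlier changes datalen by trailer_len only, so the same oversized put follows. Note also that mtu (1480) equals fragheaderlen (1480) here, so the `? mtu : maxfraglen) - fragheaderlen` threshold in the context line leaves no payload room per fragment. Suggest a check, before the copy, that fraglen does not exceed what alloclen covers (or rejecting the cork when mtu minus fragheaderlen leaves no room for payload) rather than a reorder.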
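Review bot: the second hunk (`@@ -1615,16 +1624,6 @@`) is the mirror removal after `alloclen += alloc_extra;`, so at `copy = datalen - transhdrlen - fraggap - pagedlen;` datalen already includes trailer_len exactly as it did before the move, and alloclen is not touched. Within the visible lines the only guard is `if (copy < 0) { err = -EINVAL;`, which rejects a negative copy but not a copy larger than the allocated skb; if the reorder stays, an upper-bound check on copy (or on fraglen versus alloclen) belongs next to that test.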