Date: Tue, 8 Mar 2022 07:43:25 -0800
From: Tadeusz Struk
To: David Laight, "davem@davemloft.net"
Cc: Hideaki YOSHIFUJI, David Ahern, Jakub Kicinski, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, "netdev@vger.kernel.org", "bpf@vger.kernel.org", "linux-kernel@vger.kernel.org", "stable@vger.kernel.org", "syzbot+e223cf47ec8ae183f2a0@syzkaller.appspotmail.com"
Subject: Re: [PATCH] net: ipv6: fix invalid alloclen in __ip6_append_data
X-Mailing-List: linux-kernel@vger.kernel.org

Hi David,

On 3/7/22 18:58, David Laight wrote:
>> diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c >> index 4788f6b37053..622345af323e 100644 >> --- a/net/ipv6/ip6_output.c >> +++ b/net/ipv6/ip6_output.c >> @@ -1629,6 +1629,13 @@ static int __ip6_append_data(struct sock *sk, >> err = -EINVAL; >> goto error; >> } >> + if (unlikely(alloclen < fraglen)) { >> + if (printk_ratelimit()) >> + pr_warn("%s: wrong alloclen: %d, fraglen: %d", >> + __func__, alloclen, fraglen); >> + alloclen = fraglen; >> + } >> +
> Except that is a valid case, see a few lines higher:
>
> alloclen = min_t(int, fraglen, MAX_HEADER);
> pagedlen = fraglen - alloclen;
>
> You need to report the input values that cause the problem later on.

OK, but in this case it falls into the first if block:
https://elixir.bootlin.com/linux/v5.17-rc7/source/net/ipv6/ip6_output.c#L1606
where alloclen is assigned the value of mtu.
The values in this case just before the alloc_skb() are:

alloclen = 1480
alloc_extra = 136
datalen = 64095
fragheaderlen = 1480
fraglen = 65575
transhdrlen = 0
mtu = 1480

--
Thanks,
Tadeusz
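
Review bot: the `alloclen < fraglen` test in the added block also matches the paged path quoted in the reply, where `alloclen = min_t(int, fraglen, MAX_HEADER)` and `pagedlen = fraglen - alloclen` leave alloclen below fraglen by design, so the unconditional `alloclen = fraglen` would undo that split for valid callers. Move the check to the branch that produced the reported values (alloclen set to mtu, with fragheaderlen equal to mtu at 1480 and fraglen at 65575) and validate the inputs there, rather than correcting alloclen after the fact. Two smaller points in the same block: the `pr_warn` format string has no trailing `\n`, and the `printk_ratelimit()` plus `pr_warn()` pair can be a single `pr_warn_ratelimited()` call.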