From: Willem de Bruijn
Date: Tue, 19 Sep 2023 16:32:41 -0400
Subject: Re: [PATCH net] ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()
To: David Howells
Cc: netdev@vger.kernel.org, syzbot+62cbf263225ae13ff153@syzkaller.appspotmail.com, Eric Dumazet, "David S. Miller", David Ahern, Paolo Abeni, Jakub Kicinski, bpf@vger.kernel.org, syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org

On Tue, Sep 19, 2023 at 12:12 PM David Howells wrote:
>
> Including the transhdrlen in length is a problem when the packet is
> partially filled (e.g. something like send(MSG_MORE) happened previously)
> when appending to an IPv4 or IPv6 packet as we don't want to repeat the
> transport header or account for it twice. This can happen under some
> circumstances, such as splicing into an L2TP socket.
>
> The symptom observed is a warning in __ip6_append_data():
>
> WARNING: CPU: 1 PID: 5042 at net/ipv6/ip6_output.c:1800 __ip6_append_data.isra.0+0x1be8/0x47f0 net/ipv6/ip6_output.c:1800
>
> that occurs when MSG_SPLICE_PAGES is used to append more data to an already
> partially occupied skbuff. The warning occurs when 'copy' is larger than
> the amount of data in the message iterator. This is because the requested
> length includes the transport header length when it shouldn't.
> This can be
> triggered by, for example:
>
>     sfd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_L2TP);
>     bind(sfd, ...); // ::1
>     connect(sfd, ...); // ::1 port 7
>     send(sfd, buffer, 4100, MSG_MORE);
>     sendfile(sfd, dfd, NULL, 1024);
>
> Fix this by pushing the addition of transhdrlen into length down into
> __ip_append_data() and __ip6_append_data(), making it conditional on the
> write queue being empty (otherwise we just clear transhdrlen).

I'm afraid that we might start to dig an ever deeper hole.

The proposed fix is non-trivial, and changes not just the new path that
observes the issue (MSG_SPLICE_PAGES), but also the other more common
paths that exercise __ip6_append_data. There is significant risk to
introduce an unintended side effect requiring a follow-up fix. Because
this function is notoriously complex, multiplexing a lot of behavior:
with and without transport headers, edge cases like fragmentation,
MSG_MORE, absence of scatter-gather, ....

Does the issue discovered only affect MSG_SPLICE_PAGES or can it affect
other paths too? If the first, is it possible to create a more targeted
fix that can trivially be seen to not affect code prior to the
introduction of splice pages?