Message-ID: <3792062.1694791940@warthog.procyon.org.uk>
Date: Fri, 15 Sep 2023 16:32:20 +0100
From: David Howells <dhowells@...hat.com>
To: Eric Dumazet <edumazet@...gle.com>
Cc: dhowells@...hat.com,
syzbot <syzbot+62cbf263225ae13ff153@...kaller.appspotmail.com>,
bpf@...r.kernel.org, davem@...emloft.net, dsahern@...nel.org,
kuba@...nel.org, linux-kernel@...r.kernel.org,
netdev@...r.kernel.org, pabeni@...hat.com,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [net?] WARNING in __ip6_append_data
Hi Eric,
> > WARNING: CPU: 1 PID: 5042 at net/ipv6/ip6_output.c:1800 __ip6_append_data.isra.0+0x1be8/0x47f0 net/ipv6/ip6_output.c:1800
That would appear to be this:
	if (WARN_ON_ONCE(copy > msg->msg_iter.count))
		goto error;
However, I have a problem: the repro program errors out at this point,
before it gets that far:
	if (cork->length + length > maxnonfragsize - headersize) {
emsgsize:
		pmtu = max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0);
		ipv6_local_error(sk, EMSGSIZE, fl6, pmtu);
		return -EMSGSIZE;
	}
Are you able to reproduce the issue?
The values in and around that point are:
	cork->length		0
	length			65540
	maxnonfragsize		65575
	headersize		40
	transhdrlen		4
	mtu			65536
	ip6_sk_ignore_df(sk)	true
with maxnonfragsize coming from 'sizeof(struct ipv6hdr) + IPV6_MAXPLEN'. Is
that even viable for the size of a packet?
David