Hi David, On 3/7/22 18:58, David Laight wrote:
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 4788f6b37053..622345af323e 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -1629,6 +1629,13 @@ static int __ip6_append_data(struct sock *sk, err = -EINVAL; goto error; } + if (unlikely(alloclen < fraglen)) { + if (printk_ratelimit()) + pr_warn("%s: wrong alloclen: %d, fraglen: %d", + __func__, alloclen, fraglen); + alloclen = fraglen; + } +Except that is a valid case, see a few lines higher: alloclen = min_t(int, fraglen, MAX_HEADER); pagedlen = fraglen - alloclen; You need to report the input values that cause the problem later on.
OK, but in this case it falls into the first if block: https://elixir.bootlin.com/linux/v5.17-rc7/source/net/ipv6/ip6_output.c#L1606 where alloclen is assigned the value of mtu. The values in this case are just before the alloc_skb() are: alloclen = 1480 alloc_extra = 136 datalen = 64095 fragheaderlen = 1480 fraglen = 65575 transhdrlen = 0 mtu = 1480 -- Thanks, Tadeusz
