On 3/8/22 10:18, David Ahern wrote:
alloclen = 1480
alloc_extra = 136
datalen = 64095
fragheaderlen = 1480
fraglen = 65575
transhdrlen = 0
mtu = 1480
Does this solve the problem (whitespace damaged on paste, but it is just
a code move and removing fraglen getting set twice):
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index e69fac576970..59f036241f1b 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1589,6 +1589,15 @@ static int __ip6_append_data(struct sock *sk,
if (datalen > (cork->length <= mtu &&
!(cork->flags & IPCORK_ALLFRAG) ? mtu : maxfraglen) - fragheaderlen)
datalen = maxfraglen - fragheaderlen -
rt->dst.trailer_len;
+
+ if (datalen != length + fraggap) {
+ /*
+ * this is not the last fragment, the
trailer
+ * space is regarded as data space.
+ */
+ datalen += rt->dst.trailer_len;
+ }
+
fraglen = datalen + fragheaderlen;
pagedlen = 0;
@@ -1615,16 +1624,6 @@ static int __ip6_append_data(struct sock *sk,
}
alloclen += alloc_extra;
- if (datalen != length + fraggap) {
- /*
- * this is not the last fragment, the
trailer
- * space is regarded as data space.
- */
- datalen += rt->dst.trailer_len;
- }
-
- fraglen = datalen + fragheaderlen;
-
copy = datalen - transhdrlen - fraggap - pagedlen;
if (copy < 0) {
err = -EINVAL;
That fails in the same way:
skbuff: skb_over_panic: text:ffffffff83e7b48b len:65575 put:65575
head:ffff888101f8a000 data:ffff888101f8a088 tail:0x100af end:0x6c0 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:113!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 1852 Comm: repro Not tainted 5.17.0-rc7-00020-gea4424be1688-dirty #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1.fc35
RIP: 0010:skb_panic+0x173/0x175
I'm not sure how it supposed to help since it doesn't change the alloclen at all.
I think the problem here is that the size of the allocated skb is too small.
--
Thanks,
Tadeusz
