Re: [syzbot] [net?] WARNING in __ip6_append_data

From: David Howells
Date: Fri Sep 15 2023 - 11:33:28 EST


Hi Eric,

> > WARNING: CPU: 1 PID: 5042 at net/ipv6/ip6_output.c:1800 __ip6_append_data.isra.0+0x1be8/0x47f0 net/ipv6/ip6_output.c:1800

That would appear to be this:

	if (WARN_ON_ONCE(copy > msg->msg_iter.count))
		goto error;

However, I have a problem that the repro program errors out at this point
before it gets that far:

	if (cork->length + length > maxnonfragsize - headersize) {
emsgsize:
		pmtu = max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0);
		ipv6_local_error(sk, EMSGSIZE, fl6, pmtu);
		return -EMSGSIZE;
	}

Are you able to reproduce the issue?

The values in and around that point are:

	cork->length		0
	length			65540
	maxnonfragsize		65575
	headersize		40
	transhdrlen		4
	mtu			65536
	ip6_sk_ignore_df(sk)	true

with maxnonfragsize coming from 'sizeof(struct ipv6hdr) + IPV6_MAXPLEN'. Is
that even viable for the size of a packet?

David