Re: [syzbot] [net?] WARNING in __ip6_append_data
From: David Howells
Date: Mon Sep 18 2023 - 06:12:31 EST
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 65d6e954e378
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 0665e8b09968..7978335c1fc4 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1517,8 +1517,10 @@ static int __ip6_append_data(struct sock *sk,
rt->rt6i_nfheader_len;
if (mtu <= fragheaderlen ||
- ((mtu - fragheaderlen) & ~7) + fragheaderlen <= sizeof(struct frag_hdr))
+ ((mtu - fragheaderlen) & ~7) + fragheaderlen <= sizeof(struct frag_hdr)) {
+ printk("__%u__: EMSGSIZE\n", __LINE__);
goto emsgsize;
+ }
maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen -
sizeof(struct frag_hdr);
@@ -1526,8 +1528,10 @@ static int __ip6_append_data(struct sock *sk,
/* as per RFC 7112 section 5, the entire IPv6 Header Chain must fit
* the first fragment
*/
- if (headersize + transhdrlen > mtu)
+ if (headersize + transhdrlen > mtu) {
+ printk("__%u__: EMSGSIZE\n", __LINE__);
goto emsgsize;
+ }
if (cork->length + length > mtu - headersize && ipc6->dontfrag &&
(sk->sk_protocol == IPPROTO_UDP ||
@@ -1535,15 +1539,23 @@ static int __ip6_append_data(struct sock *sk,
sk->sk_protocol == IPPROTO_RAW)) {
ipv6_local_rxpmtu(sk, fl6, mtu - headersize +
sizeof(struct ipv6hdr));
+ printk("__%u__: EMSGSIZE\n", __LINE__);
goto emsgsize;
}
- if (ip6_sk_ignore_df(sk))
+ if (ip6_sk_ignore_df(sk)) {
maxnonfragsize = sizeof(struct ipv6hdr) + IPV6_MAXPLEN;
- else
+ printk("MAXPLEN\n");
+ } else {
maxnonfragsize = mtu;
+ printk("mtu\n");
+ }
+ printk("check %d %zd %d %d, %d %d\n",
+ cork->length, length, maxnonfragsize, headersize,
+ transhdrlen, mtu);
if (cork->length + length > maxnonfragsize - headersize) {
+ printk("__%u__: EMSGSIZE\n", __LINE__);
emsgsize:
pmtu = max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0);
ipv6_local_error(sk, EMSGSIZE, fl6, pmtu);
@@ -1817,8 +1829,10 @@ static int __ip6_append_data(struct sock *sk,
if (!skb_can_coalesce(skb, i, pfrag->page,
pfrag->offset)) {
err = -EMSGSIZE;
- if (i == MAX_SKB_FRAGS)
+ if (i == MAX_SKB_FRAGS) {
+ printk("__%u__: EMSGSIZE\n", __LINE__);
goto error;
+ }
__skb_fill_page_desc(skb, i, pfrag->page,
pfrag->offset, 0);
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index ed8ebb6f5909..daaaf60dce01 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -502,6 +502,8 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
int ulen;
int err;
+ printk("%s()\n", __func__);
+
/* Rough check on arithmetic overflow,
* better check is made in ip6_append_data().
*/