Re: [syzbot] [tipc?] kernel BUG in __pskb_pull_tail

From: Hillf Danton
Date: Fri Dec 13 2024 - 18:09:18 EST


On Thu, 12 Dec 2024 14:20:26 -0800
> syzbot found the following issue on:
>
> HEAD commit: 96b6fcc0ee41 Merge branch 'net-dsa-cleanup-eee-part-1'
> git tree: net-next
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=117844f8580000

Test fix (https://patchwork.kernel.org/project/netdevbpf/patch/20241212222247.724674-1-edumazet@xxxxxxxxxx/ )

#syz test

--- x/drivers/net/tun.c
+++ y/drivers/net/tun.c
@@ -1485,7 +1485,7 @@ static struct sk_buff *tun_napi_alloc_fr
skb->truesize += skb->data_len;

for (i = 1; i < it->nr_segs; i++) {
- const struct iovec *iov = iter_iov(it);
+ const struct iovec *iov = iter_iov(it) + i;
size_t fragsz = iov->iov_len;
struct page *page;
void *frag;
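
Review bot: The new index in the loop body, iter_iov(it) + i, is only right if iter_iov(it) still points at segment 0 when the loop is entered, so it is worth a short comment saying the iterator has not been advanced at this point, or taking the base pointer once before the loop and indexing it as iov[i]. The old line read the same iovec on every pass of for (i = 1; i < it->nr_segs; i++), so fragsz never reflected the length of segment i, while skb->truesize is bumped by the full skb->data_len just above. The visible context does not show fragsz being validated before use; if the check sits below this hunk, confirm it now runs against the per-segment length. A submitted version of this change should also carry a changelog that names the syzbot report it addresses.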
--