Re: [PATCH net] ipv6: rpl: expand skb head when recompressed SRH grows, not only on last segment

From: Greg KH

Date: Tue Apr 21 2026 - 01:53:48 EST


On Tue, Apr 21, 2026 at 04:52:52AM +0000, Kuniyuki Iwashima wrote:
> From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> Date: Mon, 20 Apr 2026 21:32:25 +0200
> > ipv6_rpl_srh_rcv() processes a Routing Protocol for LLNs Source Routing
> > Header by decompressing it, swapping the next segment address into
> > ipv6_hdr->daddr, recompressing, and pushing the new header back. The
> > recompressed header can be larger than the original when the
> > address-elision opportunities are worse after the swap.
> >
> > The function pulls (hdr->hdrlen + 1) << 3 bytes (the old header) and
> > pushes (chdr->hdrlen + 1) << 3 + sizeof(ipv6hdr) bytes (the new header
> > plus the IPv6 header). pskb_expand_head() is called to guarantee
> > headroom only when segments_left == 0.
> >
> > A crafted SRH that loops back to the local host (each segment is a local
> > address, so ip6_route_input() delivers it back to ipv6_rpl_srh_rcv())
> > with chdr growing on each pass exhausts headroom over several
> > iterations.
>
> How could this occur? Did AI generate a repro or just
> flag the possibility?

It generated a reproducer which caused a crash which made me have to
create this patch. I'll dig it out of the huge pile of mess that was
sent to me and get it into a form that I can reply here to.

thanks,

greg k-h
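
The headroom accounting described in the quoted commit message, as an added example that is not part of the thread or the kernel source: a small C model of the pull/push byte counts that compares a per-pass check against expanding only when segments_left == 0. The struct, the function names, the sample passes and the starting headroom of 56 bytes are constructed for illustration, and headroom is assumed to be measured with the data pointer at the SRH.

```c
#include <stdio.h>
#include <stddef.h>

#define IPV6_HDR_LEN 40u /* sizeof(struct ipv6hdr) */

/* One pass through the receive path: hdrlen before and after recompression. */
struct pass { unsigned old_hdrlen, new_hdrlen, segments_left; };

/* Routing header length in bytes from its hdrlen field: (hdrlen + 1) << 3. */
static unsigned srh_bytes(unsigned hdrlen) { return (hdrlen + 1u) << 3; }

/* Nonzero if the push of the new header plus IPv6 header would not fit in
 * the headroom left after pulling the old header. Ignores segments_left. */
static int needs_expand(unsigned headroom, const struct pass *p)
{
    return srh_bytes(p->new_hdrlen) + IPV6_HDR_LEN >
           headroom + srh_bytes(p->old_hdrlen);
}

/* Model of expanding only when segments_left == 0. Returns the index of the
 * first pass whose push would underrun the buffer, or -1 if none does.
 * Assumption: headroom is measured with the data pointer at the SRH, so the
 * 40 bytes of the IPv6 header count as headroom again on the next pass. */
static int first_underrun(unsigned headroom, const struct pass *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned avail = headroom + srh_bytes(p[i].old_hdrlen);
        unsigned need = srh_bytes(p[i].new_hdrlen) + IPV6_HDR_LEN;
        if (needs_expand(headroom, &p[i])) {
            if (p[i].segments_left != 0)
                return (int)i;   /* no expansion on this path */
            avail = need;        /* expansion modeled as "exactly enough" */
        }
        headroom = avail - need + IPV6_HDR_LEN;
    }
    return -1;
}

/* Constructed sample: the header grows by 8 bytes on each of three passes. */
static const struct pass growing[] = { {2, 3, 3}, {3, 4, 2}, {4, 5, 1} };
/* Constructed sample: growth only on the last segment, which is expanded. */
static const struct pass last_only[] = { {2, 2, 1}, {2, 5, 0} };

int main(void)
{
    printf("growing:   %d\n", first_underrun(56, growing, 3));
    printf("last_only: %d\n", first_underrun(56, last_only, 2));
    return 0;
}
```

In the growing sample each pass alone needs only 8 extra bytes, so the shortfall appears on the third pass, while segments_left is still nonzero.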