Re: [PATCH net] ipv6: rpl: expand skb head when recompressed SRH grows, not only on last segment
From: Greg KH
Date: Tue Apr 21 2026 - 03:48:50 EST
On Tue, Apr 21, 2026 at 07:50:45AM +0200, Greg KH wrote:
> On Tue, Apr 21, 2026 at 04:52:52AM +0000, Kuniyuki Iwashima wrote:
> > From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> > Date: Mon, 20 Apr 2026 21:32:25 +0200
> > > ipv6_rpl_srh_rcv() processes a Routing Protocol for LLNs Source Routing
> > > Header by decompressing it, swapping the next segment address into
> > > ipv6_hdr->daddr, recompressing, and pushing the new header back. The
> > > recompressed header can be larger than the original when the
> > > address-elision opportunities are worse after the swap.
> > >
> > > The function pulls (hdr->hdrlen + 1) << 3 bytes (the old header) and
> > > pushes (chdr->hdrlen + 1) << 3 + sizeof(ipv6hdr) bytes (the new header
> > > plus the IPv6 header). pskb_expand_head() is called to guarantee
> > > headroom only when segments_left == 0.
> > >
> > > A crafted SRH that loops back to the local host (each segment is a local
> > > address, so ip6_route_input() delivers it back to ipv6_rpl_srh_rcv())
> > > with chdr growing on each pass exhausts headroom over several
> > > iterations.
> >
> > How could this occur...? Did AI generate a repro or just
> > flag the possibility?
>
> It generated a reproducer which caused a crash which made me have to
> create this patch. I'll dig it out of the huge pile of mess that was
> sent to me and get it into a form that I can reply here to.
Ok, got the reproducer working, and it turns out that this patch does
NOT fix the issue, I should have tested it better. Let me work some
more on this thing, sorry for the broken submission.
thanks,
greg k-h
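The headroom arithmetic the commit message describes, as an added example that is not part of the thread, the patch or the kernel: a userspace integer model of one delivery to ipv6_rpl_srh_rcv(), with the pull of the old SRH, the push of the recompressed SRH plus the IPv6 header, and pskb_expand_head() invoked only when segments_left == 0, versus invoked whenever the push would not fit. The 64 bytes of device headroom, the 16-byte initial SRH, the growth of one 8-byte unit per pass, and the assumption that the IPv6 header has already been pulled when the routing-header handler runs are all constructed for the model. It shows why the expand-only-on-last-segment condition is insufficient in the model; it makes no claim about what the correct kernel fix is (Greg's follow-up says the posted patch does not fix the crash).

```c
/*
 * Added example, not code from the patch or the kernel: an integer model of
 * the headroom accounting that the commit message describes for
 * ipv6_rpl_srh_rcv(). Pulling the old SRH frees headroom, pushing the
 * recompressed SRH plus the IPv6 header consumes it, and pskb_expand_head()
 * is only invoked when segments_left == 0.
 */
#include <stdbool.h>
#include <stdio.h>

#define IPV6_HDR_LEN 40u   /* sizeof(struct ipv6hdr) */

/* Assumption: device headroom left in front of the IPv6 header on receive. */
#define DEV_HEADROOM 64u

/* Only the quantity that matters here: bytes between skb->head and skb->data. */
struct skb_model {
	unsigned headroom;
};

/* One delivery to ipv6_rpl_srh_rcv(), in the steps the commit message lists.
 * old_hdrlen/new_hdrlen are SRH hdrlen fields (length in 8-byte units, minus 1).
 * Returns true if the push fits, false if it would run past skb->head. */
static bool rpl_pass(struct skb_model *s, unsigned old_hdrlen,
		     unsigned new_hdrlen, unsigned segments_left,
		     bool expand_only_on_last)
{
	unsigned old_len = (old_hdrlen + 1u) << 3;
	unsigned need = ((new_hdrlen + 1u) << 3) + IPV6_HDR_LEN;

	/* skb_pull() of the old SRH: headroom grows by its length. */
	s->headroom += old_len;

	/* pskb_expand_head() to guarantee `need` bytes, under either policy. */
	bool expand = expand_only_on_last ? (segments_left == 0)
					  : (s->headroom < need);
	if (expand && s->headroom < need)
		s->headroom = need;

	/* skb_push() of the recompressed SRH plus the IPv6 header. */
	if (s->headroom < need)
		return false;
	s->headroom -= need;
	return true;
}

/* Deliver the packet to the local host `passes` times, with the recompressed
 * SRH growing by one 8-byte unit per pass (constructed growth pattern).
 * segments_left counts down so that it reaches 0 on the final pass.
 * Returns the 1-based pass on which the push would overrun, or 0 if all fit. */
static unsigned run_loop(unsigned passes, unsigned dev_headroom,
			 bool expand_only_on_last)
{
	struct skb_model s = { .headroom = dev_headroom };
	unsigned hdrlen = 1;   /* 16-byte SRH on first delivery (constructed) */

	for (unsigned i = 1; i <= passes; i++) {
		/* Assumption: the IPv6 header has already been pulled before the
		 * routing-header handler runs, which is why the push above
		 * re-adds IPV6_HDR_LEN. */
		s.headroom += IPV6_HDR_LEN;
		if (!rpl_pass(&s, hdrlen, hdrlen + 1, passes - i,
			      expand_only_on_last))
			return i;
		hdrlen++;
	}
	return 0;
}

int main(void)
{
	printf("expand only on last segment, 20 passes: overrun at pass %u\n",
	       run_loop(20, DEV_HEADROOM, true));
	printf("expand only on last segment, 9 passes:  overrun at pass %u\n",
	       run_loop(9, DEV_HEADROOM, true));
	printf("expand whenever short, 20 passes:       overrun at pass %u\n",
	       run_loop(20, DEV_HEADROOM, false));
	return 0;
}
```

With these constructed numbers every pass nets a loss of 8 bytes of headroom, so the expand-only-on-last policy survives only if the pass that first runs short happens to be the final one; the model returns pass 9 for a 20-segment loop and 0 for a 9-segment loop.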