On 3/8/22 10:18, David Ahern wrote:
alloclen = 1480 alloc_extra = 136 datalen = 64095 fragheaderlen = 1480 fraglen = 65575 transhdrlen = 0 mtu = 1480
Does this solve the problem (whitespace damaged on paste, but it is just a code move and removing fraglen getting set twice):
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index e69fac576970..59f036241f1b 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -1589,6 +1589,15 @@ static int __ip6_append_data(struct sock *sk,
if (datalen > (cork->length <= mtu &&
!(cork->flags & IPCORK_ALLFRAG) ? mtu : maxfraglen) - fragheaderlen) datalen = maxfraglen - fragheaderlen - rt->dst.trailer_len;
if (datalen != length + fraggap) {
/*
* this is not the last fragment, the
trailer
* space is regarded as data space.
*/
datalen += rt->dst.trailer_len;
}
fraglen = datalen + fragheaderlen; pagedlen = 0;
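Review bot: in the first hunk the relocated block (the `if (datalen != length + fraggap)` trailer adjustment followed by `fraglen = datalen + fragheaderlen;`) only changes when datalen and fraglen get their final values; neither hunk touches how alloclen is derived, and the values quoted above show alloclen (1480, equal to mtu) is not tied to fraglen (65575). The put of fraglen bytes reported in the panic (put:65575 against an end of 0x6c0) therefore still exceeds the mtu + alloc_extra allocation, so the same skb_over_panic is to be expected. The fix needs to either size the skb from the final fraglen in every alloclen branch or bail out before the copy, for example via the existing `err = -EINVAL;` path, when datalen + fragheaderlen cannot fit in the allocated length.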
@@ -1615,16 +1624,6 @@ static int __ip6_append_data(struct sock *sk, } alloclen += alloc_extra;
if (datalen != length + fraggap) {
/*
* this is not the last fragment, the
trailer
* space is regarded as data space.
*/
datalen += rt->dst.trailer_len;
}
fraglen = datalen + fragheaderlen;
copy = datalen - transhdrlen - fraggap - pagedlen; if (copy < 0) { err = -EINVAL;
That fails in the same way:
skbuff: skb_over_panic: text:ffffffff83e7b48b len:65575 put:65575 head:ffff888101f8a000 data:ffff888101f8a088 tail:0x100af end:0x6c0 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:113!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 1852 Comm: repro Not tainted 5.17.0-rc7-00020-gea4424be1688-dirty #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1.fc35
RIP: 0010:skb_panic+0x173/0x175
I'm not sure how it is supposed to help since it doesn't change the alloclen at all. I think the problem here is that the size of the allocated skb is too small.