On Wed, Apr 26, 2017 at 6:07 PM, Eric Dumazet <eric.duma...@gmail.com> wrote:
> From: Eric Dumazet <eduma...@google.com>
>
> Andrey found a way to trigger the WARN_ON_ONCE(delta < len) in
> skb_try_coalesce() using syzkaller and a filter attached to a TCP
> socket.
>
> As we did recently in commit 158f323b9868 ("net: adjust skb->truesize in
> pskb_expand_head()") we can adjust skb->truesize from ___pskb_trim(),
> via a call to skb_condense().
>
> If all frags were freed, then skb->truesize can be recomputed.
>
> This call can be done if skb is not yet owned, or destructor is
> sock_edemux().
Hi Eric, I still see the warning even with your patch. Thanks! > > Signed-off-by: Eric Dumazet <eduma...@google.com> > Reported-by: Andrey Konovalov <andreyk...@google.com> > Cc: Willem de Bruijn <will...@google.com> > --- > net/core/skbuff.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/core/skbuff.c b/net/core/skbuff.c > index > f86bf69cfb8d8bc17262cdba5d9f57a4726cd476..f1d04592ace02f32efa6e05df89c9a5e0023157f > 100644 > --- a/net/core/skbuff.c > +++ b/net/core/skbuff.c > @@ -1576,6 +1576,8 @@ int ___pskb_trim(struct sk_buff *skb, unsigned int len) > skb_set_tail_pointer(skb, len); > } > > + if (!skb->sk || skb->destructor == sock_edemux) > + skb_condense(skb); > return 0; > } > EXPORT_SYMBOL(___pskb_trim); > >
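
Review bot: The guard on the two added lines in ___pskb_trim(), `if (!skb->sk || skb->destructor == sock_edemux)`, carries no comment saying why skb_condense() may only be called for an unowned skb or one whose destructor is sock_edemux; that reasoning lives only in the commit message and should sit next to the check. The same guard skips every skb that is already owned by a socket with a different destructor, so, given the reply in this thread that the warning still fires with the patch applied, it is worth confirming whether the skb in the reported path actually satisfies this condition. The call is also made on every path that reaches `return 0;` rather than only when frags were released, so the hunk relies on skb_condense() doing nothing when truesize cannot be recomputed; a one-line comment stating that dependency would help.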