On Wed, Apr 26, 2017 at 1:08 PM, Andrey Konovalov <andreyk...@google.com> wrote:
> On Wed, Apr 26, 2017 at 6:07 PM, Eric Dumazet <eric.duma...@gmail.com> wrote:
>> From: Eric Dumazet <eduma...@google.com>
>>
>> Andrey found a way to trigger the WARN_ON_ONCE(delta < len) in
>> skb_try_coalesce() using syzkaller and a filter attached to a TCP
>> socket.
>>
>> As we did recently in commit 158f323b9868 ("net: adjust skb->truesize in
>> pskb_expand_head()") we can adjust skb->truesize from ___pskb_trim(),
>> via a call to skb_condense().
>>
>> If all frags were freed, then skb->truesize can be recomputed.
>>
>> This call can be done if skb is not yet owned, or destructor is
>> sock_edemux().
>
> Hi Eric,
>
> I still see the warning even with your patch.Can this happen if sk_trim_filter_cap trims the skb to free some, but not all, of the frags? If skb->data_len remains larger than skb->end - skb->tail, skb_condense will not adjust the truesize.
