On Wed, Apr 26, 2017 at 1:08 PM, Andrey Konovalov <andreyk...@google.com> wrote:
> On Wed, Apr 26, 2017 at 6:07 PM, Eric Dumazet <eric.duma...@gmail.com> wrote:
>> From: Eric Dumazet <eduma...@google.com>
>>
>> Andrey found a way to trigger the WARN_ON_ONCE(delta < len) in
>> skb_try_coalesce() using syzkaller and a filter attached to a TCP
>> socket.
>>
>> As we did recently in commit 158f323b9868 ("net: adjust skb->truesize in
>> pskb_expand_head()") we can adjust skb->truesize from ___pskb_trim(),
>> via a call to skb_condense().
>>
>> If all frags were freed, then skb->truesize can be recomputed.
>>
>> This call can be done if skb is not yet owned, or destructor is
>> sock_edemux().
>
> Hi Eric,
>
> I still see the warning even with your patch.

Can this happen if sk_trim_filter_cap trims the skb to free some, but not all, of the frags? If skb->data_len remains larger than skb->end - skb->tail, skb_condense will not adjust the truesize.
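
The case asked about in the reply above, as an added example that is not part of the thread and is not kernel code: a simplified userspace C model of a trim followed by the condense step. struct model_skb, OVERHEAD, FRAG_TRUESIZE and the sizes used are constructed stand-ins for the kernel's sk_buff accounting.

```c
/* Simplified userspace model, not kernel code: struct model_skb, OVERHEAD
 * and FRAG_TRUESIZE are constructed for illustration. */
#include <stdio.h>
#define OVERHEAD      512u   /* stands in for the sk_buff + shared-info cost */
#define FRAG_TRUESIZE 4096u  /* each frag is charged as one full page */
#define LINEAR_TRUESIZE(s) (OVERHEAD + (s)->head_len + (s)->tailroom)
/* head_len: linear bytes; tailroom: models skb->end - skb->tail;
 * data_len: bytes in page frags; truesize: memory charged for the skb. */
struct model_skb { unsigned head_len, tailroom, data_len, truesize; };

/* Trim to new_len: frag bytes past new_len go away, truesize is not touched. */
static void model_trim(struct model_skb *s, unsigned new_len)
{
    if (new_len <= s->head_len) {
        s->tailroom += s->head_len - new_len;
        s->head_len = new_len;
        s->data_len = 0;
    } else if (new_len < s->head_len + s->data_len) {
        s->data_len = new_len - s->head_len;
    }
}

/* Models the skb_condense() decision (the skb_cloned() check is left out). */
static void model_condense(struct model_skb *s)
{
    if (s->data_len) {
        if (s->data_len > s->tailroom)
            return;                 /* cannot pull: truesize stays as it was */
        s->head_len += s->data_len; /* pull remaining frag bytes into the head */
        s->tailroom -= s->data_len;
        s->data_len = 0;
    }
    s->truesize = LINEAR_TRUESIZE(s);
}

/* 100 linear bytes, 200 bytes of tailroom, two page frags; trim, then condense. */
static unsigned truesize_after_trim(unsigned new_len)
{
    struct model_skb s = { 100, 200, 2 * FRAG_TRUESIZE, 0 };
    s.truesize = LINEAR_TRUESIZE(&s) + 2 * FRAG_TRUESIZE;
    model_trim(&s, new_len);
    model_condense(&s);
    return s.truesize;
}

int main(void)
{
    printf("%u %u %u\n", truesize_after_trim(50), truesize_after_trim(250), truesize_after_trim(1000));
    return 0;
}
```

In this model a trim to 1000 bytes drops the second frag, yet the skb is still charged for both pages because the 900 remaining frag bytes exceed the 200 bytes of tailroom.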