With this patch, the crash can’t be reproduced with the syz-repro and crash log0/log1.
The auto-generated reproducers are here: https://github.com/dotweiba/skb_clone_atomic_inc_bug

Thanks,
Wei

> On 28 Oct 2017, at 6:06 AM, David Miller <[email protected]> wrote:
>
> From: Jason Wang <[email protected]>
> Date: Fri, 27 Oct 2017 11:05:44 +0800
>
>> An unaligned alloc_frag->offset caused by a previous allocation will
>> result in an unaligned skb->head. This will lead to an unaligned
>> skb_shared_info and then an unaligned dataref, which must be
>> aligned for access on some architectures. Fix this by aligning
>> alloc_frag->offset before the frag refilling.
>>
>> Fixes: 0bbd7dad34f8 ("tun: make tun_build_skb() thread safe")
>> Cc: Eric Dumazet <[email protected]>
>> Cc: Willem de Bruijn <[email protected]>
>> Cc: Wei Wei <[email protected]>
>> Cc: Dmitry Vyukov <[email protected]>
>> Cc: Mark Rutland <[email protected]>
>> Reported-by: Wei Wei <[email protected]>
>> Signed-off-by: Jason Wang <[email protected]>
>
> Applied and queued up for -stable, thanks Jason.
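The mechanism in the quoted commit message (a stale, unaligned alloc_frag->offset propagating to skb->head and on to the dataref in skb_shared_info), illustrated with a toy model added here; this is not the kernel's code nor the patch itself, and the struct layouts, the constructed starting offset of 1541 and the assumed SMP_CACHE_BYTES of 64 are simplifications.

```c
/* Toy model of the page_frag allocation pattern used by tun_build_skb(),
 * added to illustrate the bug: names are simplified stand-ins for the
 * kernel's, SMP_CACHE_BYTES is assumed to be 64, and all inputs are
 * constructed. */
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SMP_CACHE_BYTES 64
#define ALIGN_UP(x, a) (((x) + ((a) - 1)) & ~((uintptr_t)(a) - 1))
#define SKB_DATA_ALIGN(x) ALIGN_UP((x), SMP_CACHE_BYTES)

struct page_frag { size_t offset; };          /* toy: only offset matters */
struct skb_shared_info { uint32_t dataref; }; /* toy: dataref at offset 0 */

/* One frag allocation: carve `len` bytes of data plus the shared info at
 * the current offset and return where dataref ends up.  With align_first
 * set, the offset is aligned before carving, as the fix describes. */
static size_t dataref_offset(struct page_frag *frag, size_t len, int align_first)
{
    if (align_first)
        frag->offset = SKB_DATA_ALIGN(frag->offset);
    size_t head = frag->offset;                 /* becomes skb->head */
    size_t shinfo = head + SKB_DATA_ALIGN(len); /* skb_shared_info lands here */
    frag->offset = shinfo + sizeof(struct skb_shared_info); /* consume space */
    return shinfo + offsetof(struct skb_shared_info, dataref);
}

/* 1 if dataref is naturally aligned for a 32-bit atomic access, else 0. */
static int dataref_is_aligned(size_t dataref_off)
{
    return dataref_off % alignof(uint32_t) == 0;
}

/* Scenario from the report: an earlier allocation left the frag offset at
 * an odd byte count (1541 is a constructed value). */
static int scenario(int align_first)
{
    struct page_frag frag = { .offset = 1541 };
    return dataref_is_aligned(dataref_offset(&frag, 1500, align_first));
}

int main(void)
{
    printf("without fix: dataref aligned = %d\n", scenario(0)); /* 0 */
    printf("with fix:    dataref aligned = %d\n", scenario(1)); /* 1 */
    return 0;
}
```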
