On Wed, Jan 30, 2019 at 02:26:32PM -0800, Ivan Babrou wrote:
> Hey,
>
> Continuing from this thread earlier today:
>
> * https://marc.info/?t=154886729100001&r=1&w=2
>
> We fired up KASAN enabled kernel on one of those machines and this is
> what we saw:
...
> This commit from 4.19.14 seems relevant:
>
> * https://github.com/torvalds/linux/commit/d5f9565c8d5ad3cf94982223cfcef1169b0bb60f
>
> As a reminder, we upgraded from 4.19.13 and started seeing crashes.

Unfortunately I'm on vacation this week so that my capability to look
deeper into this is limited but there seems to be one obvious problem with
the 4.19.y backport: in mainline, there is

	err = -EINVAL;

right on top of the "Find out where to put this fragment." comment which
had been added by commit 0ff89efb5246 ("ip: fail fast on IP defrag
errors"). In the 4.19.y backport of the commit, this assignment is missing so
that the value of err at this point comes from the earlier pskb_trim_rcsum()
call so that it must be zero and if we take any of the "goto err" added by
commit d5f9565c8d5a, we drop the packet by calling kfree_skb() but return
zero so that the caller doesn't know about it.

Michal Kubecek
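
The failure mode described in the message above, as a simplified model added here (it is not kernel code and not part of the original mail). `struct pkt`, `trim()`, `drop()`, `queue_frag()`, `caller_touches_freed()` and the `set_err` switch are hypothetical stand-ins; `drop()` only sets a flag, so nothing is really freed.

```c
#include <errno.h>
#include <stdbool.h>

/* Toy stand-in for a packet buffer; not the kernel's struct sk_buff. */
struct pkt { int len; bool freed; };

/* Stand-in for pskb_trim_rcsum(): succeeds, so it leaves err == 0. */
static int trim(struct pkt *p, int len) { p->len = len; return 0; }

/* Stand-in for kfree_skb(): records the drop instead of freeing memory. */
static void drop(struct pkt *p) { p->freed = true; }

/*
 * overlap models taking one of the "goto err" paths.
 * set_err == true  models mainline (err = -EINVAL before the checks).
 * set_err == false models the backport with the assignment missing.
 */
static int queue_frag(struct pkt *p, bool overlap, bool set_err)
{
    int err = trim(p, p->len);
    if (err)
        goto err;

    if (set_err)
        err = -EINVAL;

    /* Find out where to put this fragment. */
    if (overlap)
        goto err;       /* without set_err, err is still 0 here */

    return 0;           /* packet kept, caller may go on using it */
err:
    drop(p);
    return err;         /* stale 0 reports success for a dropped packet */
}

/* Assumed caller contract: a zero return means the packet is still valid. */
static bool caller_touches_freed(struct pkt *p, bool overlap, bool set_err)
{
    int ret = queue_frag(p, overlap, set_err);
    return ret == 0 && p->freed;
}
```
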