Re: [syzbot] [net?] WARNING in __ip6_append_data

From: David Howells
Date: Mon Sep 18 2023 - 06:05:13 EST

Next message: Andy Shevchenko: "Re: [RFC 2/2] iio: imu: Add driver for BMI323 IMU"
Previous message: Vadim Fedorenko: "Re: [PATCH 2/2] Documentation: dpll: wrap DPLL_CMD_PIN_GET output in a code block"
Next in thread: David Howells: "Re: [syzbot] [net?] WARNING in __ip6_append_data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

David Howells <dhowells@xxxxxxxxxx> wrote:

> I think the attached is probably an equivalent cleaned up reproducer. Note
> that if the length given to sendfile() is less than 65536, it fails with
> EINVAL before it gets into __ip6_append_data().

Actually, it only fails with EINVAL if the size is not a multiple of the block
size of the source file because it's open O_DIRECT so, say, 65536-512 is fine
(and works).

But thinking more on this further, is this even a bug in my code, I wonder?
The length passed is 65536 - but a UDP packet can't carry that, so it
shouldn't it have errored out before getting that far? (which is what it
seems to do when I try it).

I don't see how we get past the length check in ip6_append_data() with the
reproducer we're given unless the MTU is somewhat bigger than 65536 (is that
even possible?)

David

Next message: Andy Shevchenko: "Re: [RFC 2/2] iio: imu: Add driver for BMI323 IMU"
Previous message: Vadim Fedorenko: "Re: [PATCH 2/2] Documentation: dpll: wrap DPLL_CMD_PIN_GET output in a code block"
Next in thread: David Howells: "Re: [syzbot] [net?] WARNING in __ip6_append_data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]