nagai/kernel
3
0
Fork 0
forked from mirrors/linux
Code Pull requests Activity

net: adjust skb->truesize in ___pskb_trim()

Browse source 
Andrey found a way to trigger the WARN_ON_ONCE(delta < len) in
skb_try_coalesce() using syzkaller and a filter attached to a TCP
socket.

As we did recently in commit 158f323b98 ("net: adjust skb->truesize in
pskb_expand_head()") we can adjust skb->truesize from ___pskb_trim(),
via a call to skb_condense().

If all frags were freed, then skb->truesize can be recomputed.

This call can be done if skb is not yet owned, or destructor is
sock_edemux().

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Eric Dumazet 2017-04-26 09:07:46 -07:00 committed by David S. Miller
parent 7162fb242c
commit c21b48cc1b
1 changed files with 2 additions and 0 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

2
net/core/skbuff.c
View file

@ -1576,6 +1576,8 @@ int ___pskb_trim(struct sk_buff *skb, unsigned int len)
skb_set_tail_pointer(skb, len); skb_set_tail_pointer(skb, len);
} }
if (!skb->sk || skb->destructor == sock_edemux)
skb_condense(skb);
return 0; return 0;
} }
EXPORT_SYMBOL(___pskb_trim); EXPORT_SYMBOL(___pskb_trim);