With this patch, the crash can’t be reproduced with the syz-repro and crash log0/log1.
The auto-generated reproducers are here: https://github.com/dotweiba/skb_clone_atomic_inc_bug

Thanks,
Wei

> On 28 Oct 2017, at 6:06 AM, David Miller <da...@redhat.com> wrote:
>
> From: Jason Wang <jasow...@redhat.com>
> Date: Fri, 27 Oct 2017 11:05:44 +0800
>
>> An unaligned alloc_frag->offset caused by a previous allocation will
>> result in an unaligned skb->head. This will lead to an unaligned
>> skb_shared_info and then an unaligned dataref, which needs to be
>> aligned for access on some architectures. Fix this by aligning
>> alloc_frag->offset before the frag refilling.
>>
>> Fixes: 0bbd7dad34f8 ("tun: make tun_build_skb() thread safe")
>> Cc: Eric Dumazet <eduma...@google.com>
>> Cc: Willem de Bruijn <willemdebruijn.ker...@gmail.com>
>> Cc: Wei Wei <dotwe...@gmail.com>
>> Cc: Dmitry Vyukov <dvyu...@google.com>
>> Cc: Mark Rutland <mark.rutl...@arm.com>
>> Reported-by: Wei Wei <dotwe...@gmail.com>
>> Signed-off-by: Jason Wang <jasow...@redhat.com>
>
> Applied and queued up for -stable, thanks Jason.