On Mon, Aug 21, 2017 at 6:40 PM, Eric Dumazet <eric.duma...@gmail.com> wrote:
> On Mon, 2017-08-21 at 17:39 -0400, Willem de Bruijn wrote:
>> From: Willem de Bruijn <will...@google.com>
>>
>> When peeking, if a bad csum is discovered, the skb is unlinked from
>> the queue with __sk_queue_drop_skb and the peek operation restarted.
>>
>> __sk_queue_drop_skb only drops packets that match the queue head. With
>> sk_peek_off, the skb need not be at head, causing the call to fail and
>> the same skb to be found again on restart.
>>
>> Walk the queue to find the correct skb. Limit the walk to sk_peek_off,
>> to bound cycle cost to at most twice the original skb_queue_walk in
>> __skb_try_recv_from_queue.
>>
>> The operation may race with updates to sk_peek_off. As the operation
>> is retried, it will eventually succeed.
>>
>> Signed-off-by: Willem de Bruijn <will...@google.com>
>
> You forgot the Fixes: tag, that such a bug fix deserves.
Indeed, sorry. I'm looking into that now. It should be the patch that
introduced peeking at offset, but need to verify. I should also add that
this bug was discovered by syzkaller.

> I am not a big fan of your patch and would prefer a solution without the
> loop.

Agreed.
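To make the failure mode in the quoted commit message concrete, here is an added C model of a receive queue with a peek offset; it is example code, not kernel code or the patch under discussion, and the struct and function names are constructed. It shows why a head-only drop keeps returning the same bad-csum skb once sk_peek_off points past the head, and how a walk bounded by the peek offset unlinks the right skb.

```c
#include <stddef.h>

/* Constructed model of a socket receive queue, not kernel code. */
struct skb { struct skb *next; int len; int bad_csum; };
struct sock_q { struct skb *head; int peek_off; };

/* Skb a peek at peek_off returns (simplified __skb_try_recv_from_queue walk). */
static struct skb *peek_at_off(struct sock_q *q)
{
    int off = q->peek_off;
    for (struct skb *s = q->head; s; s = s->next) {
        if (off < s->len) return s;   /* offset lands inside this skb */
        off -= s->len;                /* otherwise skip the whole skb */
    }
    return NULL;
}

/* Pre-fix behaviour from the thread: only the queue head can be dropped. */
static int drop_head_only(struct sock_q *q, struct skb *skb)
{
    if (q->head != skb) return 0;     /* drop fails, skb stays queued */
    q->head = skb->next;
    return 1;
}

/* Fixed behaviour: walk the queue, bounded by peek_off bytes, to unlink skb. */
static int drop_walk_bounded(struct sock_q *q, struct skb *skb)
{
    int off = q->peek_off;
    for (struct skb **pp = &q->head; *pp; pp = &(*pp)->next) {
        if (*pp == skb) { *pp = skb->next; return 1; }
        off -= (*pp)->len;
        if (off < 0) return 0;        /* past the peek window: stop walking */
    }
    return 0;
}

/* Bad csum: drop and restart. Returns restarts until a good skb or empty queue, -1 if stuck. */
static int peek_loop(struct sock_q *q, int (*drop)(struct sock_q *, struct skb *), int max)
{
    for (int tries = 0; tries < max; tries++) {
        struct skb *s = peek_at_off(q);
        if (!s || !s->bad_csum) return tries;
        drop(q, s);                   /* if this fails, the same skb is found again */
    }
    return -1;
}

/* Scenario from the thread: peek_off skips the first skb, the second has a bad csum. */
static int scenario(int (*drop)(struct sock_q *, struct skb *))
{
    struct skb c = { NULL, 40, 0 }, b = { &c, 30, 1 }, a = { &b, 20, 0 };
    struct sock_q q = { &a, 20 };
    return peek_loop(&q, drop, 8);
}
```

With the head-only drop the loop never makes progress (returns -1); with the bounded walk the bad skb is unlinked on the first pass and the next peek returns the good skb behind it.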