On 05/14/2018 04:30 PM, Willem de Bruijn wrote:
> I don't quite follow. The reported crash happens in the protocol layer,
> because of this check. With pagedlen we have not allocated
> sufficient space for the skb_put.
>
>         if (!(rt->dst.dev->features&NETIF_F_SG)) {
>                 unsigned int off;
>
>                 off = skb->len;
>                 if (getfrag(from, skb_put(skb, copy),
>                             offset, copy, off, skb) < 0) {
>                         __skb_trim(skb, off);
>                         err = -EFAULT;
>                         goto error;
>                 }
>         } else {
>                 int i = skb_shinfo(skb)->nr_frags;
>
> Are you referring to a separate potential issue in the gso layer?
> If a bonding device advertises SG, but a slave does not, then
> skb_segment on the slave should build linear segs? I have not
> tested that.

Given that the device attribute could change under us, we need to not crash,
even if initially we thought NETIF_F_SG was available.

Unless you want to hold RTNL in UDP xmit :)

Ideally, GSO should be always on, as we did for TCP.

Otherwise, I can guarantee syzkaller will hit again.
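The failure mode the two messages above circle around is a sample-then-rely race: the linear/paged split (pagedlen) is decided from dev->features at allocation time, and the copy loop re-reads the same feature word later, so if NETIF_F_SG is cleared in between, skb_put asks for linear room that was never reserved. The following userland C model is an added illustration, not kernel code and not the fix that was merged; the struct skb, skb_put, skb_tailroom, alloc_for_payload and append_* functions are constructed stand-ins whose only purpose is to make the mismatch observable (skb_put returns NULL where the kernel would call skb_over_panic). The hardened variant simply carries the pagedlen decided at allocation into the copy step and checks tailroom instead of re-sampling the device.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of an skb's linear area; not the kernel's definition. */
#define LINEAR_CAP 64
#define NETIF_F_SG 0x1u

struct dev { unsigned int features; };

struct skb {
    unsigned char data[LINEAR_CAP];
    size_t len;        /* bytes already placed in the linear area */
    size_t linear_cap; /* linear bytes reserved at allocation */
    size_t frag_len;   /* bytes routed to page frags (modelled as a counter) */
};

static size_t skb_tailroom(const struct skb *skb) { return skb->linear_cap - skb->len; }

/* Model of skb_put(): the kernel panics on overflow; here we return NULL so a test can see it. */
static unsigned char *skb_put(struct skb *skb, size_t n) {
    if (n > skb_tailroom(skb)) return NULL; /* kernel: skb_over_panic() */
    unsigned char *p = skb->data + skb->len;
    skb->len += n;
    return p;
}

/* Allocation step: pagedlen is derived from the features sampled *now*, and only
 * the non-paged remainder gets linear room. This mirrors the sampling that the
 * quoted snippet later relies on. */
static void alloc_for_payload(struct skb *skb, const struct dev *dev, size_t payload, size_t *pagedlen) {
    memset(skb, 0, sizeof *skb);
    *pagedlen = (dev->features & NETIF_F_SG) ? payload : 0;
    skb->linear_cap = payload - *pagedlen;
}

/* Copy step, as in the quoted check: re-reads dev->features. If SG was set at
 * allocation but is clear now, skb_put wants more linear room than exists. */
static int append_unhardened(struct skb *skb, const struct dev *dev, const unsigned char *src, size_t copy) {
    if (!(dev->features & NETIF_F_SG)) {
        unsigned char *dst = skb_put(skb, copy);
        if (!dst) return -1; /* in the kernel this is the crash, not an error return */
        memcpy(dst, src, copy);
    } else {
        skb->frag_len += copy; /* SG path: bytes go to page frags */
    }
    return 0;
}

/* Hardened model: use the pagedlen decided at allocation (never re-sample the
 * device) and verify tailroom before touching the linear area. */
static int append_hardened(struct skb *skb, size_t pagedlen, const unsigned char *src, size_t copy) {
    size_t linear = copy > pagedlen ? copy - pagedlen : 0;
    if (linear > skb_tailroom(skb)) return -1; /* refuse instead of overflowing */
    if (linear) memcpy(skb_put(skb, linear), src, linear);
    skb->frag_len += copy - linear;
    return 0;
}

/* Scenario driver: allocate under feat_at_alloc, flip the device to feat_at_copy
 * (the "attribute changed under us" case), then run the copy step.
 * Returns 0 on success, -1 when the copy would have overflowed. */
static int run_scenario(unsigned int feat_at_alloc, unsigned int feat_at_copy, int hardened) {
    static const unsigned char payload[] = "constructed udp payload bytes..."; /* constructed sample */
    struct dev dev = { feat_at_alloc };
    struct skb skb;
    size_t pagedlen;

    alloc_for_payload(&skb, &dev, sizeof payload, &pagedlen);
    dev.features = feat_at_copy;
    return hardened ? append_hardened(&skb, pagedlen, payload, sizeof payload)
                    : append_unhardened(&skb, &dev, payload, sizeof payload);
}
```

Running run_scenario(NETIF_F_SG, 0, 0) reproduces the mismatch (SG at allocation, cleared before the copy): the unhardened path fails because no linear room was reserved, while the hardened path succeeds because it honours the split chosen at allocation. When the feature word does not change between the two steps, both variants behave identically.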