On Tue, Aug 29, 2023 at 8:50 AM Mohamed Khalfella
[off-list ref] wrote:

On 2023-08-28 21:18:16 -0700, willemjdebruijn wrote:

quoted

Small point: nfrags is not the only state that needs to be refreshed
after a fags realloc, also frag.

I am new to this code. Can you help me understand why frag needs to be
updated too? My reading of this code is that frag points to frags array
in shared info. As long as shared info pointer remain the same frag
pointer should remain valid.

skb_copy_ubufs() could actually call skb_unclone() and thus skb->head
could be re-allocated.

I guess that if you run your patch (and a repro of the bug ?) with
KASAN enabled kernel, you should see a possible use-after-free ?

To force the skb_unclone() path, having a tcpdump catching all packets
would be enough I think.

Am I missing something?

quoted

Thanks for the report. I'm traveling likely without internet until the
weekend. Apologies if it takes a while for me to follow up.

No problem. Thanks for the quick response!