[PATCH] ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
patchwork-bot+netdevbpf at kernel.org
patchwork-bot+netdevbpf at kernel.org
Mon Dec 29 18:40:05 UTC 2025
Hello:
This patch was applied to netdev/net.git (main)
by Paolo Abeni <pabeni at redhat.com>:
On Fri, 19 Dec 2025 10:36:37 -0700 you wrote:
> There exists a kernel oops caused by a BUG_ON(nhead < 0) at
> net/core/skbuff.c:2232 in pskb_expand_head().
> This bug is triggered as part of the calipso_skbuff_setattr()
> routine when skb_cow() is passed headroom > INT_MAX
> (i.e. (int)(skb_headroom(skb) + len_delta) < 0).
>
> The root cause of the bug is due to an implicit integer cast in
> __skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure
> that delta = headroom - skb_headroom(skb) is never negative, otherwise
> we will trigger a BUG_ON in pskb_expand_head(). However, if
> headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta
> becomes negative, and pskb_expand_head() is passed a negative value for
> nhead.
>
> [...]
Here is the summary with links:
- ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
https://git.kernel.org/netdev/net/c/58fc7342b529
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
More information about the Linux-security-module-archive
mailing list