From: Ido Schimmel <idosch@nvidia.com>
To: Wongi Lee <qw3rtyp0@gmail.com>
Cc: netdev@vger.kernel.org, David Ahern <dsahern@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
asml.silence@gmail.com, dhowells@redhat.com, willemb@google.com
Subject: Re: [PATCH net v2] ipv6: account for fraggap on the paged allocation path
Date: Thu, 11 Jun 2026 13:23:03 +0300
Message-ID: <20260611102303.GA880341@shredder>
In-Reply-To: <aigx83czv+UJZA0d@DESKTOP-19IMU7U.localdomain>
+ Pavel, David, Willem
On Wed, Jun 10, 2026 at 12:32:03AM +0900, Wongi Lee wrote:
> In __ip6_append_data(), when the paged-allocation branch is taken
> (MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are
> computed as
>
> alloclen = fragheaderlen + transhdrlen;
> pagedlen = datalen - transhdrlen;
>
> datalen already includes fraggap (datalen = length + fraggap), but
> the fraggap bytes carried over from the previous skb are copied into
> the new skb's linear area at offset transhdrlen by the subsequent
> skb_copy_and_csum_bits(). The linear area is therefore undersized by
> fraggap bytes while pagedlen is overstated by the same amount, and
> the copy writes past skb->end into the trailing skb_shared_info.
>
> An unprivileged user can trigger this via a UDPv6 socket using
> MSG_MORE together with MSG_SPLICE_PAGES.
>
> The non-paged branch a few lines above sets
> alloclen = fraglen = datalen + fragheaderlen, which already accounts
> for fraggap because datalen does. Bring the paged branch in line by
> adding fraggap to alloclen and subtracting it from pagedlen.
>
> Fixes: 773ba4fe9104 ("ipv6: avoid partial copy for zc")
I'm OK with this tag if we want to be defensive, but isn't the data
corruption only triggerable since commit ce650a166335 ("udp6: Fix
__ip6_append_data()'s handling of MSG_SPLICE_PAGES")?
AFAICT, before ce650a166335, a negative 'copy' would always result in
EINVAL being returned. I would at least mention this in the commit
message.
Speaking of a negative 'copy', I think Sashiko is correct [1] and the
comment regarding pagedlen>0 is now stale.
Finally, what about IPv4? It has the same code in commit 8eb77cc73977
("ipv4: avoid partial copy for zc").
[1] https://netdev-ai.bots.linux.dev/sashiko/#/patchset/aigx83czv%2BUJZA0d%40DESKTOP-19IMU7U.localdomain
> Assisted-by: Xint
> Signed-off-by: Jungwoo Lee <jwlee2217@gmail.com>
> Signed-off-by: Wongi Lee <qw3rtyp0@gmail.com>
> ---
> v2:
> - Fix mail format.
> - v1: https://lore.kernel.org/netdev/aibiIYMAwUErTw5U@DESKTOP-19IMU7U.localdomain
> ---
> net/ipv6/ip6_output.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
> index c14adcdd4396..265502caa44b 100644
> --- a/net/ipv6/ip6_output.c
> +++ b/net/ipv6/ip6_output.c
> @@ -1668,8 +1668,8 @@ static int __ip6_append_data(struct sock *sk,
> !(rt->dst.dev->features & NETIF_F_SG)))
> alloclen = fraglen;
> else {
> - alloclen = fragheaderlen + transhdrlen;
> - pagedlen = datalen - transhdrlen;
> + alloclen = fragheaderlen + transhdrlen + fraggap;
> + pagedlen = datalen - transhdrlen - fraggap;
> }
> alloclen += alloc_extra;
>
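Review bot: the hunk fixes only net/ipv6/ip6_output.c, while the reply points out that the identical two lines exist in the IPv4 path from commit 8eb77cc73977 ("ipv4: avoid partial copy for zc"); the ipv4 counterpart should be corrected in the same series so the two paged branches do not diverge. On the arithmetic itself, the two new lines keep alloclen + pagedlen equal to fragheaderlen + datalen, i.e. to the fraglen the non-paged branch already uses, so a one-line comment above the else block saying that the fraggap bytes are copied into the linear area (and therefore belong to alloclen rather than pagedlen) would record why the two terms must move together.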
> --
> 2.34.1
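The size arithmetic described in the quoted commit message, as an added C model that is not part of the patch or of the kernel: it computes the pre-patch and patched paged-branch plans for constructed sample values and checks whether the fraggap copy stays inside the requested linear area. The struct and function names are assumptions of this model; only the variable names follow the kernel.

```c
/* Added model, not kernel code: size bookkeeping of the paged branch of
 * __ip6_append_data() before and after the patch. Names follow the kernel;
 * every numeric input is a constructed sample. */
#include <stdbool.h>

struct alloc_plan {
	unsigned int alloclen; /* linear bytes requested (before alloc_extra) */
	unsigned int pagedlen; /* bytes to be placed in page fragments */
};

/* Pre-patch: fraggap is part of datalen, so it is counted in pagedlen even
 * though those bytes are copied into the linear area. */
static struct alloc_plan paged_plan_old(unsigned int fragheaderlen,
					unsigned int transhdrlen,
					unsigned int datalen)
{
	return (struct alloc_plan){ fragheaderlen + transhdrlen,
				    datalen - transhdrlen };
}

/* Patched: fraggap moves from pagedlen to alloclen. */
static struct alloc_plan paged_plan_new(unsigned int fragheaderlen,
					unsigned int transhdrlen,
					unsigned int datalen,
					unsigned int fraggap)
{
	return (struct alloc_plan){ fragheaderlen + transhdrlen + fraggap,
				    datalen - transhdrlen - fraggap };
}

/* skb_copy_and_csum_bits() writes fraggap bytes at linear offset
 * fragheaderlen + transhdrlen. Returns how many of them would land past the
 * requested linear size (past skb->end, in skb_shared_info); 0 = fits. */
static unsigned int linear_overrun(const struct alloc_plan *p,
				   unsigned int fragheaderlen,
				   unsigned int transhdrlen,
				   unsigned int fraggap)
{
	unsigned int copy_end = fragheaderlen + transhdrlen + fraggap;
	return copy_end > p->alloclen ? copy_end - p->alloclen : 0;
}

/* Invariant shared with the non-paged branch: linear + paged bytes equal
 * fraglen = fragheaderlen + datalen. Both plans pass, so a total-size check
 * alone cannot catch the bug. */
static bool totals_match(const struct alloc_plan *p,
			 unsigned int fragheaderlen, unsigned int datalen)
{
	return p->alloclen + p->pagedlen == fragheaderlen + datalen;
}
```

With the sample fragheaderlen=48, transhdrlen=8, length=1000 and fraggap=100 (so datalen=1100), the old plan overruns the linear area by exactly fraggap bytes while both plans satisfy the total-size invariant.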
Thread overview: 3+ messages
2026-06-09 15:32 [PATCH net v2] ipv6: account for fraggap on the paged allocation path Wongi Lee
2026-06-11 10:23 ` Ido Schimmel [this message]
2026-06-11 13:21 ` Wongi Lee