Patchwork 3.9.5+: Crash in tcp_input.c:4810.

login
register
mail settings
Submitter Eric Dumazet
Date July 8, 2013, 8:10 p.m.
Message ID <1373314235.4979.121.camel@edumazet-glaptop>
Download mbox | patch
Permalink /patch/257600/
State Not Applicable
Delegated to: David Miller
Headers show

Comments

Eric Dumazet - July 8, 2013, 8:10 p.m.
On Mon, 2013-07-08 at 12:59 -0700, Ben Greear wrote:

> > There is this thing in ath9k about aggregating two frags
> >
> > drivers/net/wireless/ath/ath9k/recv.c line 1298 contains :
> >
> > RX_STAT_INC(rx_frags);
> >
> > Could you check these stats (I do not know if they are reported by
> > ethtool -S or another debugging facility) and check if rx_frags is ever
> > increasing ?
> 
> They are in debugfs, and they appear to increase fairly often, for
> instance:
> 
> [root@lec2010-ath9k-1 lanforge]# cat /debug/ieee80211/wiphy0/ath9k/recv|tail -5
>             RX-Pkts-All :  288009442
>            RX-Bytes-All : 4067932166
>              RX-Beacons :   14826735
>                RX-Frags :       3944
>             RX-Spectral :          0
> 
> I don't have the stats from the system that reproduced the bug
> (it has been rebooted), but if I do see the bug again, I'll
> grab the rx-frags and other stats just in case it shows
> some anomaly.
> 

Reading this code again, I believe following patch is needed.

Could you test it ?

Thanks



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Ben Greear - July 8, 2013, 8:17 p.m.
On 07/08/2013 01:10 PM, Eric Dumazet wrote:
> On Mon, 2013-07-08 at 12:59 -0700, Ben Greear wrote:
>
>>> There is this thing in ath9k about aggregating two frags
>>>
>>> drivers/net/wireless/ath/ath9k/recv.c line 1298 contains :
>>>
>>> RX_STAT_INC(rx_frags);
>>>
>>> Could you check these stats (I do not know if they are reported by
>>> ethtool -S or another debugging facility) and check if rx_frags is ever
>>> increasing ?
>>
>> They are in debugfs, and they appear to increase fairly often, for
>> instance:
>>
>> [root@lec2010-ath9k-1 lanforge]# cat /debug/ieee80211/wiphy0/ath9k/recv|tail -5
>>              RX-Pkts-All :  288009442
>>             RX-Bytes-All : 4067932166
>>               RX-Beacons :   14826735
>>                 RX-Frags :       3944
>>              RX-Spectral :          0
>>
>> I don't have the stats from the system that reproduced the bug
>> (it has been rebooted), but if I do see the bug again, I'll
>> grab the rx-frags and other stats just in case it shows
>> some anomaly.
>>
>
> Reading this code again, I believe following patch is needed.
>
> Could you test it ?

Sure, will do.  Adding the linux-wireless mailing list as well.

Thanks,
Ben

>
> Thanks
>
> diff --git a/drivers/net/wireless/ath/ath9k/recv.c b/drivers/net/wireless/ath/ath9k/recv.c
> index 8be2b5d..f642f04 100644
> --- a/drivers/net/wireless/ath/ath9k/recv.c
> +++ b/drivers/net/wireless/ath/ath9k/recv.c
> @@ -1317,7 +1317,8 @@ int ath_rx_tasklet(struct ath_softc *sc, int flush, bool hp)
>   		if (sc->rx.frag) {
>   			int space = skb->len - skb_tailroom(hdr_skb);
>
> -			if (pskb_expand_head(hdr_skb, 0, space, GFP_ATOMIC) < 0) {
> +			if (space > 0 &&
> +			    pskb_expand_head(hdr_skb, 0, space, GFP_ATOMIC) < 0) {
>   				dev_kfree_skb(skb);
>   				RX_STAT_INC(rx_oom_err);
>   				goto requeue_drop_frag;
>

Patch

diff --git a/drivers/net/wireless/ath/ath9k/recv.c b/drivers/net/wireless/ath/ath9k/recv.c
index 8be2b5d..f642f04 100644
--- a/drivers/net/wireless/ath/ath9k/recv.c
+++ b/drivers/net/wireless/ath/ath9k/recv.c
@@ -1317,7 +1317,8 @@  int ath_rx_tasklet(struct ath_softc *sc, int flush, bool hp)
 		if (sc->rx.frag) {
 			int space = skb->len - skb_tailroom(hdr_skb);
 
-			if (pskb_expand_head(hdr_skb, 0, space, GFP_ATOMIC) < 0) {
+			if (space > 0 &&
+			    pskb_expand_head(hdr_skb, 0, space, GFP_ATOMIC) < 0) {
 				dev_kfree_skb(skb);
 				RX_STAT_INC(rx_oom_err);
 				goto requeue_drop_frag;