[OOPS] In __netif_receive_skb_core

Message ID 1452565515.1223.11.camel@edumazet-glaptop2.roam.corp.google.com
State RFC, archived
Delegated to: David Miller

Commit Message

Eric Dumazet Jan. 12, 2016, 2:25 a.m. UTC
On Mon, 2016-01-11 at 18:21 -0800, Eric Dumazet wrote:
> On Mon, 2016-01-11 at 17:19 -0800, Salam Noureddine wrote:
> > It must be that skb->dev was changed to NULL inside of
> > __netif_receive_skb_core, otherwise we would have crashed much
> > earlier. Also, orig_dev is saved at the beginning. Possibly a device
> > is layered on top of the original device.
> 
> Please do not top post on netdev / lkml mailing lists.
> 
> My guess is a protocol handler queued the skb without calling
> skb_share_check()
> 

OK, please try this fix:

Comments

Ivaylo Dimitrov Jan. 12, 2016, 7:16 a.m. UTC | #1
On 12.01.2016 04:25, Eric Dumazet wrote:
> On Mon, 2016-01-11 at 18:21 -0800, Eric Dumazet wrote:
>> On Mon, 2016-01-11 at 17:19 -0800, Salam Noureddine wrote:
>>> It must be that skb->dev was changed to NULL inside of
>>> __netif_receive_skb_core, otherwise we would have crashed much
>>> earlier. Also, orig_dev is saved at the beginning. Possibly a device
>>> is layered on top of the original device.

Exactly (skb->dev was changed to NULL ...). Do you think it makes sense 
to put printks in various places in __netif_receive_skb_core to see 
after which function call skb->dev turns into NULL?

>
> OK please try this fix :
>
> diff --git a/net/phonet/af_phonet.c b/net/phonet/af_phonet.c
> index 10d42f3220ab..f925753668a7 100644
> --- a/net/phonet/af_phonet.c
> +++ b/net/phonet/af_phonet.c
> @@ -377,6 +377,10 @@ static int phonet_rcv(struct sk_buff *skb, struct net_device *dev,
>   	struct sockaddr_pn sa;
>   	u16 len;
>
> +	skb = skb_share_check(skb, GFP_ATOMIC);
> +	if (!skb)
> +		return NET_RX_DROP;
> +
>   	/* check we have at least a full Phonet header */
>   	if (!pskb_pull(skb, sizeof(struct phonethdr)))
>   		goto out;
>
>

That one fixes the oops, though I wonder if your previous patch is
needed (I reverted it before testing the current one). Unfortunately I don't
have a SIM card around to test the GPRS connection with; I will do it as soon as
I find one and will report.

Thanks,
Ivo
Eric Dumazet Jan. 12, 2016, 2:19 p.m. UTC | #2
On Tue, 2016-01-12 at 09:16 +0200, Ivaylo Dimitrov wrote:
> 
> On 12.01.2016 04:25, Eric Dumazet wrote:

> >
> > OK please try this fix :
> >
> > diff --git a/net/phonet/af_phonet.c b/net/phonet/af_phonet.c
> > index 10d42f3220ab..f925753668a7 100644
> > --- a/net/phonet/af_phonet.c
> > +++ b/net/phonet/af_phonet.c
> > @@ -377,6 +377,10 @@ static int phonet_rcv(struct sk_buff *skb, struct net_device *dev,
> >   	struct sockaddr_pn sa;
> >   	u16 len;
> >
> > +	skb = skb_share_check(skb, GFP_ATOMIC);
> > +	if (!skb)
> > +		return NET_RX_DROP;
> > +
> >   	/* check we have at least a full Phonet header */
> >   	if (!pskb_pull(skb, sizeof(struct phonethdr)))
> >   		goto out;
> >
> >
> 
> That one fixes the oops, though I wonder if your previous patch is 
> needed (I reverted it before testing the current). Unfortunately I don't 
> have SIM card around to test GPRS connection with, will do it as soon as 
> I find one and will report.

Well, this bug in phonet_rcv() is rather obvious; I have no idea why
nobody got crashes or corruptions before today.

I'll send a formal patch.

Thanks for your help!
Salam Noureddine Jan. 12, 2016, 6:15 p.m. UTC | #3
On Mon, Jan 11, 2016 at 11:16 PM, Ivaylo Dimitrov
<ivo.g.dimitrov.75@gmail.com> wrote:

>>> On Mon, 2016-01-11 at 17:19 -0800, Salam Noureddine wrote:
>>>>
>>>> It must be that skb->dev was changed to NULL inside of
>>>> __netif_receive_skb_core, otherwise we would have crashed much
>>>> earlier. Also, orig_dev is saved at the beginning. Possibly a device
>>>> is layered on top of the original device.
>
>
> Exactly (skb->dev was changed to NULL ...). Do you think it makes sense to
> put printks in various places in __netif_receive_skb_core to see after which
> function call skb->dev turns into NULL?
>

No need anymore since Eric found the culprit in phonet_rcv.
Thanks for your help debugging this!

Salam

Patch

diff --git a/net/phonet/af_phonet.c b/net/phonet/af_phonet.c
index 10d42f3220ab..f925753668a7 100644
--- a/net/phonet/af_phonet.c
+++ b/net/phonet/af_phonet.c
@@ -377,6 +377,10 @@  static int phonet_rcv(struct sk_buff *skb, struct net_device *dev,
 	struct sockaddr_pn sa;
 	u16 len;
 
+	skb = skb_share_check(skb, GFP_ATOMIC);
+	if (!skb)
+		return NET_RX_DROP;
+
 	/* check we have at least a full Phonet header */
 	if (!pskb_pull(skb, sizeof(struct phonethdr)))
 		goto out;
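Review bot: the early `return NET_RX_DROP` on a failed skb_share_check() is correct and must stay a bare return rather than a `goto out`: skb_share_check() already frees the original skb when its clone fails, so routing that path through the existing `out:` label (not visible in this hunk) would risk a double free if that label frees the skb. Placing the call before pskb_pull() is also the right order, since pskb_pull() modifies the skb, and any later change to skb->dev in phonet_rcv() would otherwise be visible to the other handlers that hold a reference to the same shared skb, which matches the NULL skb->dev seen in __netif_receive_skb_core. Two suggestions for the formal submission: add a one-line comment above the call stating that the skb may be shared with other protocol handlers and taps and must be unshared before being modified, and have the commit message describe this shared-skb root cause together with a Fixes: tag for the commit that introduced phonet_rcv()'s in-place modification of the skb.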