Patchwork Help: major pppoe regression since 2.6.35 (panic on first ppp connection)?

Submitter Eric Dumazet
Date Dec. 22, 2010, 4:25 p.m.
Message ID <1293035100.3027.247.camel@edumazet-laptop>
Permalink /patch/76431/
State RFC
Delegated to: David Miller

Comments

Eric Dumazet - Dec. 22, 2010, 4:25 p.m.
On Wednesday 22 December 2010 at 17:00 +0100, Joel Soete wrote:
> Hello Jarek,
> 
> Nice to read you :<)
> 
> On 12/22/2010 12:00 PM, Jarek Poplawski wrote:
> > On 2010-12-22 09:22, Andrew Morton wrote:
> >> (cc netdev)
> >>
> >> The bug is still present in 2.6.37-rc6.
> >>
> >> On Sat, 18 Dec 2010 11:33:14 +0000 Joel Soete<soete.joel@scarlet.be>  wrote:
> >>
> >>> Hello all,
> >
> > Hi,
> > Could you reproduce this bug with a vanilla kernel (without nvidia
> > patch)? If so, please include dmesg and .config to the next report.
> >
> Yes (it was already a vanilla kernel, but 2.6.35 with my config, even though the same issue occurs with some other distro stock
> kernel 2.6.35), but here are some more dmesg with vanilla 2.6.37-rc6 and rc7 (I just added your debugging patch
> I found here, just because if I don't do it the kernel is panicking immediately without leaving any chance to capture dmesg (and
> unfortunately I don't have any more chance to grab panic messages from the serial console: no more rs232 on the latest office laptop :<)
> 
> So you will find here attached personal config files of 2 kernels and respective dmesg.
> 
> If ever you need more details, don't hesitate to ask me.
> 
> Thanks a lot,
> 	J.

Something overwrites nr_frags in skb_shinfo(skb).

As skb_shinfo follows the head portion of an skb, something overflows the skb
head.

Please try adding some room, like in the following patch?



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
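
The layout described in the message above, as an added user-space model (not kernel code and not part of the original thread): the shared info sits directly after the head area, a 64-byte filler precedes nr_frags, and the filler is poisoned so an overrun is measured rather than only absorbed. The names model_shinfo, model_overrun and run_case, the 0xA5 poison value and the buffer sizes are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FILLER_LEN 64   /* same size as the filler in the patch */
#define POISON     0xA5 /* constructed marker value */

/* Simplified stand-in for struct skb_shared_info with the filler in front. */
struct model_shinfo {
    unsigned char  filler[FILLER_LEN];
    unsigned short nr_frags;
    unsigned short gso_size;
};

/* Depth of the overrun into the filler; 0 means the poison is intact. */
static size_t model_overrun(const struct model_shinfo *sh)
{
    size_t i, depth = 0;
    for (i = 0; i < FILLER_LEN; i++)
        if (sh->filler[i] != POISON)
            depth = i + 1;
    return depth;
}

/* Unchecked write of len bytes into a head of `size` bytes (the modelled
 * bug); returns the overrun depth and stores the resulting nr_frags. */
static size_t run_case(size_t size, size_t len, unsigned short *frags)
{
    unsigned char *head = malloc(size + sizeof(struct model_shinfo));
    struct model_shinfo *sh;
    size_t depth;
    if (!head) return (size_t)-1;
    sh = (struct model_shinfo *)(head + size); /* shared info starts at end */
    memset(sh, 0, sizeof(*sh));
    memset(sh->filler, POISON, FILLER_LEN);
    memset(head, 0xFF, len);                   /* writer with no bounds check */
    depth = model_overrun(sh);
    *frags = sh->nr_frags;
    free(head);
    return depth;
}

int main(void)
{
    unsigned short f;
    size_t d = run_case(128, 148, &f);         /* 20 bytes past the head area */
    printf("overrun=%zu nr_frags=%u\n", d, (unsigned)f);
    return 0;
}
```

An overrun shorter than the filler leaves nr_frags intact, which matches the kernel surviving with the patch applied; the damaged poison bytes show how far past the end the writer went.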
Joel Soete - Dec. 23, 2010, 11:02 a.m.
Hello Eric,


On 12/22/2010 04:25 PM, Eric Dumazet wrote:
[snip]
>
> Something overwrites nr_frags in skb_shinfo(skb)
>
> As skb_shinfo follows head portion of an skb, something overflows skb
> head
>
> Please try adding some room like in following patch ?
>
> diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
> index e6ba898..adf2834 100644
> --- a/include/linux/skbuff.h
> +++ b/include/linux/skbuff.h
> @@ -187,6 +187,7 @@ enum {
>    * the end of the header data, ie. at skb->end.
>    */
>   struct skb_shared_info {
> +	char		filler[64];
>   	unsigned short	nr_frags;
>   	unsigned short	gso_size;
>   	/* Warning: this field is not always filled in (UFO)! */
>
Sorry for the delay, but I have good news: I am sending this answer from:
$ uname -a
Linux sidh2 2.6.37-rc7-amd64-t1 #1 SMP Thu Dec 23 10:30:27 GMT 2010 x86_64 GNU/Linux

with your tips ;<) (without them the kernel would already have died)

That said, how can I find the stuff overflowing the skb head? (all I can say is that this issue started with 2.6.34-git6???)

Thanks a lot,
	J.
Eric Dumazet - Dec. 23, 2010, 12:12 p.m.
On Thursday 23 December 2010 at 11:02 +0000, Joel Soete wrote:
> Hello Eric,
> 
> 
> On 12/22/2010 04:25 PM, Eric Dumazet wrote:
> [snip]
> >
> > Something overwrites nr_frags in skb_shinfo(skb)
> >
> > As skb_shinfo follows head portion of an skb, something overflows skb
> > head
> >
> > Please try adding some room like in following patch ?
> >
> > diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
> > index e6ba898..adf2834 100644
> > --- a/include/linux/skbuff.h
> > +++ b/include/linux/skbuff.h
> > @@ -187,6 +187,7 @@ enum {
> >    * the end of the header data, ie. at skb->end.
> >    */
> >   struct skb_shared_info {
> > +	char		filler[64];
> >   	unsigned short	nr_frags;
> >   	unsigned short	gso_size;
> >   	/* Warning: this field is not always filled in (UFO)! */
> >
> Sorry for delay but I have good news, I am sending this answer from:
> $ uname -a
> Linux sidh2 2.6.37-rc7-amd64-t1 #1 SMP Thu Dec 23 10:30:27 GMT 2010 x86_64 GNU/Linux
> 
> with your tips ;<) (without kernel had already died)
> 
> That said how can find stuff overflowing skb head? (all I say, is that this issue started with 2.6.34-git6???)
> 
> Thanks a lot,

You're welcome. At least we know where to search. Thanks!

I am taking holidays right now for about 5 days, I guess someone else
might find the bug before me ;)




Patch

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index e6ba898..adf2834 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -187,6 +187,7 @@  enum {
  * the end of the header data, ie. at skb->end.
  */
 struct skb_shared_info {
+	char		filler[64];
 	unsigned short	nr_frags;
 	unsigned short	gso_size;
 	/* Warning: this field is not always filled in (UFO)! */
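
Review bot: the `char filler[64];` added as the first member of `struct skb_shared_info` carries no comment and no debug guard, so it reads as a permanent field although it only absorbs writes that run up to 64 bytes past skb->end and leaves the overflowing writer in place. Mark it as a diagnostic aid in a comment (or wrap it in a debug-only #ifdef), and consider filling it with a known pattern that is checked when the skb is freed, so the overwrite gets reported instead of silently tolerated.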