* zd1211 or mac80211: SKB invalid truesize
@ 2007-09-25 20:42 Michael Buesch
From: Michael Buesch @ 2007-09-25 20:42 UTC (permalink / raw)
To: Johannes Berg, Ulrich Kunitz, Daniel Drake; +Cc: linux-wireless
I get dmesg spammed with the following message when
I connect to an open network with zd1211rw-mac80211.
I'm not sure if that's a bug in zd or mac80211.
Any idea how to debug this?
[ 280.915811] SKB BUG: Invalid truesize (840) len=1440, sizeof(sk_buff)=168
The device keeps working fine while this spams dmesg.
* Re: zd1211 or mac80211: SKB invalid truesize
From: David Miller @ 2007-09-25 21:18 UTC (permalink / raw)
To: mb; +Cc: johannes, kune, dsd, linux-wireless
From: Michael Buesch <mb@bu3sch.de>
Date: Tue, 25 Sep 2007 22:42:11 +0200
> I get dmesg spammed with the following message when
> I connect to an open network with zd1211rw-mac80211.
> I'm not sure if that's a bug in zd or mac80211.
> Any idea how to debug this?
>
> [ 280.915811] SKB BUG: Invalid truesize (840) len=1440, sizeof(sk_buff)=168
>
> The device keeps working fine while this spams dmesg.
For anyone who investigates this, the issue is that if there is a
socket associated with an skb (ie. skb->sk is non-NULL) you cannot
change the skb->truesize without also adjusting the memory accounted
to the socket.
Otherwise when the SKB gets freed, the wrong amount of socket buffer
memory allocation will be given back to the socket.
When the above message triggers, it means the skb->truesize is
smaller than skb->len plus the size of struct sk_buff which is
obviously completely bogus.
* Re: zd1211 or mac80211: SKB invalid truesize
From: Michael Buesch @ 2007-09-25 21:25 UTC (permalink / raw)
To: David Miller; +Cc: johannes, kune, dsd, linux-wireless
On Tuesday 25 September 2007 23:18:16 David Miller wrote:
> From: Michael Buesch <mb@bu3sch.de>
> Date: Tue, 25 Sep 2007 22:42:11 +0200
>
> > I get dmesg spammed with the following message when
> > I connect to an open network with zd1211rw-mac80211.
> > I'm not sure if that's a bug in zd or mac80211.
> > Any idea how to debug this?
> >
> > [ 280.915811] SKB BUG: Invalid truesize (840) len=1440, sizeof(sk_buff)=168
> >
> > The device keeps working fine while this spams dmesg.
>
> For anyone who investigates this, the issue is that if there is a
> socket associated with an skb (ie. skb->sk is non-NULL) you cannot
> change the skb->truesize without also adjusting the memory accounted
> to the socket.
>
> Otherwise when the SKB gets freed, the wrong amount of socket buffer
> memory allocation will be given back to the socket.
>
> When the above message triggers, it means the skb->truesize is
> smaller than skb->len plus the size of struct sk_buff which is
> obviously completely bogus.
Yeah, well. But how can this happen? Someone assigning to skb->len?
zd1211 doesn't do this.
Any slight idea which (kind of) code could trigger this?
--
Greetings Michael.
* Re: zd1211 or mac80211: SKB invalid truesize
From: David Miller @ 2007-09-25 21:30 UTC (permalink / raw)
To: mb; +Cc: johannes, kune, dsd, linux-wireless
From: Michael Buesch <mb@bu3sch.de>
Date: Tue, 25 Sep 2007 23:25:02 +0200
> Yeah, well. But how can this happen? Someone assigning to skb->len?
> zd1211 doesn't do this.
> Any slight idea which (kind of) code could trigger this?
Anything which modifies skb->truesize directly would be
suspect.
Most modifications of skb->len go through the standard
interfaces like skb_put(), skb_pull() etc. and those
assert whether we go over and under the limits.
Therefore something that modifies skb->len directly would
be suspect as well.
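The invariant David describes in both replies (truesize must cover len plus the sk_buff header, and a truesize change on a socket-owned skb must also move the socket's charge) as an added illustration; this is a small stand-alone model, not kernel code, and the struct sock / struct sk_buff below are simplified stand-ins with only the fields the check needs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins (assumption: not the real kernel structures). */
struct sock { int wmem_alloc; };           /* bytes currently charged to the socket */
struct sk_buff {
    struct sock *sk;        /* owning socket, or NULL if unowned */
    unsigned int len;       /* payload bytes */
    unsigned int truesize;  /* total memory this skb is charged for */
};

/* The same condition the kernel's truesize check tests: truesize must be
 * at least len + sizeof(struct sk_buff). Returns true when it is bogus. */
bool skb_truesize_is_bogus(const struct sk_buff *skb)
{
    unsigned int min = skb->len + (unsigned int)sizeof(struct sk_buff);
    if (skb->truesize < min) {
        printf("SKB BUG: Invalid truesize (%u) len=%u, sizeof(sk_buff)=%zu\n",
               skb->truesize, skb->len, sizeof(struct sk_buff));
        return true;
    }
    return false;
}

/* Charge the skb to a socket (what happens when a socket takes ownership). */
void skb_charge(struct sk_buff *skb, struct sock *sk)
{
    skb->sk = sk;
    sk->wmem_alloc += (int)skb->truesize;
}

/* Give the charge back on free; returns what the socket still thinks is
 * outstanding, which should be 0 once its only skb is released. */
int skb_release(struct sk_buff *skb)
{
    skb->sk->wmem_alloc -= (int)skb->truesize;
    return skb->sk->wmem_alloc;
}

/* Wrong: changing truesize behind the socket's back leaves the charge stale. */
void skb_set_truesize_raw(struct sk_buff *skb, unsigned int new_truesize)
{
    skb->truesize = new_truesize;
}

/* Right: move the difference through the socket's accounting as well. */
void skb_set_truesize_accounted(struct sk_buff *skb, unsigned int new_truesize)
{
    if (skb->sk)
        skb->sk->wmem_alloc += (int)new_truesize - (int)skb->truesize;
    skb->truesize = new_truesize;
}
```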