From: Alexander Aring <alex.aring@gmail.com>
To: Simon Vincent <simon.vincent@xsilon.com>
Cc: linux-wpan@vger.kernel.org
Subject: Re: Kernel crash when using multiple interfaces
Date: Fri, 15 May 2015 17:28:49 +0200 [thread overview]
Message-ID: <20150515152846.GC11157@omega> (raw)
In-Reply-To: <5555EC72.6060302@xsilon.com>
On Fri, May 15, 2015 at 01:54:10PM +0100, Simon Vincent wrote:
> I have found the Kernel crashes when multiple 802.15.4 interfaces are used
> at the same time.
> I have tracked it down in the kernel to net/mac802154/tx.c
> The problem is the ieee802154_xmit_cb is a global variable so after it has
> been assigned and added to the work queue it can be corrupted/changed by
> another interface transmitting a packet.
>
> I have fixed it by allocating the structure on the heap. If this is a
> satisfactory fix I can submit it as a patch.
>
> diff --git a/net/mac802154/tx.c b/net/mac802154/tx.c
> index c62e956..168d377 100644
> --- a/net/mac802154/tx.c
> +++ b/net/mac802154/tx.c
> @@ -39,8 +39,6 @@ struct ieee802154_xmit_cb {
> struct ieee802154_local *local;
> };
>
> -static struct ieee802154_xmit_cb ieee802154_xmit_cb;
> -
> static void ieee802154_xmit_worker(struct work_struct *work)
> {
> struct ieee802154_xmit_cb *cb =
> @@ -66,6 +64,7 @@ static void ieee802154_xmit_worker(struct work_struct
> *work)
> dev->stats.tx_bytes += skb->len;
>
> rtnl_unlock();
> + kfree(cb);
>
> return;
>
> @@ -74,6 +73,7 @@ err_tx:
> ieee802154_wake_queue(&local->hw);
> rtnl_unlock();
> kfree_skb(skb);
> + kfree(cb);
> netdev_dbg(dev, "transmission failed\n");
> }
>
> @@ -81,8 +81,8 @@ static netdev_tx_t
> ieee802154_tx(struct ieee802154_local *local, struct sk_buff *skb)
> {
> struct net_device *dev = skb->dev;
> + struct ieee802154_xmit_cb *ieee802154_xmit_cb_ptr;
put this at beginnging of else branch.
> int ret;
> -
> if (!(local->hw.flags & IEEE802154_HW_TX_OMIT_CKSUM)) {
> u16 crc = crc_ccitt(0, skb->data, skb->len);
>
> @@ -106,11 +106,11 @@ ieee802154_tx(struct ieee802154_local *local, struct
> sk_buff *skb)
> dev->stats.tx_packets++;
> dev->stats.tx_bytes += skb->len;
> } else {
struct ieee802154_xmit_cb *ieee802154_xmit_cb_ptr;
> - INIT_WORK(&ieee802154_xmit_cb.work, ieee802154_xmit_worker);
> - ieee802154_xmit_cb.skb = skb;
> - ieee802154_xmit_cb.local = local;
> -
> - queue_work(local->workqueue, &ieee802154_xmit_cb.work);
> + ieee802154_xmit_cb_ptr = kmalloc(sizeof(struct ieee802154_xmit_cb),
> GFP_ATOMIC);
The GFP_ATOMIC should match on the opening brackets of kmalloc.
Example:
ieee802154_xmit_cb_ptr = kmalloc(sizeof(struct ieee802154_xmit_cb),
GFP_ATOMIC);
and add an error handling here.
if (!ieee802154_xmit_cb_ptr) {
ieee802154_wake_queue(&local->hw);
goto err_tx;
}
- Alex
prev parent reply other threads:[~2015-05-15 15:28 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-15 12:54 Kernel crash when using multiple interfaces Simon Vincent
2015-05-15 14:20 ` Alexander Aring
2015-05-15 15:02 ` Simon Vincent
2015-05-15 15:23 ` Alexander Aring
2015-05-16 15:33 ` Alexander Aring
2015-05-18 10:57 ` Simon Vincent
2015-05-18 14:00 ` Alexander Aring
2015-05-18 15:05 ` Simon Vincent
2015-05-18 15:37 ` Alexander Aring
2015-05-18 16:27 ` Alexander Aring
2015-05-19 11:18 ` Simon Vincent
2015-05-15 15:28 ` Alexander Aring [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150515152846.GC11157@omega \
--to=alex.aring@gmail.com \
--cc=linux-wpan@vger.kernel.org \
--cc=simon.vincent@xsilon.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox