From: linas@austin.ibm.com (Linas Vepstas)
To: David Miller <davem@davemloft.net>
Cc: linuxppc-dev@ozlabs.org, netdev@vger.kernel.org, mingo@elte.hu,
tglx@linutronix.de
Subject: Re: RT patches expose netdev race [was Re: [RFC] [patch 2/2] powerpc 2.6.21-rt1: fix kernel hang and/or panic
Date: Thu, 17 May 2007 18:52:47 -0500 [thread overview]
Message-ID: <20070517235247.GJ4325@austin.ibm.com> (raw)
In-Reply-To: <20070516.174101.45179259.davem@davemloft.net>
On Wed, May 16, 2007 at 05:41:01PM -0700, David Miller wrote:
> From: linas@austin.ibm.com (Linas Vepstas)
> Date: Wed, 16 May 2007 19:18:02 -0500
>
> > Since this is a long email; let me put a summary up front:
> > I think the RT/premption patches are exposing some sort
> > of race in the ip header handling code. The rest of the
> > note is forensics pointing to this.
>
> skb->head should never ever be NULL.
The stack trace from Owa-san showed a null pointer deref at
ip_hdr(skb)->protocol for an skb passed in via hard_start_xmit()
I dunno, memory corruption?
Tsutomu, can you reproduce this with something similr to the following
patch?
--linas
drivers/net/spider_net.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
Index: linux-2.6.22-rc1/drivers/net/spider_net.c
===================================================================
--- linux-2.6.22-rc1.orig/drivers/net/spider_net.c 2007-05-17 18:31:40.000000000 -0500
+++ linux-2.6.22-rc1/drivers/net/spider_net.c 2007-05-17 18:51:49.000000000 -0500
@@ -720,7 +720,19 @@ spider_net_prepare_tx_descr(struct spide
SPIDER_NET_DESCR_CARDOWNED | SPIDER_NET_DMAC_NOCS;
spin_unlock_irqrestore(&chain->lock, flags);
- if (skb->protocol == htons(ETH_P_IP) && skb->ip_summed == CHECKSUM_PARTIAL)
+ if (skb->protocol == htons(ETH_P_IP) && skb->ip_summed == CHECKSUM_PARTIAL) {
+ struct iphdr *hp=ip_hdr(skb);
+ if (((unsigned long) hp < 0x100000) ||
+ ((unsigned long)hp > 0xffff000000000000UL)) {
+ printk(KERN_ERROR "spidernet: bad ip header! "
+ "skb=%p ip_hdr=%p head=%p data=%p net=%x\n", skb, hp,
+ skb->head, skb->data, skb->network_header);
+ int i;
+ unsinged long *s=(unsigned long*) skb;
+ for (i=0; i<20; i++) {
+ printk("%d %lx %lx\n", i, s[2*i],s[2*i+1]);
+ }
+ } else {
switch (ip_hdr(skb)->protocol) {
case IPPROTO_TCP:
hwdescr->dmac_cmd_status |= SPIDER_NET_DMAC_TCP;
@@ -728,6 +740,8 @@ spider_net_prepare_tx_descr(struct spide
case IPPROTO_UDP:
hwdescr->dmac_cmd_status |= SPIDER_NET_DMAC_UDP;
break;
+ }
+ }
}
/* Chain the bus address, so that the DMA engine finds this descr. */
next prev parent reply other threads:[~2007-05-17 23:53 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-05-15 8:35 [RFC] [patch 0/2] powerpc 2.6.21-rt1: fix kernel hang and/or panic Tsutomu OWA
2007-05-15 8:44 ` [RFC] [patch 1/2] " Tsutomu OWA
2007-05-15 8:47 ` [RFC] [patch 2/2] " Tsutomu OWA
2007-05-15 10:09 ` Benjamin Herrenschmidt
2007-05-17 0:18 ` RT patches expose netdev race [was " Linas Vepstas
2007-05-17 0:41 ` David Miller
2007-05-17 23:52 ` Linas Vepstas [this message]
2007-05-18 5:36 ` Tsutomu OWA
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070517235247.GJ4325@austin.ibm.com \
--to=linas@austin.ibm.com \
--cc=davem@davemloft.net \
--cc=linuxppc-dev@ozlabs.org \
--cc=mingo@elte.hu \
--cc=netdev@vger.kernel.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).