From: David Miller <davem@davemloft.net>
To: mingo@elte.hu
Cc: vegard.nossum@gmail.com, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, penberg@cs.helsinki.fi, rjw@sisk.pl
Subject: Re: [bug, netconsole, SLUB] BUG skbuff_head_cache: Poison overwritten
Date: Thu, 17 Jul 2008 19:13:37 -0700 (PDT)
Message-ID: <20080717.191337.76211017.davem@davemloft.net>
In-Reply-To: <20080717235254.GA6833@elte.hu>
From: Ingo Molnar <mingo@elte.hu>
Date: Fri, 18 Jul 2008 01:52:54 +0200
> kmemcheck: Caught 8-bit read from uninitialized memory (f653ad24)
> iiiiiiiiiiiiiiiiuuuuuuuuuuuuuuuuuuuuuiuuuuuuuuuuuuuuuuuuuuuuuuuu
>                                     ^
>
> Pid: 2484, comm: arping Not tainted (2.6.26-tip #20187)
> EIP: 0060:[<c05e973c>] EFLAGS: 00010282 CPU: 0
> EIP is at __copy_skb_header+0x7c/0x100
> EAX: 00000000 EBX: f653acc0 ECX: f653ac00 EDX: f653ac00
> ESI: f653ac50 EDI: f653ad10 EBP: c09b9e84 ESP: c09ddaa8
> DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
> CR0: 8005003b CR2: f71c2700 CR3: 36513000 CR4: 000006d0
> DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
> DR6: ffff4ff0 DR7: 00000400
> [<c05e97e7>] __skb_clone+0x27/0xe0
> [<c05eb101>] skb_clone+0x41/0x60
> [<c065cbf1>] packet_rcv+0xc1/0x290
> [<c05f07ad>] netif_receive_skb+0x20d/0x400
> [<c03b2aa7>] e1000_receive_skb+0x47/0x180
> [<c03b3983>] e1000_clean_rx_irq+0x223/0x2e0
> [<c03b225b>] e1000_clean+0x5b/0x200
> [<c05f29db>] net_rx_action+0xfb/0x160
> [<c0129092>] __do_softirq+0x82/0xf0
> [<c0105b8a>] call_on_stack+0x1a/0x30
>
> false positive? Find below the quick hacks i did to pre-initialize skb
> allocations that have RX DMA into them.
Maybe. Every SKB object allocated is fully initialized
in __alloc_skb():
	/*
	 * Only clear those fields we need to clear, not those that we will
	 * actually initialise below. Hence, don't put any more fields after
	 * the tail pointer in struct sk_buff!
	 */
	memset(skb, 0, offsetof(struct sk_buff, tail));
That leaves the following trailing members of struct sk_buff:
	/* These elements must be at the end, see alloc_skb() for details. */
	sk_buff_data_t		tail;
	sk_buff_data_t		end;
	unsigned char		*head,
				*data;
	unsigned int		truesize;
	atomic_t		users;
which are then explicitly initialized right after the quoted memset():
	skb->truesize = size + sizeof(struct sk_buff);
	atomic_set(&skb->users, 1);
	skb->head = data;
	skb->data = data;
	skb_reset_tail_pointer(skb);
	skb->end = skb->tail + size;
When we clone, there are probably some fields we don't copy over
explicitly. And we usually do that because they don't matter or
if they do the caller will take care of it.
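The two initialisation paths David describes (memset() up to offsetof(tail) plus member-by-member writes in __alloc_skb(), versus a clone that copies only selected fields) can be checked outside the kernel. The following is an added, stand-alone example, not kernel code: `struct toy_skb` is a hypothetical stand-in for struct sk_buff, `late_field` is a hypothetical member placed after the trailing block to show what the kernel comment warns about, and the "poison diff" check (initialise two copies pre-filled with different byte patterns and compare them) is a userspace substitute for kmemcheck's shadow tracking: any byte that still differs afterwards was never written by the initialiser.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for struct sk_buff, not the kernel's definition.
 * Members before 'tail' are cleared with one memset(); members from 'tail'
 * onwards are written one by one, mirroring __alloc_skb().  The struct is
 * laid out without padding on both 32- and 64-bit ABIs so that the byte
 * scan below reports only genuine members. */
struct toy_skb {
	struct toy_skb	*next, *prev;
	uint32_t	len, priority;
	uint32_t	tail, end;		/* start of the trailing block */
	unsigned char	*head, *data;
	unsigned int	truesize;
	int		users;
	unsigned long	late_field;		/* hypothetical: added after 'users' */
};

static unsigned char g_buf[256];	/* stands in for the packet data area */

/* Mirrors __alloc_skb(): clear up to 'tail', then set each trailing member.
 * init_late_field selects whether the extra member gets initialised. */
static void toy_alloc_skb(struct toy_skb *skb, unsigned char *buf,
			  unsigned int size, int init_late_field)
{
	memset(skb, 0, offsetof(struct toy_skb, tail));
	skb->truesize = size + sizeof(struct toy_skb);
	skb->users = 1;
	skb->head = buf;
	skb->data = buf;
	skb->tail = 0;				/* offset form of skb_reset_tail_pointer() */
	skb->end = skb->tail + size;
	if (init_late_field)
		skb->late_field = 0;
}

/* Mirrors __copy_skb_header()/__skb_clone(): the clone is raw allocator
 * memory and only the listed members are copied over.  late_field is
 * deliberately left out, as a field a clone path might forget. */
static void toy_clone_skb(struct toy_skb *n, const struct toy_skb *old)
{
	n->next = n->prev = NULL;
	n->len = old->len;
	n->priority = old->priority;
	n->tail = old->tail;
	n->end = old->end;
	n->head = old->head;
	n->data = old->data;
	n->truesize = sizeof(struct toy_skb);
	n->users = 1;
}

/* Offset of the first byte that differs between two objects, or -1. */
static long diff_offset(const struct toy_skb *a, const struct toy_skb *b)
{
	const unsigned char *pa = (const unsigned char *)a;
	const unsigned char *pb = (const unsigned char *)b;

	for (size_t i = 0; i < sizeof(*a); i++)
		if (pa[i] != pb[i])
			return (long)i;
	return -1;
}

/* Poison-diff check of the allocation path: returns the offset of the first
 * byte __alloc_skb()'s equivalent never wrote, or -1 if all were written. */
long check_alloc(int init_late_field)
{
	struct toy_skb a, b;

	memset(&a, 0xA5, sizeof(a));
	memset(&b, 0x5A, sizeof(b));
	toy_alloc_skb(&a, g_buf, sizeof(g_buf), init_late_field);
	toy_alloc_skb(&b, g_buf, sizeof(g_buf), init_late_field);
	return diff_offset(&a, &b);
}

/* Same check for the clone path, starting from a fully initialised original. */
long check_clone(void)
{
	struct toy_skb orig, a, b;

	toy_alloc_skb(&orig, g_buf, sizeof(g_buf), 1);
	memset(&a, 0xA5, sizeof(a));
	memset(&b, 0x5A, sizeof(b));
	toy_clone_skb(&a, &orig);
	toy_clone_skb(&b, &orig);
	return diff_offset(&a, &b);
}

int main(void)
{
	printf("alloc, late_field initialised: first uninit byte %ld\n", check_alloc(1));
	printf("alloc, late_field forgotten:   first uninit byte %ld (late_field at %zu)\n",
	       check_alloc(0), offsetof(struct toy_skb, late_field));
	printf("clone, late_field not copied:  first uninit byte %ld\n", check_clone());
	return 0;
}
```

Run as-is, the allocation path reports -1 when every trailing member is written and the offset of `late_field` when it is not; the clone path reports the same offset, which is the situation David points at: a member the clone does not copy explicitly stays whatever the allocator left there until the caller sets it. The same two-poison comparison can be pointed at any struct whose initialiser relies on a partial memset() plus explicit writes.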