kernel panic with time-stamping in phy devices (monitor mode)

kernel panic with time-stamping in phy devices (monitor mode)

[Andrew Watts]

Hi.

The 'time stamping in phy devices' code introduced in 2.6.36
(c1f19b51d1d87f3e3bb7e6648f43f7d57ed2da6b et al.) triggers
kernel panics when wireless devices are placed in monitor mode
(tested with b43 and ath5k devices on a 32-bit system).

To reproduce, set CONFIG_NETWORK_PHY_TIMESTAMPING=y and put a
wireless device into monitor mode:

 # ifconfig wlan0 down
 # iwconfig wlan0 mode monitor 
 # ifconfig wlan0 up

~ Andy

==============

 [<c14455ad>] ? __alloc_skb+0x53/0xf8
 [<f92fdd57>] ? b43_dma_rx+0x18a/0x342 [b43]
 [<f92e8475>] ? b43_do_interrupt_thread+0x420/0x92e [b43]
 [<c1027731>] ? __dequeue_entity+0x31/0x35
 [<c1027a44>] ? set_next_entity+0xad/0xbb
 [<f92e899b>] ? b43_interrupt_thread_handler+0x18/0x2b [b43]
 [<c107c378>] ? irq_thread+0xb6/0x19e
 [<c15625a0>] ? schedule+0x254/0x566
 [<c107c2c2>] ? irq_thread+0x0/0x19e
 [<c10448b1>] ? kthread+0x67/0x69
 [<c104484a>] ? kthread+0x0/0x69
 [<c100323e>] ? kernel_thread_helper+0x6/0x18
Code: 4c 24 14 8b 88 a8 00 00 00 89 4c 24 10 89 54 24 0c 8b
40 50 89 44 24 08 8b 45 04 89 44 24 04 c7 04 24 30 74 7a c1
e8 b5 d2 11 00 <0f> 0b eb fe 55 89 e5 56 53 83 ec 24 8b 88
a0 00 00 00 8b 58 54
EIP: [<c1444ea0>] skb_push+0x7d/0x81 SS:ESP 0068:cee01d78
---[ end trace af1c99818e62b195 ]---
Kernel panic - not syncing: Fatal exception in interrupt
Pid: 6674, comm: irq/18-b43 Tainted: G     D     2.6.36.1
Call Trace:
 [<c156217d>] ? printk+0x28/0x2a
 [<c156205c>] panic+0x57/0x150
 [<c1564adf>] oops_begin+0x0/0x40
 [<c1004e36>] die+0x49/0x5d
 [<c1564304>] do_trap+0x84/0xad
 [<c10037e5>] ? do_invalid_op+0x0/0x93
 [<c100386b>] do_invalid_op+0x86/0x93
 [<c1444ea0>] ? skb_push+0x7d/0x81
 [<c15640b9>] error_code+0x65/0x6c
 [<c1444ea0>] ? skb_push+0x7d/0x81
 [<c145f721>] ? skb_defer_rx_timestamp+0x12/0x5a
 [<c145f721>] skb_defer_rx_timestamp+0x12/0x5a
 [<c144d23c>] netif_receive_skb+0x1f/0x47
 [<c153a6e8>] ieee80211_rx+0x661/0x8e1
 [<f85daca2>] ? ssb_pci_read32+0x19/0x31 [ssb]
 [<f92e54cf>] ? b43_tsf_read+0x2a/0x47 [b43]
 [<f92f8d42>] b43_rx+0x24c/0x5eb [b43]
 [<c14455ad>] ? __alloc_skb+0x53/0xf8
 [<f92fdd57>] b43_dma_rx+0x18a/0x342 [b43]
 [<f92e8475>] b43_do_interrupt_thread+0x420/0x92e [b43]
 [<c1027731>] ? __dequeue_entity+0x31/0x35
 [<c1027a44>] ? set_next_entity+0xad/0xbb
 [<f92e899b>] b43_interrupt_thread_handler+0x18/0x2b [b43]
 [<c107c378>] irq_thread+0xb6/0x19e
 [<c15625a0>] ? schedule+0x254/0x566
 [<c107c2c2>] ? irq_thread+0x0/0x19e
 [<c10448b1>] kthread+0x67/0x69
 [<c104484a>] ? kthread+0x0/0x69
 [<c100323e>] kernel_thread_helper+0x6/0x18



      

Re: kernel panic with time-stamping in phy devices (monitor mode)

[Eric Dumazet]

Le jeudi 02 décembre 2010 à 08:05 -0800, Andrew Watts a écrit :
> Hi.
> 
> The 'time stamping in phy devices' code introduced in 2.6.36
> (c1f19b51d1d87f3e3bb7e6648f43f7d57ed2da6b et al.) triggers
> kernel panics when wireless devices are placed in monitor mode
> (tested with b43 and ath5k devices on a 32-bit system).
> 
> To reproduce, set CONFIG_NETWORK_PHY_TIMESTAMPING=y and put a
> wireless device into monitor mode:
> 
>  # ifconfig wlan0 down
>  # iwconfig wlan0 mode monitor 
>  # ifconfig wlan0 up
> 
> ~ Andy
> 
> ==============
> 
>  [<c14455ad>] ? __alloc_skb+0x53/0xf8
>  [<f92fdd57>] ? b43_dma_rx+0x18a/0x342 [b43]
>  [<f92e8475>] ? b43_do_interrupt_thread+0x420/0x92e [b43]
>  [<c1027731>] ? __dequeue_entity+0x31/0x35
>  [<c1027a44>] ? set_next_entity+0xad/0xbb
>  [<f92e899b>] ? b43_interrupt_thread_handler+0x18/0x2b [b43]
>  [<c107c378>] ? irq_thread+0xb6/0x19e
>  [<c15625a0>] ? schedule+0x254/0x566
>  [<c107c2c2>] ? irq_thread+0x0/0x19e
>  [<c10448b1>] ? kthread+0x67/0x69
>  [<c104484a>] ? kthread+0x0/0x69
>  [<c100323e>] ? kernel_thread_helper+0x6/0x18
> Code: 4c 24 14 8b 88 a8 00 00 00 89 4c 24 10 89 54 24 0c 8b
> 40 50 89 44 24 08 8b 45 04 89 44 24 04 c7 04 24 30 74 7a c1
> e8 b5 d2 11 00 <0f> 0b eb fe 55 89 e5 56 53 83 ec 24 8b 88
> a0 00 00 00 8b 58 54
> EIP: [<c1444ea0>] skb_push+0x7d/0x81 SS:ESP 0068:cee01d78
> ---[ end trace af1c99818e62b195 ]---
> Kernel panic - not syncing: Fatal exception in interrupt
> Pid: 6674, comm: irq/18-b43 Tainted: G     D     2.6.36.1
> Call Trace:
>  [<c156217d>] ? printk+0x28/0x2a
>  [<c156205c>] panic+0x57/0x150
>  [<c1564adf>] oops_begin+0x0/0x40
>  [<c1004e36>] die+0x49/0x5d
>  [<c1564304>] do_trap+0x84/0xad
>  [<c10037e5>] ? do_invalid_op+0x0/0x93
>  [<c100386b>] do_invalid_op+0x86/0x93
>  [<c1444ea0>] ? skb_push+0x7d/0x81
>  [<c15640b9>] error_code+0x65/0x6c
>  [<c1444ea0>] ? skb_push+0x7d/0x81
>  [<c145f721>] ? skb_defer_rx_timestamp+0x12/0x5a
>  [<c145f721>] skb_defer_rx_timestamp+0x12/0x5a
>  [<c144d23c>] netif_receive_skb+0x1f/0x47
>  [<c153a6e8>] ieee80211_rx+0x661/0x8e1
>  [<f85daca2>] ? ssb_pci_read32+0x19/0x31 [ssb]
>  [<f92e54cf>] ? b43_tsf_read+0x2a/0x47 [b43]
>  [<f92f8d42>] b43_rx+0x24c/0x5eb [b43]
>  [<c14455ad>] ? __alloc_skb+0x53/0xf8
>  [<f92fdd57>] b43_dma_rx+0x18a/0x342 [b43]
>  [<f92e8475>] b43_do_interrupt_thread+0x420/0x92e [b43]
>  [<c1027731>] ? __dequeue_entity+0x31/0x35
>  [<c1027a44>] ? set_next_entity+0xad/0xbb
>  [<f92e899b>] b43_interrupt_thread_handler+0x18/0x2b [b43]
>  [<c107c378>] irq_thread+0xb6/0x19e
>  [<c15625a0>] ? schedule+0x254/0x566
>  [<c107c2c2>] ? irq_thread+0x0/0x19e
>  [<c10448b1>] kthread+0x67/0x69
>  [<c104484a>] ? kthread+0x0/0x69
>  [<c100323e>] kernel_thread_helper+0x6/0x18
> 
> 

Thanks for the report

Please try following patch.

diff --git a/net/core/timestamping.c b/net/core/timestamping.c
index dac7ed6..a710ab0 100644
--- a/net/core/timestamping.c
+++ b/net/core/timestamping.c
@@ -96,7 +96,10 @@ bool skb_defer_rx_timestamp(struct sk_buff *skb)
 	struct phy_device *phydev;
 	unsigned int type;
 
-	skb_push(skb, ETH_HLEN);
+	if (skb->data - ETH_HLEN < skb->head)
+		return false;
+
+	__skb_push(skb, ETH_HLEN);
 
 	type = classify(skb);
 

Re: kernel panic with time-stamping in phy devices (monitor mode)

[Andrew Watts]

--- On Thu, 12/2/10, Eric Dumazet <eric.dumazet@gmail.com> wrote:

> Le jeudi 02 décembre 2010 à 08:05
> -0800, Andrew Watts a écrit :
> > Hi.
> > 
> > The 'time stamping in phy devices' code introduced in
> 2.6.36
> > (c1f19b51d1d87f3e3bb7e6648f43f7d57ed2da6b et al.)
> triggers
> > kernel panics when wireless devices are placed in
> monitor mode
> > (tested with b43 and ath5k devices on a 32-bit
> system).
> > 
> > To reproduce, set CONFIG_NETWORK_PHY_TIMESTAMPING=y
> and put a
> > wireless device into monitor mode:
> > 
> >  # ifconfig wlan0 down
> >  # iwconfig wlan0 mode monitor 
> >  # ifconfig wlan0 up
> > 
> > ~ Andy
> > 
> > ==============
> > 
> >  [<c14455ad>] ? __alloc_skb+0x53/0xf8
> >  [<f92fdd57>] ? b43_dma_rx+0x18a/0x342
> [b43]
> >  [<f92e8475>] ?
> b43_do_interrupt_thread+0x420/0x92e [b43]
> >  [<c1027731>] ? __dequeue_entity+0x31/0x35
> >  [<c1027a44>] ? set_next_entity+0xad/0xbb
> >  [<f92e899b>] ?
> b43_interrupt_thread_handler+0x18/0x2b [b43]
> >  [<c107c378>] ? irq_thread+0xb6/0x19e
> >  [<c15625a0>] ? schedule+0x254/0x566
> >  [<c107c2c2>] ? irq_thread+0x0/0x19e
> >  [<c10448b1>] ? kthread+0x67/0x69
> >  [<c104484a>] ? kthread+0x0/0x69
> >  [<c100323e>] ?
> kernel_thread_helper+0x6/0x18
> > Code: 4c 24 14 8b 88 a8 00 00 00 89 4c 24 10 89 54 24
> 0c 8b
> > 40 50 89 44 24 08 8b 45 04 89 44 24 04 c7 04 24 30 74
> 7a c1
> > e8 b5 d2 11 00 <0f> 0b eb fe 55 89 e5 56 53 83
> ec 24 8b 88
> > a0 00 00 00 8b 58 54
> > EIP: [<c1444ea0>] skb_push+0x7d/0x81 SS:ESP
> 0068:cee01d78
> > ---[ end trace af1c99818e62b195 ]---
> > Kernel panic - not syncing: Fatal exception in
> interrupt
> > Pid: 6674, comm: irq/18-b43 Tainted: G 
>    D     2.6.36.1
> > Call Trace:
> >  [<c156217d>] ? printk+0x28/0x2a
> >  [<c156205c>] panic+0x57/0x150
> >  [<c1564adf>] oops_begin+0x0/0x40
> >  [<c1004e36>] die+0x49/0x5d
> >  [<c1564304>] do_trap+0x84/0xad
> >  [<c10037e5>] ? do_invalid_op+0x0/0x93
> >  [<c100386b>] do_invalid_op+0x86/0x93
> >  [<c1444ea0>] ? skb_push+0x7d/0x81
> >  [<c15640b9>] error_code+0x65/0x6c
> >  [<c1444ea0>] ? skb_push+0x7d/0x81
> >  [<c145f721>] ?
> skb_defer_rx_timestamp+0x12/0x5a
> >  [<c145f721>]
> skb_defer_rx_timestamp+0x12/0x5a
> >  [<c144d23c>] netif_receive_skb+0x1f/0x47
> >  [<c153a6e8>] ieee80211_rx+0x661/0x8e1
> >  [<f85daca2>] ? ssb_pci_read32+0x19/0x31
> [ssb]
> >  [<f92e54cf>] ? b43_tsf_read+0x2a/0x47
> [b43]
> >  [<f92f8d42>] b43_rx+0x24c/0x5eb [b43]
> >  [<c14455ad>] ? __alloc_skb+0x53/0xf8
> >  [<f92fdd57>] b43_dma_rx+0x18a/0x342 [b43]
> >  [<f92e8475>]
> b43_do_interrupt_thread+0x420/0x92e [b43]
> >  [<c1027731>] ? __dequeue_entity+0x31/0x35
> >  [<c1027a44>] ? set_next_entity+0xad/0xbb
> >  [<f92e899b>]
> b43_interrupt_thread_handler+0x18/0x2b [b43]
> >  [<c107c378>] irq_thread+0xb6/0x19e
> >  [<c15625a0>] ? schedule+0x254/0x566
> >  [<c107c2c2>] ? irq_thread+0x0/0x19e
> >  [<c10448b1>] kthread+0x67/0x69
> >  [<c104484a>] ? kthread+0x0/0x69
> >  [<c100323e>]
> kernel_thread_helper+0x6/0x18
> > 
> > 
> 
> Thanks for the report
> 
> Please try following patch.
> 
> diff --git a/net/core/timestamping.c
> b/net/core/timestamping.c
> index dac7ed6..a710ab0 100644
> --- a/net/core/timestamping.c
> +++ b/net/core/timestamping.c
> @@ -96,7 +96,10 @@ bool skb_defer_rx_timestamp(struct
> sk_buff *skb)
>      struct phy_device *phydev;
>      unsigned int type;
>  
> -    skb_push(skb, ETH_HLEN);
> +    if (skb->data - ETH_HLEN <
> skb->head)
> +        return false;
> +
> +    __skb_push(skb, ETH_HLEN);
>  
>      type = classify(skb);
>   

I can confirm that I get no kernel panics after
applying that patch.

~ Andy



      

Re: kernel panic with time-stamping in phy devices (monitor mode)

[Richard Cochran]

Date: Sat, 4 Dec 2010 08:55:04 +0100
From: Richard Cochran <richardcochran@gmail.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Andrew Watts <akwatts@ymail.com>, netdev@vger.kernel.org,
	David Miller <davem@davemloft.net>
Subject: Re: kernel panic with time-stamping in phy devices (monitor mode)
Message-ID: <20101204075503.GA3490@riccoc20.at.omicron.at>
References: <252997.92320.qm@web111013.mail.gq1.yahoo.com>
 <1291307884.2871.69.camel@edumazet-laptop>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1291307884.2871.69.camel@edumazet-laptop>
User-Agent: Mutt/1.5.20 (2009-06-14)

Ugh, new kernel code with no users is already causing trouble!

On Thu, Dec 02, 2010 at 05:38:04PM +0100, Eric Dumazet wrote:
> Thanks for the report
> 
> Please try following patch.

And thank you, Eric, for the quick patch.

Can this fix go into 2.6.37, please?

Thanks,
Richard

Re: kernel panic with time-stamping in phy devices (monitor mode)

[Eric Dumazet]

Le samedi 04 décembre 2010 à 08:57 +0100, Richard Cochran a écrit :
> Date: Sat, 4 Dec 2010 08:55:04 +0100
> From: Richard Cochran <richardcochran@gmail.com>
> To: Eric Dumazet <eric.dumazet@gmail.com>
> Cc: Andrew Watts <akwatts@ymail.com>, netdev@vger.kernel.org,
> 	David Miller <davem@davemloft.net>
> Subject: Re: kernel panic with time-stamping in phy devices (monitor mode)
> Message-ID: <20101204075503.GA3490@riccoc20.at.omicron.at>
> References: <252997.92320.qm@web111013.mail.gq1.yahoo.com>
>  <1291307884.2871.69.camel@edumazet-laptop>
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Disposition: inline
> In-Reply-To: <1291307884.2871.69.camel@edumazet-laptop>
> User-Agent: Mutt/1.5.20 (2009-06-14)
> 
> Ugh, new kernel code with no users is already causing trouble!
> 
> On Thu, Dec 02, 2010 at 05:38:04PM +0100, Eric Dumazet wrote:
> > Thanks for the report
> > 
> > Please try following patch.
> 
> And thank you, Eric, for the quick patch.
> 
> Can this fix go into 2.6.37, please?

Sure, I'll submit to David today, thanks !

Re: kernel panic with time-stamping in phy devices (monitor mode)

[Andrew Watts]

--- On Sat, 12/4/10, Eric Dumazet wrote:

> From: Eric Dumazet <eric.dumazet@gmail.com>
> Subject: Re: kernel panic with time-stamping in phy devices (monitor mode)
> To: "Richard Cochran" <richardcochran@gmail.com>
> Cc: "Andrew Watts" <akwatts@ymail.com>, netdev@vger.kernel.org, "David Miller" <davem@davemloft.net>
> Date: Saturday, December 4, 2010, 8:17 AM
> Le samedi 04 décembre 2010 à 08:57
> +0100, Richard Cochran a écrit :
> > Date: Sat, 4 Dec 2010 08:55:04 +0100
> > From: Richard Cochran <richardcochran@gmail.com>
> > To: Eric Dumazet <eric.dumazet@gmail.com>
> > Cc: Andrew Watts <akwatts@ymail.com>,
> netdev@vger.kernel.org,
> >     David Miller <davem@davemloft.net>
> > Subject: Re: kernel panic with time-stamping in phy
> devices (monitor mode)
> > Message-ID: <20101204075503.GA3490@riccoc20.at.omicron.at>
> > References: <252997.92320.qm@web111013.mail.gq1.yahoo.com>
> > 
> <1291307884.2871.69.camel@edumazet-laptop>
> > MIME-Version: 1.0
> > Content-Type: text/plain; charset=us-ascii
> > Content-Disposition: inline
> > In-Reply-To:
> <1291307884.2871.69.camel@edumazet-laptop>
> > User-Agent: Mutt/1.5.20 (2009-06-14)
> > 
> > Ugh, new kernel code with no users is already causing
> trouble!
> > 
> > On Thu, Dec 02, 2010 at 05:38:04PM +0100, Eric Dumazet
> wrote:
> > > Thanks for the report
> > > 
> > > Please try following patch.
> > 
> > And thank you, Eric, for the quick patch.
> > 
> > Can this fix go into 2.6.37, please?
> 
> Sure, I'll submit to David today, thanks !
> 

Eric, I echo the thanks on the lightning patch.
Impressive turnaround!

There's an open bug report on the kernel's bugzilla
for 2.6.36 (#24102). What is the best way to tie these
together?

~ Andy



      

Re: kernel panic with time-stamping in phy devices (monitor mode)

[Eric Dumazet]

Le samedi 04 décembre 2010 à 12:46 -0800, Andrew Watts a écrit :

> Eric, I echo the thanks on the lightning patch.
> Impressive turnaround!
> 
> There's an open bug report on the kernel's bugzilla
> for 2.6.36 (#24102). What is the best way to tie these
> together?

Thanks Andy, here is the official patch submission I am going to make.

[PATCH net-2.6] net: fix skb_defer_rx_timestamp()

After commit c1f19b51d1d8 (net: support time stamping in phy devices.),
kernel might crash if CONFIG_NETWORK_PHY_TIMESTAMPING=y and
skb_defer_rx_timestamp() handles a packet without an ethernet header.

Fixes kernel bugzilla #24102

Reference: https://bugzilla.kernel.org/show_bug.cgi?id=24102
Reported-and-tested-by: Andrew Watts <akwatts@ymail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Richard Cochran <richardcochran@gmail.com>
Cc: stable@kernel.org
---
 net/core/timestamping.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/core/timestamping.c b/net/core/timestamping.c
index 0ae6c22..c4fbf85 100644
--- a/net/core/timestamping.c
+++ b/net/core/timestamping.c
@@ -96,11 +96,13 @@ bool skb_defer_rx_timestamp(struct sk_buff *skb)
 	struct phy_device *phydev;
 	unsigned int type;
 
-	skb_push(skb, ETH_HLEN);
+	if (skb->data - ETH_HLEN < skb->head)
+		return false;
+	__skb_push(skb, ETH_HLEN);
 
 	type = classify(skb);
 
-	skb_pull(skb, ETH_HLEN);
+	__skb_pull(skb, ETH_HLEN);
 
 	switch (type) {
 	case PTP_CLASS_V1_IPV4:

Re: kernel panic with time-stamping in phy devices (monitor mode)

[Changli Gao]

On Sun, Dec 5, 2010 at 8:24 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> Le samedi 04 décembre 2010 à 12:46 -0800, Andrew Watts a écrit :
>
>> Eric, I echo the thanks on the lightning patch.
>> Impressive turnaround!
>>
>> There's an open bug report on the kernel's bugzilla
>> for 2.6.36 (#24102). What is the best way to tie these
>> together?
>
> Thanks Andy, here is the official patch submission I am going to make.
>
> [PATCH net-2.6] net: fix skb_defer_rx_timestamp()
>
> After commit c1f19b51d1d8 (net: support time stamping in phy devices.),
> kernel might crash if CONFIG_NETWORK_PHY_TIMESTAMPING=y and
> skb_defer_rx_timestamp() handles a packet without an ethernet header.
>
> Fixes kernel bugzilla #24102
>
> Reference: https://bugzilla.kernel.org/show_bug.cgi?id=24102
> Reported-and-tested-by: Andrew Watts <akwatts@ymail.com>
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
> Cc: Richard Cochran <richardcochran@gmail.com>
> Cc: stable@kernel.org
> ---
>  net/core/timestamping.c |    6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/net/core/timestamping.c b/net/core/timestamping.c
> index 0ae6c22..c4fbf85 100644
> --- a/net/core/timestamping.c
> +++ b/net/core/timestamping.c
> @@ -96,11 +96,13 @@ bool skb_defer_rx_timestamp(struct sk_buff *skb)
>        struct phy_device *phydev;
>        unsigned int type;
>
> -       skb_push(skb, ETH_HLEN);
> +       if (skb->data - ETH_HLEN < skb->head)
> +               return false;

How about using skb_headroom(skb) < ETH_HLEN ?

And I checked the code of skb_push(). If the headroom of a skb is less
than the requested, Linux will panic with a message titled
"skb_under_panic()". But I can't find this info in the Oops. Maybe the
Oops isn't complete.


-- 
Regards,
Changli Gao(xiaosuo@gmail.com)

Re: kernel panic with time-stamping in phy devices (monitor mode)

[Eric Dumazet]

Le lundi 06 décembre 2010 à 08:01 +0800, Changli Gao a écrit :

> How about using skb_headroom(skb) < ETH_HLEN ?
> 

Yes, good idea, thanks !

[PATCH net-2.6] net: fix skb_defer_rx_timestamp()

After commit c1f19b51d1d8 (net: support time stamping in phy devices.),
kernel might crash if CONFIG_NETWORK_PHY_TIMESTAMPING=y and
skb_defer_rx_timestamp() handles a packet without an ethernet header.

Fixes kernel bugzilla #24102

Reference: https://bugzilla.kernel.org/show_bug.cgi?id=24102
Reported-and-tested-by: Andrew Watts <akwatts@ymail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Richard Cochran <richardcochran@gmail.com>
Cc: Changli Gao <xiaosuo@gmail.com>
Cc: stable@kernel.org
---
 net/core/timestamping.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/core/timestamping.c b/net/core/timestamping.c
index 0ae6c22..c19bb4e 100644
--- a/net/core/timestamping.c
+++ b/net/core/timestamping.c
@@ -96,11 +96,13 @@ bool skb_defer_rx_timestamp(struct sk_buff *skb)
 	struct phy_device *phydev;
 	unsigned int type;
 
-	skb_push(skb, ETH_HLEN);
+	if (skb_headroom(skb) < ETH_HLEN)
+		return false;
+	__skb_push(skb, ETH_HLEN);
 
 	type = classify(skb);
 
-	skb_pull(skb, ETH_HLEN);
+	__skb_pull(skb, ETH_HLEN);
 
 	switch (type) {
 	case PTP_CLASS_V1_IPV4:


_______________________________________________
stable mailing list
stable@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/stable

Re: kernel panic with time-stamping in phy devices (monitor mode)

[David Miller]

From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Mon, 06 Dec 2010 05:50:32 +0100

> Le lundi 06 décembre 2010 à 08:01 +0800, Changli Gao a écrit :
> 
>> How about using skb_headroom(skb) < ETH_HLEN ?
>> 
> 
> Yes, good idea, thanks !
> 
> [PATCH net-2.6] net: fix skb_defer_rx_timestamp()
> 
> After commit c1f19b51d1d8 (net: support time stamping in phy devices.),
> kernel might crash if CONFIG_NETWORK_PHY_TIMESTAMPING=y and
> skb_defer_rx_timestamp() handles a packet without an ethernet header.
> 
> Fixes kernel bugzilla #24102
> 
> Reference: https://bugzilla.kernel.org/show_bug.cgi?id=24102
> Reported-and-tested-by: Andrew Watts <akwatts@ymail.com>
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>

Applied and queued up for -stable, thanks!