From: Dave Jones <davej@redhat.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: David Miller <davem@davemloft.net>, netdev@vger.kernel.org
Subject: Re: __pskb_pull_tail oops from 2.6.35
Date: Mon, 3 Oct 2011 12:13:46 -0400 [thread overview]
Message-ID: <20111003161346.GA30201@redhat.com> (raw)
In-Reply-To: <1317155839.2472.5.camel@edumazet-laptop>
On Tue, Sep 27, 2011 at 10:37:19PM +0200, Eric Dumazet wrote:
> > > > It looks like it died in put_page..
> > > >
> > > > <1>[ 262.574991] IP: [<ffffffff810dca57>] put_page+0x10/0x7c
> > > >
> > > > which is only called in one place..
> > > >
> > > > 1267 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
> > > > 1268 if (skb_shinfo(skb)->frags[i].size <= eat) {
> > > > 1269 put_page(skb_shinfo(skb)->frags[i].page);
> > > > 1270 eat -= skb_shinfo(skb)->frags[i].size;
> > > > 1271 } else {
> > >
> > > That's a pretty serious corruption, all frag array entries from 0 to
> > > nr_frags should have valid, non-NULL page pointers.
> > >
> > > Maybe a LRO/GRO bug? There were a couple of those.
> >
> > I'll see if I can talk him into trying a self-built kernel, as we're not
> > rebasing f14 at this point in its life-cycle. If it turns out to still affect
> > 3.x, I'll bring it up again.
>
> This could be a struct skb_shared_info -> nr_frags corruption
>
> (Something was overflowing skb head and overflowing very beginning of
> skb_shared_info in rare circumstances)
>
> We had such bug in the past, I cant remember details right now.
Just to close this discussion, the user reported that he built a 3.1.0rc7 kernel,
and couldn't reproduce this bug any more, so it was something that got fixed
that didn't make it to the longterm stable releases.
Dave
next prev parent reply other threads:[~2011-10-03 16:13 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-09-27 20:03 __pskb_pull_tail oops from 2.6.35 Dave Jones
2011-09-27 20:08 ` David Miller
2011-09-27 20:15 ` Dave Jones
2011-09-27 20:18 ` David Miller
2011-09-27 20:24 ` Dave Jones
2011-09-27 20:37 ` Eric Dumazet
2011-09-28 7:30 ` Julian Anastasov
2011-10-03 16:13 ` Dave Jones [this message]
2011-10-03 16:20 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111003161346.GA30201@redhat.com \
--to=davej@redhat.com \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).