Max Krasnyansky wrote:
> Hi Stephen,
> 
>> Looks like a something wrong with tun driver on 2.6.11
> 
> Thanks for forwarding this. I'll take a look at it.
> As far as I remember nothing really changed in the TUN write logic.
> Must be some other changes broke it.

This check is wrong, gcc optimizes it away:

                if ((len -= sizeof(pi)) > len)
			return -EINVAL;

This could be responsible for the BUG. If len is 2 or 3 and TUN_NO_PI
isn't set it underflows. alloc_skb() allocates len + 2, which is 0 or
1 byte. skb_reserve tries to reserve 2 bytes and things explode in
skb_put.

Regards
Patrick