[patch] forcedeth: work around NULL skb dereference crash

From: Ingo Molnar
Date: Mon Mar 26 2007 - 04:59:33 EST

Next message: Andrew Morton: "Re: [patch 1/3] fix illogical behavior in balance_dirty_pages()"
Previous message: Thomas Gleixner: "Re: Linux 2.6.21-rc5"
In reply to: Ingo Molnar: "Re: Linux 2.6.21-rc5"
Next in thread: Ayaz Abdulla: "Re: Linux 2.6.21-rc5"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Ingo Molnar <mingo@xxxxxxx> wrote:

> > my first quick guess was to extend np->priv locking to the whole of
> > nv_start_xmit/nv_start_xmit_optimized - while that appeared to make
> > the crash a bit less likely, it did not prevent it. So there must be
> > some other, more fundamental problem be left as well. At first
> > glance the SMP locking looks OK, so maybe the ring indices are
> > messed up somehow and we got into a 'ring head bites the tail'
> > scenario?
>
> to be specific, the patch below is what i tried - but it didnt
> completely fix the crash.

the patch below works the crash around. It does not seem to be a 'tx
ring head bits the tail' scenario:

get_tx: 55, put_tx: 57
get_tx: 80, put_tx: 86
get_tx: 88, put_tx: 97
get_tx: 97, put_tx: 109
get_tx: 97, put_tx: 109
get_tx: 111, put_tx: 117
get_tx: 117, put_tx: 125
get_tx: 127, put_tx: 137
get_tx: 137, put_tx: 147
get_tx: 147, put_tx: 149

Ingo

------------>
From: Ingo Molnar <mingo@xxxxxxx>
Subject: [patch] forcedeth: work around NULL skb dereference crash

work around a NULL skb dereference crash that occurs during high load.

Signed-off-by: Ingo Molnar <mingo@xxxxxxx>
---
drivers/net/forcedeth.c | 10 ++++++++++
1 file changed, 10 insertions(+)

Index: linux/drivers/net/forcedeth.c
===================================================================
--- linux.orig/drivers/net/forcedeth.c
+++ linux/drivers/net/forcedeth.c
@@ -1902,6 +1902,11 @@ static void nv_tx_done(struct net_device
np->stats.tx_carrier_errors++;
np->stats.tx_errors++;
} else {
+ if (!np->get_tx_ctx->skb) {
+ printk("get_tx: %ld, put_tx: %ld\n", np->get_tx_ctx - np->first_tx_ctx, np->put_tx_ctx - np->first_tx_ctx);
+ WARN_ON(1);
+ break;
+ }
np->stats.tx_packets++;
np->stats.tx_bytes += np->get_tx_ctx->skb->len;
}
@@ -1917,6 +1922,11 @@ static void nv_tx_done(struct net_device
np->stats.tx_carrier_errors++;
np->stats.tx_errors++;
} else {
+ if (!np->get_tx_ctx->skb) {
+ printk("get_tx: %ld, put_tx: %ld\n", np->get_tx_ctx - np->first_tx_ctx, np->put_tx_ctx - np->first_tx_ctx);
+ WARN_ON(1);
+ break;
+ }
np->stats.tx_packets++;
np->stats.tx_bytes += np->get_tx_ctx->skb->len;
}
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andrew Morton: "Re: [patch 1/3] fix illogical behavior in balance_dirty_pages()"
Previous message: Thomas Gleixner: "Re: Linux 2.6.21-rc5"
In reply to: Ingo Molnar: "Re: Linux 2.6.21-rc5"
Next in thread: Ayaz Abdulla: "Re: Linux 2.6.21-rc5"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]