On Fri, May 14, 2021 at 03:24:58PM +0100, Jon Hunter wrote:
> Hello!
>
> I have been looking into some random crashes that appear to stem from
> the stmmac_napi_poll_rx() function. There are two different panics I
> have observed which are ...
[...]
> The bug being triggered in skbuff.h is the following ...
>
> void *skb_pull(struct sk_buff *skb, unsigned int len);
> static inline void *__skb_pull(struct sk_buff *skb, unsigned int len)
> {
>         skb->len -= len;
>         BUG_ON(skb->len < skb->data_len);
>         return skb->data += len;
> }
>
> Looking into the above panic triggered in skbuff.h, when this occurs
> I have noticed that the value of skb->data_len is unusually large ...
>
> __skb_pull: len 1500 (14), data_len 4294967274
[...]

The big value looks suspiciously similar to (unsigned)-EINVAL.

> I then added some traces to stmmac_napi_poll_rx() and
> stmmac_rx_buf2_len() to trace the values of various variables
> and when the problem occurs I see ...
>
> stmmac_napi_poll_rx: stmmac_rx: count 0, len 1518, buf1 66, buf2 1452
> stmmac_napi_poll_rx: stmmac_rx_buf2_len: len 66, plen 1518
> stmmac_napi_poll_rx: stmmac_rx: count 1, len 1518, buf1 66, buf2 1452
> stmmac_napi_poll_rx: stmmac_rx_buf2_len: len 66, plen 1536
> stmmac_napi_poll_rx: stmmac_rx: count 2, len 1602, buf1 66, buf2 1536
> stmmac_napi_poll_rx: stmmac_rx_buf2_len: len 1602, plen 1518
> stmmac_napi_poll_rx: stmmac_rx: count 2, len 1518, buf1 0, buf2 4294967212
> stmmac_napi_poll_rx: stmmac_rx: dma_buf_sz 1536, buf1 0, buf2 4294967212

And this one to (unsigned)-EILSEQ.

> Note I added the above BUG_ON to trap unusually large buffers. Let
> me know if you have any thoughts.

Does the above ring any bell?

Best Regards
Michał Mirosław
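
Added example, not part of the original mail or of the stmmac driver: a small C program that tests whether a 32-bit length such as the ones in the traces above is a negative value in the errno range seen as unsigned, and that performs a length subtraction with a bounds check. That buf2 is derived as plen minus len is an assumption read off the first trace line (1518 - 66 = 1452); the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095u /* bound used by the kernel's IS_ERR_VALUE() */

/* If v is a negative errno reinterpreted as u32, return the positive
 * errno number (22 for -EINVAL); otherwise return 0. */
static unsigned int wrapped_errno(uint32_t v)
{
    uint32_t neg = (uint32_t)0 - v; /* two's-complement negation */
    return (neg >= 1 && neg <= MAX_ERRNO) ? neg : 0;
}

/* Plain unsigned subtraction: wraps modulo 2^32 when len > plen. */
static uint32_t unchecked_remaining(uint32_t plen, uint32_t len)
{
    return plen - len;
}

/* Hypothetical guarded variant: 0 on success, -1 if the subtraction
 * would wrap or the result cannot fit in one DMA buffer. */
static int checked_remaining(uint32_t plen, uint32_t len,
                             uint32_t dma_buf_sz, uint32_t *out)
{
    if (len > plen || plen - len > dma_buf_sz)
        return -1;
    *out = plen - len;
    return 0;
}

int main(void)
{
    /* Values copied from the traces quoted in the mail. */
    const uint32_t seen[] = { 4294967274u, 4294967212u, 1452u };
    uint32_t out = 0;

    for (size_t i = 0; i < sizeof(seen) / sizeof(seen[0]); i++)
        printf("%u -> errno-like %u\n", (unsigned)seen[i], wrapped_errno(seen[i]));
    printf("1518 - 66   = %u\n", (unsigned)unchecked_remaining(1518, 66));
    printf("1518 - 1602 = %u\n", (unsigned)unchecked_remaining(1518, 1602));
    printf("checked(1518, 1602) -> %d\n", checked_remaining(1518, 1602, 1536, &out));
    return 0;
}
```

A value that decodes to a small errno number is only a hint: any unsigned subtraction that goes slightly negative lands in the same range.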