On 14/05/2021 22:49, Michał Mirosław wrote:
> On Fri, May 14, 2021 at 03:24:58PM +0100, Jon Hunter wrote:
>> Hello!
>>
>> I have been looking into some random crashes that appear to stem from
>> the stmmac_napi_poll_rx() function. There are two different panics I
>> have observed which are ...
> [...]
>> The bug being triggered in skbuff.h is the following ...
>>
>> void *skb_pull(struct sk_buff *skb, unsigned int len);
>> static inline void *__skb_pull(struct sk_buff *skb, unsigned int len)
>> {
>> skb->len -= len;
>> BUG_ON(skb->len < skb->data_len);
>> return skb->data += len;
>> }
>>
>> Looking into the above panic triggered in skbuff.h, when this occurs
>> I have noticed that the value of skb->data_len is unusually large ...
>>
>> __skb_pull: len 1500 (14), data_len 4294967274
> [...]
>
> The big value looks suspiciously similar to (unsigned)-EINVAL.
Yes it does and at first, I thought it was being set to -EINVAL.
However, from tracing the length variables I can see that this is not
the case.
>> I then added some traces to stmmac_napi_poll_rx() and
>> stmmac_rx_buf2_len() to trace the values of various various variables
>> and when the problem occurs I see ...
>>
>> stmmac_napi_poll_rx: stmmac_rx: count 0, len 1518, buf1 66, buf2 1452
>> stmmac_napi_poll_rx: stmmac_rx_buf2_len: len 66, plen 1518
>> stmmac_napi_poll_rx: stmmac_rx: count 1, len 1518, buf1 66, buf2 1452
>> stmmac_napi_poll_rx: stmmac_rx_buf2_len: len 66, plen 1536
>> stmmac_napi_poll_rx: stmmac_rx: count 2, len 1602, buf1 66, buf2 1536
>> stmmac_napi_poll_rx: stmmac_rx_buf2_len: len 1602, plen 1518
>> stmmac_napi_poll_rx: stmmac_rx: count 2, len 1518, buf1 0, buf2 4294967212
>> stmmac_napi_poll_rx: stmmac_rx: dma_buf_sz 1536, buf1 0, buf2 4294967212
>
> And this one to (unsigned)-EILSEQ.
Yes but this simply comes from 1518-1602 = -84. So it is purely
coincidence.
Jon
--
nvpublic
