2010/12/29 Johannes Berg <johannes@xxxxxxxxxxxxxxxx>:
> On Thu, 2010-12-16 at 14:11 +0200, Tomas Winkler wrote:
>> Will be happy if someone can give me some more insight. (kernel 2.6.37-rc5)
>
> Tomas looked into it a bit more and told me that it happens on IPv6
> packets. To recap, he gets
>
> kernel BUG at include/linux/skbuff.h:1178!
> with
> EIP: [<f83edd65>] br_multicast_rcv+0xc95/0xe1c [bridge]
>
> Also remember that the packets are almost fully nonlinear, when they get
> here they likely have almost no data in the skb header.
>
> I then looked at br_multicast_ipv6_rcv(), and it looks fishy:
>
> Up to:
>         skb2 = skb_clone(skb, GFP_ATOMIC);
>
> everything's fine, since ipv6_skip_exthdr() will use
> skb_header_pointer(). At this point, offset is the result of
> ipv6_skip_exthdr(). Remember that skb_clone() is not skb_copy().

So far I can confirm that switching to skb_copy fixes the crash.
Thanks
Tomas
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
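Added illustration, not kernel code and not from anyone in the thread: a small user-space model of the two points Johannes makes above, namely that skb_header_pointer() copes with bytes that sit in a page fragment while touching the linear area directly does not (the kernel BUG()s; the model returns -1), and that skb_clone() shares the data area with the original while skb_copy() gives a private, linearised copy. The struct skb, the function bodies and the sample frame (a 14-byte Ethernet header in the linear area, the IPv6 header and payload in the fragment) are simplified stand-ins constructed for this example; the real sk_buff, skb_clone(), skb_copy() and skb_header_pointer() are considerably more involved.

```c
#include <stdlib.h>
#include <string.h>

/* Toy model of a non-linear sk_buff: linear header area plus one fragment. */
struct frag { unsigned char *data; size_t len; };
struct skb {
    unsigned char *head;   /* linear bytes, what skb->data points into */
    size_t headlen;        /* skb_headlen(): bytes in the linear area */
    struct frag frag;      /* paged bytes (skb_shinfo(skb)->frags[0]) */
};

static size_t skb_len(const struct skb *s) { return s->headlen + s->frag.len; }

/* Model of skb_header_pointer(): returns len bytes at off, copying them into
 * buf when they are not contiguous in the linear area; NULL if out of range. */
static void *skb_header_pointer(const struct skb *s, size_t off, size_t len,
                                unsigned char *buf)
{
    if (off + len > skb_len(s))
        return NULL;
    if (off + len <= s->headlen)
        return s->head + off;               /* fast path: already linear */
    for (size_t i = 0; i < len; i++) {
        size_t pos = off + i;
        buf[i] = pos < s->headlen ? s->head[pos]
                                  : s->frag.data[pos - s->headlen];
    }
    return buf;
}

/* Model of a direct skb->data + off access: the kernel BUG()s when the bytes
 * are not in the linear area; reported here as -1 instead. */
static int linear_read(const struct skb *s, size_t off, size_t len,
                       unsigned char *buf)
{
    if (off + len > s->headlen)
        return -1;
    memcpy(buf, s->head + off, len);
    return 0;
}

/* Model of skb_clone(): new skb header, same data area and same fragment. */
static struct skb *skb_clone(const struct skb *s)
{
    struct skb *c = malloc(sizeof *c);
    *c = *s;
    return c;
}

/* Model of skb_copy(): new header plus a private, fully linear data copy. */
static struct skb *skb_copy(const struct skb *s)
{
    struct skb *c = calloc(1, sizeof *c);
    c->head = malloc(skb_len(s));
    memcpy(c->head, s->head, s->headlen);
    memcpy(c->head + s->headlen, s->frag.data, s->frag.len);
    c->headlen = skb_len(s);                /* frag is empty: all linear */
    return c;
}

static void skb_free(struct skb *s, int owns_data)
{
    if (owns_data) { free(s->head); free(s->frag.data); }
    free(s);
}

/* Constructed sample frame (not a capture): Ethernet header linear, IPv6
 * header (Next Header = 58, ICMPv6) and 8 payload bytes in the fragment. */
static const unsigned char eth_hdr[14] = {
    0x33,0x33,0,0,0,0x16, 0,0x11,0x22,0x33,0x44,0x55, 0x86,0xdd };
static const unsigned char ip6_part[48] = {
    0x60,0,0,0, 0,8, 58, 1,                           /* plen=8 nh=58 hlim=1 */
    0xfe,0x80,0,0,0,0,0,0, 0,0,0,0,0,0,0,1,            /* src fe80::1 */
    0xff,0x02,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x16,         /* dst ff02::16 */
    0x8f,0,0,0, 0,0,0,0 };                             /* MLDv2 report stub */
#define IP6_NEXTHDR_OFF (14 + 6)                      /* offset of nh byte */

static struct skb *make_nonlinear_skb(void)
{
    struct skb *s = calloc(1, sizeof *s);
    s->head = malloc(sizeof eth_hdr);     memcpy(s->head, eth_hdr, sizeof eth_hdr);
    s->headlen = sizeof eth_hdr;
    s->frag.data = malloc(sizeof ip6_part); memcpy(s->frag.data, ip6_part, sizeof ip6_part);
    s->frag.len = sizeof ip6_part;
    return s;
}

/* Next Header byte read the way ipv6_skip_exthdr() reads it: 58 even though
 * the byte lives in the fragment. */
static int nexthdr_via_header_pointer(const struct skb *s)
{
    unsigned char b[1], *p = skb_header_pointer(s, IP6_NEXTHDR_OFF, 1, b);
    return p ? p[0] : -1;
}
static int sample_nexthdr_via_header_pointer(void)
{
    struct skb *s = make_nonlinear_skb();
    int r = nexthdr_via_header_pointer(s); skb_free(s, 1); return r;
}

/* Same byte through the linear area: -1 (the BUG() path in the kernel). */
static int sample_nexthdr_via_linear(void)
{
    struct skb *s = make_nonlinear_skb(); unsigned char b[1];
    int r = linear_read(s, IP6_NEXTHDR_OFF, 1, b) == 0 ? b[0] : -1;
    skb_free(s, 1); return r;
}

/* Writing through a clone changes what the original sees (shared data). */
static int write_through_clone_hits_original(void)
{
    struct skb *s = make_nonlinear_skb(), *c = skb_clone(s);
    c->frag.data[6] = 59;                   /* nh = No Next Header */
    int hit = nexthdr_via_header_pointer(s) == 59;
    skb_free(c, 0); skb_free(s, 1); return hit;
}

/* Writing through a copy leaves the original untouched (private data). */
static int write_through_copy_hits_original(void)
{
    struct skb *s = make_nonlinear_skb(), *c = skb_copy(s);
    c->head[IP6_NEXTHDR_OFF] = 59;
    int hit = nexthdr_via_header_pointer(s) == 59;
    skb_free(c, 1); skb_free(s, 1); return hit;
}
```

The sample functions show the two halves of the diagnosis separately: the header-pointer read succeeds on the fragmented frame where a linear read cannot, and a write made after skb_clone() is visible through the original skb, which is exactly the situation skb_copy() avoids by giving the bridge its own linear buffer.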