>>> On 05.07.13 at 16:53, Wei Liu <wei.liu2@xxxxxxxxxx> wrote: > On Fri, Jul 05, 2013 at 10:32:41AM +0100, Jan Beulich wrote: >> --- a/drivers/net/xen-netfront.c >> +++ b/drivers/net/xen-netfront.c >> @@ -831,6 +831,15 @@ static RING_IDX xennet_fill_frags(struct >> RING_GET_RESPONSE(&np->rx, ++cons); >> skb_frag_t *nfrag = &skb_shinfo(nskb)->frags[0]; >> >> + if (nr_frags == MAX_SKB_FRAGS) { >> + unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to; >> + >> + BUG_ON(pull_to <= skb_headlen(skb)); >> + __pskb_pull_tail(skb, pull_to - skb_headlen(skb)); > > skb_headlen is in fact "skb->len - skb->data_len". Looking at the > caller code: > > while loop { > skb_shinfo(skb)->frags[0].page_offset = rx->offset; > skb_frag_size_set(&skb_shinfo(skb)->frags[0], rx->status); > skb->data_len = rx->status; > > i = xennet_fill_frags(np, skb, &tmpq); > > /* > > * Truesize is the actual allocation size, even if the > > * allocation is only partially used. > > */ > skb->truesize += PAGE_SIZE * skb_shinfo(skb)->nr_frags; > skb->len += skb->data_len; > } > > handle_incoming_packet(); > > You seem to be altering the behavior of the original code, because in > your patch the skb->len is incremented before use, while in the original > code (which calls skb_headlen in handle_incoming_packet) the skb->len is > correctly set. Right. So I basically need to keep skb->len up-to-date along with ->data_len. Just handed a patch to Dion with that done; I'll defer sending a v2 for the upstream code until I know the change works for our kernel. Jan -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html