Re: [BUG] net: stmmac: Panic observed in stmmac_napi_poll_rx()
From: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Date: 2021-05-14 21:49:31
Also in:
netdev
On Fri, May 14, 2021 at 03:24:58PM +0100, Jon Hunter wrote:
> Hello!
>
> I have been looking into some random crashes that appear to stem from
> the stmmac_napi_poll_rx() function. There are two different panics I
> have observed which are ...
[...]
> The bug being triggered in skbuff.h is the following ...
>
> void *skb_pull(struct sk_buff *skb, unsigned int len);
> static inline void *__skb_pull(struct sk_buff *skb, unsigned int len)
> {
>         skb->len -= len;
>         BUG_ON(skb->len < skb->data_len);
>         return skb->data += len;
> }
>
> Looking into the above panic triggered in skbuff.h, when this occurs
> I have noticed that the value of skb->data_len is unusually large ...
>
> __skb_pull: len 1500 (14), data_len 4294967274
[...]

The big value looks suspiciously similar to (unsigned)-EINVAL.

> I then added some traces to stmmac_napi_poll_rx() and
> stmmac_rx_buf2_len() to trace the values of various variables and
> when the problem occurs I see ...
>
> stmmac_napi_poll_rx: stmmac_rx: count 0, len 1518, buf1 66, buf2 1452
> stmmac_napi_poll_rx: stmmac_rx_buf2_len: len 66, plen 1518
> stmmac_napi_poll_rx: stmmac_rx: count 1, len 1518, buf1 66, buf2 1452
> stmmac_napi_poll_rx: stmmac_rx_buf2_len: len 66, plen 1536
> stmmac_napi_poll_rx: stmmac_rx: count 2, len 1602, buf1 66, buf2 1536
> stmmac_napi_poll_rx: stmmac_rx_buf2_len: len 1602, plen 1518
> stmmac_napi_poll_rx: stmmac_rx: count 2, len 1518, buf1 0, buf2 4294967212
> stmmac_napi_poll_rx: stmmac_rx: dma_buf_sz 1536, buf1 0, buf2 4294967212

And this one to (unsigned)-EILSEQ.

> Note I added the above BUG_ON to trap unusually large buffers. Let me
> know if you have any thoughts.

Does the above ring any bell?

Best Regards
Michał Mirosław
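
Added example, not part of the original message or of the stmmac driver: a userspace C program that checks the two readings made in the reply above (4294967274 as (unsigned)-EINVAL, 4294967212 as (unsigned)-EILSEQ) and shows the unchecked signed-to-unsigned pattern that produces such values next to a checked form. The names get_len_or_err(), len_unchecked() and len_checked() are hypothetical, 22 and 84 are the Linux errno numbers, and the message does not establish how the value reaches the driver.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095u  /* same bound the kernel's IS_ERR_VALUE() uses */

/* If a 32-bit "length" is a negative errno stored in an unsigned
 * variable, return the positive errno number; otherwise return 0. */
static int errno_from_u32(uint32_t v)
{
    uint32_t neg = 0u - v;  /* unsigned negate: well defined, wraps mod 2^32 */
    return (neg >= 1 && neg <= MAX_ERRNO) ? (int)neg : 0;
}

/* Hypothetical helper: returns a length, or -err when asked to fail. */
static int get_len_or_err(int err)
{
    return err ? -err : 1452;
}

/* Unchecked: the signed result is stored straight into an unsigned length. */
static unsigned int len_unchecked(int err)
{
    unsigned int len = get_len_or_err(err);
    return len;
}

/* Checked: reject errors and anything larger than the buffer first. */
static int len_checked(int err, unsigned int buf_sz, unsigned int *out)
{
    int ret = get_len_or_err(err);
    if (ret < 0)
        return ret;
    if ((unsigned int)ret > buf_sz)
        return -1;
    *out = (unsigned int)ret;
    return 0;
}

int main(void)
{
    /* Values quoted in the message, plus one ordinary length. */
    const uint32_t seen[] = { 4294967274u, 4294967212u, 1452u };
    unsigned int len = 0;
    for (size_t i = 0; i < sizeof(seen) / sizeof(seen[0]); i++)
        printf("%u -> errno %d\n", (unsigned)seen[i], errno_from_u32(seen[i]));
    printf("unchecked(22) = %u\n", len_unchecked(22));
    printf("checked(22) = %d\n", len_checked(22, 1536, &len));
    return 0;
}
```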