On Wed, Jan 29, 2014 at 09:12:57AM +0100, Arnaud Ebalard wrote:

Hi Herbert,

I wonder if you could share some knowledge on the behaviour of
skb_segment() as it is implemented in 3.13.0: when passed a GSO
packet to be segmented, can the skb result have skb->next == NULL?

One would expect the number of segments of the result to usually match
tcp_skb_pcount() of passed packet and hence having skb->next != NULL: 
AFAICT, this what usually happens when skb_segment() is called in
tcp_gso_segment() but I noticed some cases where the number of segments
(length of chained sk_buff) is lower than the expected value and also
have two backtraces resulting from a skb delivered with a NULL skb->next. 

Hi Arnaud:

This is definitely not expected.  You said that the crash is not
easily reproducible.  Are you able to easily reproduce the problem
where the number of segments produced is less than what is expected?

Can you print out the size of the segments produced in that case?

Thanks!
-- 
Email: Herbert Xu [off-list ref]
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt