From patchwork Wed May 26 20:19:07 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Arce, Abraham" <x0066660@ti.com>
X-Patchwork-Id: 53658
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id B0A32B7D17
	for <patchwork-incoming@ozlabs.org>;
	Thu, 27 May 2010 06:19:42 +1000 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1757134Ab0EZUTP (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Wed, 26 May 2010 16:19:15 -0400
Received: from comal.ext.ti.com ([198.47.26.152]:33180 "EHLO
	comal.ext.ti.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1756300Ab0EZUTO convert rfc822-to-8bit (ORCPT
	<rfc822;netdev@vger.kernel.org>); Wed, 26 May 2010 16:19:14 -0400
Received: from dlep33.itg.ti.com ([157.170.170.112])
	by comal.ext.ti.com (8.13.7/8.13.7) with ESMTP id o4QKJ84N001311
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Wed, 26 May 2010 15:19:08 -0500
Received: from dlep26.itg.ti.com (localhost [127.0.0.1])
	by dlep33.itg.ti.com (8.13.7/8.13.7) with ESMTP id o4QKJ7qa020609;
	Wed, 26 May 2010 15:19:08 -0500 (CDT)
Received: from dlee75.ent.ti.com (localhost [127.0.0.1])
	by dlep26.itg.ti.com (8.13.8/8.13.8) with ESMTP id o4QKJ7fU023150;
	Wed, 26 May 2010 15:19:07 -0500 (CDT)
Received: from dlee03.ent.ti.com ([157.170.170.18]) by dlee75.ent.ti.com
	([157.170.170.72]) with mapi; Wed, 26 May 2010 15:19:07 -0500
From: "Arce, Abraham" <x0066660@ti.com>
To: Eric Dumazet <eric.dumazet@gmail.com>, David Miller <davem@davemloft.net>
CC: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
	"linux-omap@vger.kernel.org" <linux-omap@vger.kernel.org>,
	"tony@atomide.com" <tony@atomide.com>,
	"Shilimkar, Santosh" <santosh.shilimkar@ti.com>,
	"Ha, Tristram" <Tristram.Ha@micrel.com>
Date: Wed, 26 May 2010 15:19:07 -0500
Subject: RE: NULL Pointer Deference: NFS & Telnet
Thread-Topic: NULL Pointer Deference: NFS & Telnet
Thread-Index: Acr8lF/cPinIP0UTTv+z/WKkPBr2OQAeDyCQ
Message-ID: <27F9C60D11D683428E133F85D2BB4A53043E3EE6A3@dlee03.ent.ti.com>
References: <27F9C60D11D683428E133F85D2BB4A53043E33A997@dlee03.ent.ti.com>
	<27F9C60D11D683428E133F85D2BB4A53043E3EDFE6@dlee03.ent.ti.com>
	<20100525.185236.193707791.davem@davemloft.net>
	<27F9C60D11D683428E133F85D2BB4A53043E3EDFF1@dlee03.ent.ti.com>
	<1274851741.25136.16.camel@edumazet-laptop>
In-Reply-To: <1274851741.25136.16.camel@edumazet-laptop>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
MIME-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Thanks Eric, David,

[..]

> > > > -		if (skb_shinfo(skb)->nr_frags) {
> > > > +		if (skb_shinfo(skb)->nr_frags && skb_has_frags(skb)) {
> > > >  			int i;
> > > >  			for (i = 0; i < skb_shinfo(skb)->nr_frags; i++)
> > > >  				put_page(skb_shinfo(skb)->frags[i].page);
> > >
> > > skb_shinfo(skb)->nr_frags counts the number of entries contained
> > > in the skb_shinfo(skb)->frags[] array.
> > >
> > > This has nothing to do with the frag list pointer,
> > > skb_shinfo(skb)->frag_list, which is what skb_has_frags()
> > > tests.
> > >
> > > You've got some kind of memory corruption going on and it
> > > appears to have nothing to do with the code paths you're
> > > playing with here.
> >
> > Do you have any recommendation on debugging technique/tool for this memory
> corruption issue?

[..]

> It seems quite strange. You have a skb->nr_frags > 0 value, but a
> frags[i].page = 0 value
> 
> You might add following function :
> 
> shinfo_check(struct sk_buff *skb)
> {
> 	struct skb_shared_info *shinfo = skb_shinfo(skb);
> 	int i;
> 
> 	WARN_ON(shinfo->nr_frags >= MAX_SKB_FRAGS);
> 	for (i = 0; i < shinfo->nr_frags; i++)
> 		WARN_ON(!shinfo->frags[i].page);
> }
> 
> And call it from various points, to check who corrupts your skb.

By increasing the allocation length of our rx skbuff the corruption issue is fixed... I have increased it by 2... Were we writing outside our boundaries of skb data?

Please let me know about this approach...

Abraham
---
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/net/ks8851.c b/drivers/net/ks8851.c
index b4fb07a..6da81e1 100644
--- a/drivers/net/ks8851.c
+++ b/drivers/net/ks8851.c
@@ -504,7 +504,7 @@ static void ks8851_rx_pkts(struct ks8851_net *ks)
                               ks->rc_rxqcr | RXQCR_SDA | RXQCR_ADRFE);

                if (rxlen > 0) {
-                       skb = netdev_alloc_skb(ks->netdev, rxlen + 2 + 8);
+                       skb = netdev_alloc_skb(ks->netdev, rxlen + 4 + 8);
                        if (!skb) {

Best Regards