Created attachment 39332 [details] Kernel Panic Hello i have problems with ppp driver and pppoe I have random kernel panics In attached image is Call Trace from panic. Thanks Pawel
(switched to email. Please respond via emailed reply-to-all, not via the bugzilla web interface). On Wed, 8 Dec 2010 20:14:45 GMT bugzilla-daemon@bugzilla.kernel.org wrote: > https://bugzilla.kernel.org/show_bug.cgi?id=24472 > > Summary: Kernel panic - not syncing: Fatal Exception > Product: Drivers > Version: 2.5 > Kernel Version: 2.6.36.1 > Platform: All > OS/Version: Linux > Tree: Mainline > Status: NEW > Severity: normal > Priority: P1 > Component: Network > AssignedTo: drivers_network@kernel-bugs.osdl.org > ReportedBy: pstaszewski@artcom.pl > Regression: No > > > Created an attachment (id=39332) > --> (https://bugzilla.kernel.org/attachment.cgi?id=39332) > Kernel Panic > > Hello i have problems with ppp driver and pppoe > I have random kernel panics > > In attached image is Call Trace from panic. > > ppp_unregister_channel() appears to be using a bad pointer.
Reply-To: pstaszewski@itcare.pl W dniu 2010-12-08 21:22, Andrew Morton pisze: > (switched to email. Please respond via emailed reply-to-all, not via the > bugzilla web interface). > > On Wed, 8 Dec 2010 20:14:45 GMT > bugzilla-daemon@bugzilla.kernel.org wrote: > >> https://bugzilla.kernel.org/show_bug.cgi?id=24472 >> >> Summary: Kernel panic - not syncing: Fatal Exception >> Product: Drivers >> Version: 2.5 >> Kernel Version: 2.6.36.1 >> Platform: All >> OS/Version: Linux >> Tree: Mainline >> Status: NEW >> Severity: normal >> Priority: P1 >> Component: Network >> AssignedTo: drivers_network@kernel-bugs.osdl.org >> ReportedBy: pstaszewski@artcom.pl >> Regression: No >> >> >> Created an attachment (id=39332) >> --> (https://bugzilla.kernel.org/attachment.cgi?id=39332) >> Kernel Panic >> >> Hello i have problems with ppp driver and pppoe >> I have random kernel panics >> >> In attached image is Call Trace from panic. >> >> > ppp_unregister_channel() appears to be using a bad pointer. > -- Yes. I see kernel panics when connection is terminated - but this happend randomly Sometimes to reproduce i need to connect->disconnect 50 - 60 times before kernel panic. > To unsubscribe from this list: send the line "unsubscribe netdev" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > >
Paweł Staszewski wrote: > W dniu 2010-12-08 21:22, Andrew Morton pisze: >> (switched to email. Please respond via emailed reply-to-all, not via the >> bugzilla web interface). >> >> On Wed, 8 Dec 2010 20:14:45 GMT >> bugzilla-daemon@bugzilla.kernel.org wrote: >> >>> https://bugzilla.kernel.org/show_bug.cgi?id=24472 >>> >>> Summary: Kernel panic - not syncing: Fatal Exception >>> Product: Drivers >>> Version: 2.5 >>> Kernel Version: 2.6.36.1 Hi, Could you try to revert this patch?: http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.36.y.git;a=commitdiff;h=55c95e738da85373965cb03b4f975d0fd559865b Jarek P.
Reply-To: pstaszewski@itcare.pl W dniu 2010-12-08 23:01, Jarek Poplawski pisze: > Paweł Staszewski wrote: >> W dniu 2010-12-08 21:22, Andrew Morton pisze: >>> (switched to email. Please respond via emailed reply-to-all, not via the >>> bugzilla web interface). >>> >>> On Wed, 8 Dec 2010 20:14:45 GMT >>> bugzilla-daemon@bugzilla.kernel.org wrote: >>> >>>> https://bugzilla.kernel.org/show_bug.cgi?id=24472 >>>> >>>> Summary: Kernel panic - not syncing: Fatal Exception >>>> Product: Drivers >>>> Version: 2.5 >>>> Kernel Version: 2.6.36.1 > Hi, > Could you try to revert this patch?: > > http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.36.y.git;a=commitdiff;h=55c95e738da85373965cb03b4f975d0fd559865b > After reverting this patch all is working 200 connects-disconnects and no kernel panic I will make more session and test more. Thanks Pawel > Jarek P. > -- > To unsubscribe from this list: send the line "unsubscribe netdev" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > >
Paweł Staszewski wrote: > W dniu 2010-12-08 23:01, Jarek Poplawski pisze: >> Paweł Staszewski wrote: >>> W dniu 2010-12-08 21:22, Andrew Morton pisze: >>>> (switched to email. Please respond via emailed reply-to-all, not >>>> via the >>>> bugzilla web interface). >>>> >>>> On Wed, 8 Dec 2010 20:14:45 GMT >>>> bugzilla-daemon@bugzilla.kernel.org wrote: >>>> >>>>> https://bugzilla.kernel.org/show_bug.cgi?id=24472 >>>>> >>>>> Summary: Kernel panic - not syncing: Fatal Exception >>>>> Product: Drivers >>>>> Version: 2.5 >>>>> Kernel Version: 2.6.36.1 >> Hi, >> Could you try to revert this patch?: >> >> http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.36.y.git;a=commitdiff;h=55c95e738da85373965cb03b4f975d0fd559865b >> >> > After reverting this patch all is working > 200 connects-disconnects and no kernel panic > > I will make more session and test more. OK. I CC Andrej and Eric, who diagnosed it in this thread: http://lkml.org/lkml/2010/12/3/116 [unable to handle kernel NULL pointer dereference in skb_dequeue] This should be also interesting: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=db7bf6d97c6956b7eb0f22131cb5c37bd41f33c0 Thanks for testing, Jarek P.
Reply-To: pstaszewski@itcare.pl W dniu 2010-12-09 18:55, Jarek Poplawski pisze: > Paweł Staszewski wrote: >> W dniu 2010-12-08 23:01, Jarek Poplawski pisze: >>> Paweł Staszewski wrote: >>>> W dniu 2010-12-08 21:22, Andrew Morton pisze: >>>>> (switched to email. Please respond via emailed reply-to-all, not >>>>> via the >>>>> bugzilla web interface). >>>>> >>>>> On Wed, 8 Dec 2010 20:14:45 GMT >>>>> bugzilla-daemon@bugzilla.kernel.org wrote: >>>>> >>>>>> https://bugzilla.kernel.org/show_bug.cgi?id=24472 >>>>>> >>>>>> Summary: Kernel panic - not syncing: Fatal Exception >>>>>> Product: Drivers >>>>>> Version: 2.5 >>>>>> Kernel Version: 2.6.36.1 >>> Hi, >>> Could you try to revert this patch?: >>> >>> http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.36.y.git;a=commitdiff;h=55c95e738da85373965cb03b4f975d0fd559865b >>> >>> >> After reverting this patch all is working >> 200 connects-disconnects and no kernel panic >> >> I will make more session and test more. > OK. I CC Andrej and Eric, who diagnosed it in this thread: > http://lkml.org/lkml/2010/12/3/116 > [unable to handle kernel NULL pointer dereference in skb_dequeue] > > This should be also interesting: > > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=db7bf6d97c6956b7eb0f22131cb5c37bd41f33c0 > > Thanks for testing, > Jarek P. > > After 10 hours of testing all is working. I can't reproduce kernel panic now with houndreds of pppoe sessions that connects-disconnects. Thanks Paweł
On 2010-12-09 20:59, Paweł Staszewski wrote: > W dniu 2010-12-09 18:55, Jarek Poplawski pisze: >> Paweł Staszewski wrote: >>> W dniu 2010-12-08 23:01, Jarek Poplawski pisze: >>>> Paweł Staszewski wrote: >>>>> W dniu 2010-12-08 21:22, Andrew Morton pisze: >>>>>> (switched to email. Please respond via emailed reply-to-all, not >>>>>> via the >>>>>> bugzilla web interface). >>>>>> >>>>>> On Wed, 8 Dec 2010 20:14:45 GMT >>>>>> bugzilla-daemon@bugzilla.kernel.org wrote: >>>>>> >>>>>>> https://bugzilla.kernel.org/show_bug.cgi?id=24472 >>>>>>> >>>>>>> Summary: Kernel panic - not syncing: Fatal Exception >>>>>>> Product: Drivers >>>>>>> Version: 2.5 >>>>>>> Kernel Version: 2.6.36.1 >>>> Hi, >>>> Could you try to revert this patch?: >>>> >>>> http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.36.y.git;a=commitdiff;h=55c95e738da85373965cb03b4f975d0fd559865b >>>> >>>> >>> After reverting this patch all is working >>> 200 connects-disconnects and no kernel panic >>> >>> I will make more session and test more. >> OK. I CC Andrej and Eric, who diagnosed it in this thread: >> http://lkml.org/lkml/2010/12/3/116 >> [unable to handle kernel NULL pointer dereference in skb_dequeue] >> >> This should be also interesting: >> >> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=db7bf6d97c6956b7eb0f22131cb5c37bd41f33c0 >> >> Thanks for testing, >> Jarek P. >> >> > After 10 hours of testing all is working. > > I can't reproduce kernel panic now with houndreds of pppoe sessions that > connects-disconnects. Pawel, thanks again. Andrej, could you send this patch? You did the most essential job here. Thanks, Jarek P.
Reply-To: andrej@ota.si Move kfree_skb which was causing memory corruption to new location, while still keeping appropriate return value for function __pppoe_xmit. Prevents memory corruption and consequent kernel panic when PPPoE peer terminates the link. Signed-off-by: Andrej Ota [andrej@ota.si] Reported-by: Pawel Staszewski [pstaszewski@artcom.pl] --- drivers/net/pppoe.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/pppoe.c b/drivers/net/pppoe.c index d72fb05..1a21dce 100644 --- a/drivers/net/pppoe.c +++ b/drivers/net/pppoe.c @@ -924,8 +924,10 @@ static int __pppoe_xmit(struct sock *sk, struct sk_buff *skb) /* Copy the data if there is no space for the header or if it's * read-only. */ - if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len)) + if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len)) { + kfree_skb(skb); goto abort; + } __skb_push(skb, sizeof(*ph)); skb_reset_network_header(skb); @@ -947,7 +949,6 @@ static int __pppoe_xmit(struct sock *sk, struct sk_buff *skb) return 1; abort: - kfree_skb(skb); return 0; } --- Andrej Ota.
On Fri, Dec 10, 2010 at 03:49:08PM +0100, Andrej Ota wrote: > Move kfree_skb which was causing memory corruption to new location, while > still keeping appropriate return value for function __pppoe_xmit. Prevents > memory corruption and consequent kernel panic when PPPoE peer terminates the > link. Andrej, a slight misunderstanding - probably I should be more explicit. I sent this link, which explains why return shouldn't be zero: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=db7bf6d97c6956b7eb0f22131cb5c37bd41f33c0 So the simplest fix is to revert this one change only. If you disagree with this let me know. You should also fix the subject to something more meaningful, e.g.: [PATCH] pppoe: Fix kernel panic caused by __pppoe_xmit Please, break lines in the changelog around 70 lines and add it fixes commit 55c95e738da85373965cb03b4f975d0fd559865b. Thanks, Jarek P. > > Signed-off-by: Andrej Ota [andrej@ota.si] > Reported-by: Pawel Staszewski [pstaszewski@artcom.pl] > --- > drivers/net/pppoe.c | 5 +++-- > 1 files changed, 3 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/pppoe.c b/drivers/net/pppoe.c > index d72fb05..1a21dce 100644 > --- a/drivers/net/pppoe.c > +++ b/drivers/net/pppoe.c > @@ -924,8 +924,10 @@ static int __pppoe_xmit(struct sock *sk, struct sk_buff > *skb) > /* Copy the data if there is no space for the header or if it's > * read-only. > */ > - if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len)) > + if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len)) { > + kfree_skb(skb); > goto abort; > + } > > __skb_push(skb, sizeof(*ph)); > skb_reset_network_header(skb); > @@ -947,7 +949,6 @@ static int __pppoe_xmit(struct sock *sk, struct sk_buff > *skb) > return 1; > > abort: > - kfree_skb(skb); > return 0; > } > > --- > > Andrej Ota.