lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1373314235.4979.121.camel@edumazet-glaptop>
Date:	Mon, 08 Jul 2013 13:10:35 -0700
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Ben Greear <greearb@...delatech.com>
Cc:	netdev <netdev@...r.kernel.org>
Subject: Re: 3.9.5+:  Crash in tcp_input.c:4810.

On Mon, 2013-07-08 at 12:59 -0700, Ben Greear wrote:

> > There is this thing in ath9k about aggregating two frags
> >
> > drivers/net/wireless/ath/ath9k/recv.c line 1298 contains :
> >
> > RX_STAT_INC(rx_frags);
> >
> > Could you check these stats (I do not know if they are reported by
> > ethtool -S or another debugging facility) and check if rx_frags is ever
> > increasing ?
> 
> They are in debugfs, and they appear to increase fairly often, for
> instance:
> 
> [root@...2010-ath9k-1 lanforge]# cat /debug/ieee80211/wiphy0/ath9k/recv|tail -5
>             RX-Pkts-All :  288009442
>            RX-Bytes-All : 4067932166
>              RX-Beacons :   14826735
>                RX-Frags :       3944
>             RX-Spectral :          0
> 
> I don't have the stats from the system that reproduced the bug
> (it has been rebooted), but if I do see the bug again, I'll
> grab the rx-frags and other stats just in case it shows
> some anomaly.
> 

Reading this code again, I believe following patch is needed.

Could you test it ?

Thanks

diff --git a/drivers/net/wireless/ath/ath9k/recv.c b/drivers/net/wireless/ath/ath9k/recv.c
index 8be2b5d..f642f04 100644
--- a/drivers/net/wireless/ath/ath9k/recv.c
+++ b/drivers/net/wireless/ath/ath9k/recv.c
@@ -1317,7 +1317,8 @@ int ath_rx_tasklet(struct ath_softc *sc, int flush, bool hp)
 		if (sc->rx.frag) {
 			int space = skb->len - skb_tailroom(hdr_skb);
 
-			if (pskb_expand_head(hdr_skb, 0, space, GFP_ATOMIC) < 0) {
+			if (space > 0 &&
+			    pskb_expand_head(hdr_skb, 0, space, GFP_ATOMIC) < 0) {
 				dev_kfree_skb(skb);
 				RX_STAT_INC(rx_oom_err);
 				goto requeue_drop_frag;


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ