Summary:	DAHLIN-00351: Kernel crash in dahdi_dynamic_eth with igb network driver
Reporter:	Michael Walton (mike@farsouthnet.com)	Labels:	patch
Date Opened:	2016-06-22 17:32:59	Date Closed:
Priority:	Major	Regression?	No
Status:	Triage/New	Components:	dahdi_dynamic_eth
Versions:	2.7.0.1 2.10.1	Frequency of Occurrence	Constant
Related Issues:
Environment:	Ubuntu 12.04, kernel 2.6.38, i386, Ethernet controller: Intel Corporation I211 Gigabit Network Connection, igb	Attachments:	( 0) dahlin-351.patch
Description:	Starting a PRI span over dahdi_dynamic_eth in the above environment (specifically, igb network driver) causes immediate kernel crash, with following crash dump (extract): {noformat} [ 2721.528920] ------------[ cut here ]------------ [ 2721.533548] kernel BUG at /build/linux-lts-backport-natty-OhJ2Vz/linux-lts-backport-natty-2.6.38/include/linux/skbuff.h:1186! [ 2721.544840] invalid opcode: 0000 [#1] SMP [ 2721.548972] last sysfs file: /sys/devices/system/cpu/online [ 2721.554543] Modules linked in: ... [ 2721.664699] Pid: 0, comm: swapper Not tainted 2.6.38-14-generic-pae #1~mpx1                                                                                 / [ 2721.672264] EIP: 0060:[<c1535787>] EFLAGS: 00010283 CPU: 0 [ 2721.677762] EIP is at __skb_pull.part.34+0x8/0xa [ 2721.682384] EAX: 0000010e EBX: ef508050 ECX: ef6b56c0 EDX: 00000002 [ 2721.688646] ESI: ef53fe46 EDI: ef6b56c0 EBP: f740be54 ESP: f740be54 [ 2721.694912]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 [ 2721.700312] Process swapper (pid: 0, ti=f740a000 task=c177af60 task.ti=c17740                                                                             00) [ 2721.707700] Stack: [ 2721.709716]  f740be5c c143fcd4 f740be7c f87620b9 ef6b56c0 01000000 00000286 e                                                                             f6b56c0 [ 2721.717599]  c17d95a8 f8764000 f740beb4 c1449d63 f766a000 f740bea8 f766a000 f                                                                             8764000 [ 2721.725469]  c17d95c8 00000000 f766a000 ef6b56c0 c17d95c8 ef6b56c0 d74247e0 d                                                                             79ba580 [ 2721.733341] Call Trace: [ 2721.735808]  [<c143fcd4>] skb_pull+0x34/0x40 [ 2721.740093]  [<f87620b9>] ztdeth_rcv+0xb9/0xe0 [dahdi_dynamic_eth] [ 2721.746283]  [<c1449d63>] __netif_receive_skb+0x373/0x4b0 [ 2721.751688]  [<c144afff>] netif_receive_skb+0x6f/0x80 [ 2721.756747]  [<c1440728>] ? __alloc_skb+0x58/0x1f0 ... {noformat}
Comments:	By: Michael Walton (mike@farsouthnet.com) 2016-06-22 17:37:26.051-0500 The cause is the non-linear skb delivered by igb, presumably containing only the ethernet frame header in the first fragment. This causes the following lines of code to fail, because they occur before the call to skb_linearize(skb), in dahdi_dynamic_eth.c:ztdeth_rcv() {code} span = ztdeth_getspan(eth_hdr(skb)->h_source, zh->subaddr); if (span) { skb_pull(skb, sizeof(struct ztdeth_header)); {code} Moving the skb_linearize() to the top of the function solves the problem and normal operation is restored. I will attach a patch. By: Michael Walton (mike@farsouthnet.com) 2016-06-22 17:45:56.083-0500 Patch against 2.7.0.1