From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Jan Beulich" <JBeulich@suse.com>
Subject: Re: [Xen-users] kernel 3.9.2 - xen 4.2.2/4.3rc1 => BUG
 unable to handle kernel paging request netif_poll+0x49c/0xe8
Date: Mon, 08 Jul 2013 09:25:07 +0100
Message-ID: <51DA938302000078000E327E@nat28.tlf.novell.com>
References: <8511913.uMAmUdIO30@eistomin.edss.local>
	<20130517085923.GC14401@zion.uk.xensource.com>
	<51D57C1F.8070909@hunenet.nl>
	<20130704150137.GW7483@zion.uk.xensource.com>
	<51D6A282.4030703@hunenet.nl>
	<51D6C29102000078000E2F57@nat28.tlf.novell.com>
	<51D72291.7090508@hunenet.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <51D72291.7090508@hunenet.nl>
Content-Disposition: inline
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Dion Kant <g.w.kant@hunenet.nl>
Cc: Wei Liu <wei.liu2@citrix.com>, xen-devel@lists.xen.org
List-Id: xen-devel@lists.xenproject.org

>>> On 05.07.13 at 21:46, Dion Kant <g.w.kant@hunenet.nl> wrote:
> After obtaining results with your patch
> 
> 1285 static RING_IDX xennet_fill_frags(struct netfront_info *np,
> 1286                                   struct sk_buff *skb,
> 1287                                   struct sk_buff_head *list)
> 1288 {
> 1289         struct skb_shared_info *shinfo = skb_shinfo(skb);
> 1290         int nr_frags = shinfo->nr_frags;
> 1291         RING_IDX cons = np->rx.rsp_cons;
> 1292         struct sk_buff *nskb;
> 1293
> 1294         while ((nskb = __skb_dequeue(list))) {
> 1295                 struct netif_rx_response *rx =
> 1296                         RING_GET_RESPONSE(&np->rx, ++cons);
> 1297
> 1298
> 1299 if (nr_frags == MAX_SKB_FRAGS) {
> 1300         unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to;
> 1301
> 1302         BUG_ON(pull_to <= skb_headlen(skb));
> 1303         __pskb_pull_tail(skb, pull_to - skb_headlen(skb));
> 1304                 nr_frags = shinfo->nr_frags;
> 1305 }
> 1306 BUG_ON(nr_frags >= MAX_SKB_FRAGS);
> 1307
> 1308  __skb_fill_page_desc(skb, nr_frags,
> 1309                       skb_frag_page(skb_shinfo(nskb)->frags),
> 1310                       rx->offset, rx->status);
> 
> Can I conclude that nr_frags == MAX_SKB_FRAGS, pull_to <=
> skb_headlen(skb) and the panic happens before the next BUG_ON is reached ?

Yes, exactly. And Wei pointed at an issue with the patch, so I'll
have to see whether that might be an explanation for the crash
you observed.

Jan