2021-09-01 02:02:13

by Luiz Augusto von Dentz

Subject: [PATCH 1/4] Bluetooth: Add bt_skb_sendmsg helper

From: Luiz Augusto von Dentz <[email protected]>

bt_skb_sendmsg takes care of allocating the skb and copying the
contents of msg over to the skb while checking for possible errors,
so it should be safe to call it without holding lock_sock.

Signed-off-by: Luiz Augusto von Dentz <[email protected]>
---
include/net/bluetooth/bluetooth.h | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)

diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h
index 9125effbf448..f858efcf9f40 100644
--- a/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@@ -420,6 +420,32 @@ static inline struct sk_buff *bt_skb_send_alloc(struct sock *sk,
return NULL;
}

+/* Shall not be called with lock_sock held */
+static inline struct sk_buff *bt_skb_sendmsg(struct sock *sk,
+ struct msghdr *msg,
+ size_t len, size_t header,
+ size_t footer)
+{
+ struct sk_buff *skb;
+ int err;
+
+ skb = bt_skb_send_alloc(sk, len + header + footer,
+ msg->msg_flags & MSG_DONTWAIT, &err);
+ if (!skb)
+ return ERR_PTR(err);
+
+ skb_reserve(skb, header);
+
+ if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
+ kfree_skb(skb);
+ return ERR_PTR(-EFAULT);
+ }
+
+ skb->priority = sk->sk_priority;
+
+ return skb;
+}
+
int bt_to_errno(u16 code);

void hci_sock_set_flag(struct sock *sk, int nr);
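Review bot: The one-line comment above `bt_skb_sendmsg` does not state the return contract, and the callers added later in this series test the result with `IS_ERR_OR_NULL()` and then `PTR_ERR()`, which suggests the contract is not obvious. As written, the helper returns `ERR_PTR(err)` when `bt_skb_send_alloc()` fails and `ERR_PTR(-EFAULT)` when `memcpy_from_msg()` fails, so I would replace the comment with a kernel-doc block saying that failure is reported as an ERR_PTR to be checked with `IS_ERR()`, that `len` bytes are consumed from `msg`, and that ownership of the returned skb passes to the caller. It would also help to state why the lock must not be held, e.g. `/* Copies from user memory and may block in allocation; do not call with lock_sock held */` (presumably that is the reason; confirm).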
--
2.31.1


2021-09-01 02:02:13

by Luiz Augusto von Dentz

Subject: [PATCH 3/4] Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg

From: Luiz Augusto von Dentz <[email protected]>

This makes use of bt_skb_sendmsg instead of allocating a different
buffer to be used with memcpy_from_msg, which causes one extra copy.

Signed-off-by: Luiz Augusto von Dentz <[email protected]>
---
net/bluetooth/sco.c | 34 +++++++++++-----------------------
1 file changed, 11 insertions(+), 23 deletions(-)

diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index b62c91c627e2..60fb4dc73bc2 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -280,27 +280,19 @@ static int sco_connect(struct hci_dev *hdev, struct sock *sk)
return err;
}

-static int sco_send_frame(struct sock *sk, void *buf, int len,
- unsigned int msg_flags)
+static int sco_send_frame(struct sock *sk, struct sk_buff *skb)
{
struct sco_conn *conn = sco_pi(sk)->conn;
- struct sk_buff *skb;
- int err;

/* Check outgoing MTU */
- if (len > conn->mtu)
+ if (skb->len > conn->mtu)
return -EINVAL;

- BT_DBG("sk %p len %d", sk, len);
+ BT_DBG("sk %p len %d", sk, skb->len);

- skb = bt_skb_send_alloc(sk, len, msg_flags & MSG_DONTWAIT, &err);
- if (!skb)
- return err;
-
- memcpy(skb_put(skb, len), buf, len);
hci_send_sco(conn->hcon, skb);

- return len;
+ return skb->len;
}

static void sco_recv_frame(struct sco_conn *conn, struct sk_buff *skb)
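Review bot: The skb is still used after it has been handed to `hci_send_sco(conn->hcon, skb)`, in two places. In `sco_send_frame`, `return skb->len;` reads a buffer this function no longer owns and that may already have been freed (hci_send_sco is not visible here; presumably it queues the skb for transmission); cache the length first with `int len = skb->len;`, use it in the MTU check and `BT_DBG`, and `return len;`. In the last hunk of this file, `sco_sock_sendmsg` does `if (err) kfree_skb(skb);`, but `err` is the positive byte count on success, so the skb that was just passed to `hci_send_sco` is freed a second time; that test should be `if (err < 0)`.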
@@ -722,7 +714,7 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
size_t len)
{
struct sock *sk = sock->sk;
- void *buf;
+ struct sk_buff *skb;
int err;

BT_DBG("sock %p, sk %p", sock, sk);
@@ -734,24 +726,20 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
if (msg->msg_flags & MSG_OOB)
return -EOPNOTSUPP;

- buf = kmalloc(len, GFP_KERNEL);
- if (!buf)
- return -ENOMEM;
-
- if (memcpy_from_msg(buf, msg, len)) {
- kfree(buf);
- return -EFAULT;
- }
+ skb = bt_skb_sendmsg(sk, msg, len, 0, 0);
+ if (IS_ERR_OR_NULL(skb))
+ return PTR_ERR(skb);

lock_sock(sk);

if (sk->sk_state == BT_CONNECTED)
- err = sco_send_frame(sk, buf, len, msg->msg_flags);
+ err = sco_send_frame(sk, skb);
else
err = -ENOTCONN;

release_sock(sk);
- kfree(buf);
+ if (err)
+ kfree_skb(skb);
return err;
}

--
2.31.1

2021-09-01 02:02:13

by Luiz Augusto von Dentz

Subject: [PATCH 2/4] Bluetooth: Add bt_skb_sendmmsg helper

From: Luiz Augusto von Dentz <[email protected]>

This works similarly to bt_skb_sendmsg but can split the msg into
multiple skb fragments which is useful for stream sockets.

Signed-off-by: Luiz Augusto von Dentz <[email protected]>
---
include/net/bluetooth/bluetooth.h | 35 +++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)

diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h
index f858efcf9f40..96743e6e7a0a 100644
--- a/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@@ -446,6 +446,41 @@ static inline struct sk_buff *bt_skb_sendmsg(struct sock *sk,
return skb;
}

+/* Similar to bt_skb_sendmsg but can split the msg into multiple fragments
+ * accourding to the MTU.
+ */
+static inline struct sk_buff *bt_skb_sendmmsg(struct sock *sk,
+ struct msghdr *msg,
+ size_t len, size_t mtu,
+ size_t header, size_t footer)
+{
+ struct sk_buff *skb, **frag;
+ size_t size = min_t(size_t, len, mtu);
+
+ skb = bt_skb_sendmsg(sk, msg, size, header, footer);
+ if (IS_ERR_OR_NULL(skb))
+ return skb;
+
+ len -= size;
+ if (!len)
+ return skb;
+
+ /* Add remaining data over MTU as continuation fragments */
+ frag = &skb_shinfo(skb)->frag_list;
+ while (len) {
+ *frag = bt_skb_sendmsg(sk, msg, size, header, footer);
+ if (IS_ERR_OR_NULL(*frag)) {
+ kfree_skb(skb);
+ return *frag;
+ }
+
+ len -= (*frag)->len;
+ frag = &(*frag)->next;
+ }
+
+ return skb;
+}
+
int bt_to_errno(u16 code);

void hci_sock_set_flag(struct sock *sk, int nr);
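Review bot: In the fragment loop of `bt_skb_sendmmsg`, the result of `bt_skb_sendmsg()` is stored straight into `*frag`, so on failure an ERR_PTR sits in the head skb's `frag_list` (or in a previous fragment's `next`) when `kfree_skb(skb)` runs, and `return *frag` then reads memory that was just freed. Freeing an skb walks its frag list, which is consistent with the fault address fffffffffffffff2 (-EFAULT as a pointer) in skb_release_data reported later in this thread. The loop also reuses `size` for every fragment instead of clamping it to the remaining `len`, so a final short fragment asks for more bytes than are left and `len -= (*frag)->len` can wrap. Keep the result in a local, link it into the chain only after it has been checked, and recompute the size on each iteration.
```c
	/* Add remaining data over MTU as continuation fragments */
	frag = &skb_shinfo(skb)->frag_list;
	while (len) {
		struct sk_buff *tmp;

		/* Never ask for more than what is left in msg */
		size = min_t(size_t, len, mtu);

		tmp = bt_skb_sendmsg(sk, msg, size, header, footer);
		if (IS_ERR_OR_NULL(tmp)) {
			/* The chain holds only valid skbs, so this frees them all */
			kfree_skb(skb);
			return tmp;
		}

		len -= tmp->len;

		*frag = tmp;
		frag = &tmp->next;
	}
```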
--
2.31.1

2021-09-01 02:05:06

by Luiz Augusto von Dentz

Subject: [PATCH 4/4] Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg

From: Luiz Augusto von Dentz <[email protected]>

This makes use of bt_skb_sendmmsg instead of using memcpy_from_msg, which
is not considered safe to be used when lock_sock is held.

Also make rfcomm_dlc_send handle skb with fragments and queue them all
atomically.

Signed-off-by: Luiz Augusto von Dentz <[email protected]>
---
net/bluetooth/rfcomm/core.c | 44 +++++++++++++++++++++++++++++------
net/bluetooth/rfcomm/sock.c | 46 ++++++++-----------------------------
2 files changed, 47 insertions(+), 43 deletions(-)

diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index f2bacb464ccf..361a60b4a670 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -549,22 +549,52 @@ struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel)
return dlc;
}

+static int rfcomm_dlc_send_frag(struct rfcomm_dlc *d, struct sk_buff *frag)
+{
+ int len = frag->len;
+
+ BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
+
+ if (len > d->mtu)
+ return -EINVAL;
+
+ rfcomm_make_uih(frag, d->addr);
+ __skb_queue_tail(&d->tx_queue, frag);
+
+ return len;
+}
+
int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
{
- int len = skb->len;
+ struct sk_buff *frag;
+ int len;

if (d->state != BT_CONNECTED)
return -ENOTCONN;

- BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
+ /* Queue all fragments atomically. */
+ spin_lock_bh(&d->tx_queue.lock);

- if (len > d->mtu)
- return -EINVAL;
+ len = rfcomm_dlc_send_frag(d, skb);
+ if (len < 0)
+ goto unlock;

- rfcomm_make_uih(skb, d->addr);
- skb_queue_tail(&d->tx_queue, skb);
+ skb_walk_frags(skb, frag) {
+ int ret;
+
+ ret = rfcomm_dlc_send_frag(d, frag);
+ if (ret < 0)
+ break;
+
+ len += ret;
+ }
+
+ skb_shinfo(skb)->frag_list = NULL;
+
+unlock:
+ spin_unlock_bh(&d->tx_queue.lock);

- if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
+ if (len > 0 && !test_bit(RFCOMM_TX_THROTTLED, &d->flags))
rfcomm_schedule();
return len;
}
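Review bot: `skb_walk_frags(skb, frag)` in `rfcomm_dlc_send` advances through `frag->next`, but `rfcomm_dlc_send_frag` has already passed that fragment to `__skb_queue_tail()`, which rewrites its `next`/`prev` to link it into `d->tx_queue`; after the first fragment the walk follows the tx queue instead of the fragment list. The head skb is also queued while its `frag_list` still points at the fragments, and when a fragment fails, the `break` path clears `frag_list` and leaves the fragments that were not queued without an owner. Detach the list once the head is queued, save `next` before each call, and free whatever could not be queued.
```c
	struct sk_buff *frag, *next;
	int len;

	/* … unchanged: d->state check, spin_lock_bh() … */

	len = rfcomm_dlc_send_frag(d, skb);
	if (len < 0)
		goto unlock;

	/* Queuing rewrites ->next, and the queued head must not own the
	 * fragments, so detach the list before walking it.
	 */
	frag = skb_shinfo(skb)->frag_list;
	skb_shinfo(skb)->frag_list = NULL;

	for (; frag; frag = next) {
		int ret;

		next = frag->next;

		ret = rfcomm_dlc_send_frag(d, frag);
		if (ret < 0) {
			/* frag and everything after it were not queued */
			kfree_skb_list(frag);
			break;
		}

		len += ret;
	}

unlock:
	/* … unchanged: spin_unlock_bh(), rfcomm_schedule(), return len … */
```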
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 2c95bb58f901..5938af3e9936 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -575,46 +575,20 @@ static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg,
lock_sock(sk);

sent = bt_sock_wait_ready(sk, msg->msg_flags);
- if (sent)
- goto done;
-
- while (len) {
- size_t size = min_t(size_t, len, d->mtu);
- int err;
-
- skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE,
- msg->msg_flags & MSG_DONTWAIT, &err);
- if (!skb) {
- if (sent == 0)
- sent = err;
- break;
- }
- skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);
-
- err = memcpy_from_msg(skb_put(skb, size), msg, size);
- if (err) {
- kfree_skb(skb);
- if (sent == 0)
- sent = err;
- break;
- }

- skb->priority = sk->sk_priority;
+ release_sock(sk);

- err = rfcomm_dlc_send(d, skb);
- if (err < 0) {
- kfree_skb(skb);
- if (sent == 0)
- sent = err;
- break;
- }
+ if (sent)
+ return sent;

- sent += size;
- len -= size;
- }
+ skb = bt_skb_sendmmsg(sk, msg, len, d->mtu, RFCOMM_SKB_HEAD_RESERVE,
+ RFCOMM_SKB_TAIL_RESERVE);
+ if (IS_ERR_OR_NULL(skb))
+ return PTR_ERR(skb);

-done:
- release_sock(sk);
+ sent = rfcomm_dlc_send(d, skb);
+ if (sent < 0)
+ kfree_skb(skb);

return sent;
}
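Review bot: A zero-length send now behaves differently in `rfcomm_sock_sendmsg`: the removed `while (len)` loop allocated nothing and returned 0, whereas `bt_skb_sendmmsg(sk, msg, len, d->mtu, ...)` with `len == 0` still allocates an skb and `rfcomm_dlc_send` queues it as a frame with no payload. If that is not intended, return before the allocation, e.g. `if (!len) return 0;` next to the `if (sent) return sent;` check. Separately, `IS_ERR_OR_NULL(skb)` followed by `return PTR_ERR(skb);` would report success (0) for a NULL result; `IS_ERR()` states the contract more precisely if the helper never returns NULL. The function body starts outside this hunk, so earlier checks on `len` are not visible here.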
--
2.31.1

2021-09-01 02:07:36

by bluez.test.bot

Subject: RE: [1/4] Bluetooth: Add bt_skb_sendmsg helper

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=540067

---Test result---

Test Summary:
CheckPatch PASS 1.59 seconds
GitLint PASS 0.39 seconds
BuildKernel PASS 509.49 seconds
TestRunner: Setup PASS 336.66 seconds
TestRunner: l2cap-tester PASS 2.48 seconds
TestRunner: bnep-tester PASS 1.89 seconds
TestRunner: mgmt-tester PASS 30.84 seconds
TestRunner: rfcomm-tester PASS 2.04 seconds
TestRunner: sco-tester PASS 2.02 seconds
TestRunner: smp-tester PASS 2.11 seconds
TestRunner: userchan-tester PASS 1.92 seconds

Details
##############################
Test: CheckPatch - PASS - 1.59 seconds
Run checkpatch.pl script with rule in .checkpatch.conf


##############################
Test: GitLint - PASS - 0.39 seconds
Run gitlint with rule in .gitlint


##############################
Test: BuildKernel - PASS - 509.49 seconds
Build Kernel with minimal configuration supports Bluetooth


##############################
Test: TestRunner: Setup - PASS - 336.66 seconds
Setup environment for running Test Runner


##############################
Test: TestRunner: l2cap-tester - PASS - 2.48 seconds
Run test-runner with l2cap-tester
Total: 40, Passed: 40 (100.0%), Failed: 0, Not Run: 0

##############################
Test: TestRunner: bnep-tester - PASS - 1.89 seconds
Run test-runner with bnep-tester
Total: 1, Passed: 1 (100.0%), Failed: 0, Not Run: 0

##############################
Test: TestRunner: mgmt-tester - PASS - 30.84 seconds
Run test-runner with mgmt-tester
Total: 452, Passed: 452 (100.0%), Failed: 0, Not Run: 0

##############################
Test: TestRunner: rfcomm-tester - PASS - 2.04 seconds
Run test-runner with rfcomm-tester
Total: 9, Passed: 9 (100.0%), Failed: 0, Not Run: 0

##############################
Test: TestRunner: sco-tester - PASS - 2.02 seconds
Run test-runner with sco-tester
Total: 8, Passed: 8 (100.0%), Failed: 0, Not Run: 0

##############################
Test: TestRunner: smp-tester - PASS - 2.11 seconds
Run test-runner with smp-tester
Total: 8, Passed: 8 (100.0%), Failed: 0, Not Run: 0

##############################
Test: TestRunner: userchan-tester - PASS - 1.92 seconds
Run test-runner with userchan-tester
Total: 3, Passed: 3 (100.0%), Failed: 0, Not Run: 0



---
Regards,
Linux Bluetooth


Attachments:
l2cap-tester.log (43.34 kB)
bnep-tester.log (3.51 kB)
mgmt-tester.log (607.97 kB)
rfcomm-tester.log (11.44 kB)
sco-tester.log (9.71 kB)
smp-tester.log (11.58 kB)
userchan-tester.log (5.36 kB)

2021-09-01 05:49:41

by Marcel Holtmann

Subject: Re: [PATCH 1/4] Bluetooth: Add bt_skb_sendmsg helper

Hi Luiz,

> bt_skb_sendmsg helps takes care of allocation the skb and copying the
> the contents of msg over to the skb while checking for possible errors
> so it should be safe to call it without holding lock_sock.
>
> Signed-off-by: Luiz Augusto von Dentz <[email protected]>
> ---
> include/net/bluetooth/bluetooth.h | 26 ++++++++++++++++++++++++++
> 1 file changed, 26 insertions(+)
>
> diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h
> index 9125effbf448..f858efcf9f40 100644
> --- a/include/net/bluetooth/bluetooth.h
> +++ b/include/net/bluetooth/bluetooth.h
> @@ -420,6 +420,32 @@ static inline struct sk_buff *bt_skb_send_alloc(struct sock *sk,
> return NULL;
> }
>
> +/* Shall not be called with lock_sock held */
> +static inline struct sk_buff *bt_skb_sendmsg(struct sock *sk,
> + struct msghdr *msg,
> + size_t len, size_t header,
> + size_t footer)
> +{
> + struct sk_buff *skb;
> + int err;
> +
> + skb = bt_skb_send_alloc(sk, len + header + footer,
> + msg->msg_flags & MSG_DONTWAIT, &err);
> + if (!skb)
> + return ERR_PTR(err);
> +
> + skb_reserve(skb, header);

I am not with you on this one since bt_skb_send_alloc already calls skb_reserve in the first place.

/**
* skb_reserve - adjust headroom
* @skb: buffer to alter
* @len: bytes to move
*
* Increase the headroom of an empty &sk_buff by reducing the tail
* room. This is only allowed for an empty buffer.
*/

In addition we have this comment here. So what kind of headroom do we need with this SKB?

And wouldn’t it be better to actually assign a tailroom instead of just a large enough buffer?

/**
* skb_tailroom_reserve - adjust reserved_tailroom
* @skb: buffer to alter
* @mtu: maximum amount of headlen permitted
* @needed_tailroom: minimum amount of reserved_tailroom
*
* Set reserved_tailroom so that headlen can be as large as possible but
* not larger than mtu and tailroom cannot be smaller than
* needed_tailroom.
* The required headroom should already have been reserved before using
* this function.
*/

We also have this capability inside the SKBs.

So while the basic idea of this patchset seems fine, we need to figure out the details and not overload us in spaghetti code by wanting to have a common bt_skb_* helper. Maybe it is actually not helpful in this case since we just have to have a too large parameter list to satisfy all 3 users.

Regards

Marcel

2021-09-01 22:31:38

by Luiz Augusto von Dentz

Subject: Re: [PATCH 1/4] Bluetooth: Add bt_skb_sendmsg helper

Hi Marcel,

On Tue, Aug 31, 2021 at 10:44 PM Marcel Holtmann <[email protected]> wrote:
>
> Hi Luiz,
>
> > bt_skb_sendmsg helps takes care of allocation the skb and copying the
> > the contents of msg over to the skb while checking for possible errors
> > so it should be safe to call it without holding lock_sock.
> >
> > Signed-off-by: Luiz Augusto von Dentz <[email protected]>
> > ---
> > include/net/bluetooth/bluetooth.h | 26 ++++++++++++++++++++++++++
> > 1 file changed, 26 insertions(+)
> >
> > diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h
> > index 9125effbf448..f858efcf9f40 100644
> > --- a/include/net/bluetooth/bluetooth.h
> > +++ b/include/net/bluetooth/bluetooth.h
> > @@ -420,6 +420,32 @@ static inline struct sk_buff *bt_skb_send_alloc(struct sock *sk,
> > return NULL;
> > }
> >
> > +/* Shall not be called with lock_sock held */
> > +static inline struct sk_buff *bt_skb_sendmsg(struct sock *sk,
> > + struct msghdr *msg,
> > + size_t len, size_t header,
> > + size_t footer)
> > +{
> > + struct sk_buff *skb;
> > + int err;
> > +
> > + skb = bt_skb_send_alloc(sk, len + header + footer,
> > + msg->msg_flags & MSG_DONTWAIT, &err);
> > + if (!skb)
> > + return ERR_PTR(err);
> > +
> > + skb_reserve(skb, header);
>
> I am not with you on this one since bt_skb_send_alloc already calls skb_reserve in the first place.

Afaik skb_reserve can be called multiple times since it just adds more
headroom/reduces tailroom:

static inline void skb_reserve(struct sk_buff *skb, int len)
{
skb->data += len;
skb->tail += len;
}

The RFCOMM does exactly that:

- skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE,
- msg->msg_flags & MSG_DONTWAIT, &err);
- if (!skb) {
- if (sent == 0)
- sent = err;
- break;
- }
- skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);

> /**
> * skb_reserve - adjust headroom
> * @skb: buffer to alter
> * @len: bytes to move
> *
> * Increase the headroom of an empty &sk_buff by reducing the tail
> * room. This is only allowed for an empty buffer.
> */
>
> In addition we have this comment here. So what kind of headroom do we need with this SKB?

We need the BT_SKB_RESERVE(ACL + L2CAP) +
RFCOMM_SKB_HEAD_RESERVE(RFCOMM header) +
RFCOMM_SKB_TAIL_RESERVE(RFCOMM footer) as tailroom, the len need to
accomodate all of them since they are considered part of the data
(there is no separate storage).

> And wouldn’t it be better to actually assign a tailroom instead of just a large enough buffer?

Yep, though I think the skb_tailroom_reserve does not create a
separate area in the buffer it just marks it so the likes of
__skb_grow can grow the skb, anyway it shall be possible to use it as
well.

> /**
> * skb_tailroom_reserve - adjust reserved_tailroom
> * @skb: buffer to alter
> * @mtu: maximum amount of headlen permitted
> * @needed_tailroom: minimum amount of reserved_tailroom
> *
> * Set reserved_tailroom so that headlen can be as large as possible but
> * not larger than mtu and tailroom cannot be smaller than
> * needed_tailroom.
> * The required headroom should already have been reserved before using
> * this function.
> */
>
> We also have this capability inside the SKBs.
>
> So while the basic idea of this patchset seems fine, we need to figure out the details and not overload us in spaghetti code by wanting to have a common bt_skb_* helper. Maybe it is actually not helpful in this case since we just have to have a too large parameter list to satisfy all 3 users.

Actually having proper helpers for this might actually simplify the
code since then we can enforce that both headroom and tailroom are
properly set as currently each protocol is doing this in its own way.

>
> Regards
>
> Marcel
>


--
Luiz Augusto von Dentz

2021-09-03 08:47:32

by kernel test robot

Subject: [Bluetooth] e1ce6a3427: BUG:unable_to_handle_page_fault_for_address



Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: e1ce6a3427fad2e3ecfdab087d93e13fc72599a3 ("[PATCH 4/4] Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg")
url: https://github.com/0day-ci/linux/commits/Luiz-Augusto-von-Dentz/Bluetooth-Add-bt_skb_sendmsg-helper/20210901-082811
base: https://git.kernel.org/cgit/linux/kernel/git/bluetooth/bluetooth-next.git master

in testcase: trinity
version: trinity-x86_64-b1a0aef9-1_20210901
with following parameters:

ucode: 0xe2
runtime: 300s

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: 4 threads Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz with 32G memory

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


+---------------------------------------------+------------+------------+
| | 0eab6ff3b3 | e1ce6a3427 |
+---------------------------------------------+------------+------------+
| boot_failures | 0 | 13 |
| BUG:unable_to_handle_page_fault_for_address | 0 | 13 |
| Oops:#[##] | 0 | 13 |
| RIP:skb_release_data | 0 | 13 |
| Kernel_panic-not_syncing:Fatal_exception | 0 | 13 |
+---------------------------------------------+------------+------------+


If you fix the issue, kindly add following tag
Reported-by: kernel test robot <[email protected]>


[ 32.034956][ T1099] BUG: unable to handle page fault for address: fffffffffffffff2
[ 32.042483][ T1099] #PF: supervisor read access in kernel mode
[ 32.048278][ T1099] #PF: error_code(0x0000) - not-present page
[ 32.054075][ T1099] PGD 870c13067 P4D 870c13067 PUD 870c15067 PMD 0
[ 32.060389][ T1099] Oops: 0000 [#1] SMP PTI
[ 32.064545][ T1099] CPU: 3 PID: 1099 Comm: trinity-c0 Tainted: G I 5.14.0-rc7-01825-ge1ce6a3427fa #1
[ 32.074916][ T1099] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.1.1 10/07/2015
[ 32.082955][ T1099] RIP: 0010:skb_release_data+0x119/0x180
[ 32.088411][ T1099] Code: 90 f0 ff 4d 34 75 bd 48 89 ef 48 83 c3 01 e8 7e b3 85 ff 41 0f b6 44 24 02 39 d8 7f b5 49 8b 5c 24 08 48 85 db 74 10 48 89 df <48> 8b 1b e8 df fd ff ff 48 85 db 75 f0 4c 89 ef e8 52 c8 ff ff 41
[ 32.107756][ T1099] RSP: 0018:ffffc9000098fd38 EFLAGS: 00010282
[ 32.113637][ T1099] RAX: ffff88886e564701 RBX: fffffffffffffff2 RCX: ffffffff8262ef08
[ 32.121429][ T1099] RDX: 0000000000000b59 RSI: ffffffff81a67fe1 RDI: fffffffffffffff2
[ 32.129222][ T1099] RBP: ffff88886e564c00 R08: 0000000000000001 R09: ffffffff81a67f00
[ 32.137000][ T1099] R10: ffff888100ee2800 R11: 0000000000000001 R12: ffff888100ee0ec0
[ 32.144783][ T1099] R13: ffff88886e564c00 R14: 000000000000007f R15: ffff88886e564f00
[ 32.152576][ T1099] FS: 00007f0b2ec5e740(0000) GS:ffff888841580000(0000) knlGS:0000000000000000
[ 32.161304][ T1099] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 32.167701][ T1099] CR2: fffffffffffffff2 CR3: 000000086dbe0006 CR4: 00000000003706e0
[ 32.175481][ T1099] DR0: 00007f0b2cd44000 DR1: 00007f0b2cdb6000 DR2: 00007f0b2cdbb000
[ 32.183259][ T1099] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[ 32.191038][ T1099] Call Trace:
[ 32.194161][ T1099] kfree_skb+0x2c/0xc0
[ 32.198064][ T1099] rfcomm_sock_sendmsg+0x368/0x4c0 [rfcomm]
[ 32.203776][ T1099] sock_sendmsg+0x5e/0x80
[ 32.207939][ T1099] __sys_sendto+0xee/0x180
[ 32.212193][ T1099] __x64_sys_sendto+0x25/0x40
[ 32.216700][ T1099] do_syscall_64+0x3b/0xc0
[ 32.220951][ T1099] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 32.226667][ T1099] RIP: 0033:0x7f0b2ed75f59
[ 32.230917][ T1099] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 07 6f 0c 00 f7 d8 64 89 01 48
[ 32.250266][ T1099] RSP: 002b:00007fff1c21ba78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 32.258477][ T1099] RAX: ffffffffffffffda RBX: 000000000000002c RCX: 00007f0b2ed75f59
[ 32.266255][ T1099] RDX: 0000000000000677 RSI: 0000562987640980 RDI: 000000000000016b
[ 32.274034][ T1099] RBP: 000000000000002c R08: 0000562987640900 R09: 000000000000006e
[ 32.281812][ T1099] R10: 00000000800067b8 R11: 0000000000000246 R12: 0000000000000002
[ 32.289607][ T1099] R13: 00007f0b2d728058 R14: 00007f0b2ec5e6c0 R15: 00007f0b2d728000
[ 32.297401][ T1099] Modules linked in: mpls_router ip_tunnel vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock vmw_vmci ieee802154_socket ieee802154 af_key hidp bnep rfcomm bluetooth ecdh_generic ecc rfkill can_bcm can_raw can crypto_user ib_core nfnetlink scsi_transport_iscsi atm sctp ip6_udp_tunnel udp_tunnel xfs btrfs blake2b_generic xor zstd_compress raid6_pq libcrc32c ipmi_devintf ipmi_msghandler sd_mod t10_pi sg intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp coretemp i915 kvm_intel kvm intel_gtt irqbypass ttm crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel drm_kms_helper rapl syscopyarea mei_wdt intel_cstate sysfillrect wmi_bmof sysimgblt intel_uncore fb_sys_fops ahci mei_me libahci drm libata intel_pch_thermal mei wmi video intel_pmc_core acpi_pad ip_tables
[ 32.370652][ T1099] CR2: fffffffffffffff2
[ 32.374635][ T1099] ---[ end trace 618f0f6fd7095aea ]---
[ 32.379926][ T1099] RIP: 0010:skb_release_data+0x119/0x180
[ 32.385378][ T1099] Code: 90 f0 ff 4d 34 75 bd 48 89 ef 48 83 c3 01 e8 7e b3 85 ff 41 0f b6 44 24 02 39 d8 7f b5 49 8b 5c 24 08 48 85 db 74 10 48 89 df <48> 8b 1b e8 df fd ff ff 48 85 db 75 f0 4c 89 ef e8 52 c8 ff ff 41
[ 32.404720][ T1099] RSP: 0018:ffffc9000098fd38 EFLAGS: 00010282
[ 32.410602][ T1099] RAX: ffff88886e564701 RBX: fffffffffffffff2 RCX: ffffffff8262ef08
[ 32.418396][ T1099] RDX: 0000000000000b59 RSI: ffffffff81a67fe1 RDI: fffffffffffffff2
[ 32.426175][ T1099] RBP: ffff88886e564c00 R08: 0000000000000001 R09: ffffffff81a67f00
[ 32.433952][ T1099] R10: ffff888100ee2800 R11: 0000000000000001 R12: ffff888100ee0ec0
[ 32.441732][ T1099] R13: ffff88886e564c00 R14: 000000000000007f R15: ffff88886e564f00
[ 32.449533][ T1099] FS: 00007f0b2ec5e740(0000) GS:ffff888841580000(0000) knlGS:0000000000000000
[ 32.458273][ T1099] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 32.464683][ T1099] CR2: fffffffffffffff2 CR3: 000000086dbe0006 CR4: 00000000003706e0
[ 32.472474][ T1099] DR0: 00007f0b2cd44000 DR1: 00007f0b2cdb6000 DR2: 00007f0b2cdbb000
[ 32.480256][ T1099] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[ 32.488037][ T1099] Kernel panic - not syncing: Fatal exception
[ 32.493954][ T1099] Kernel Offset: disabled



To reproduce:

git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp install job.yaml # job file is attached in this email
bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
bin/lkp run generated-yaml-file



---
0DAY/LKP+ Test Infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/[email protected] Intel Corporation

Thanks,
Oliver Sang


Attachments:
(No filename) (7.35 kB)
config-5.14.0-rc7-01825-ge1ce6a3427fa (178.34 kB)
job-script (5.14 kB)
dmesg.xz (21.72 kB)
job.yaml (3.97 kB)