On Wed, Oct 25, 2017 at 2:24 PM, Willem de Bruijn <willemdebruijn.ker...@gmail.com> wrote: > On Sat, Oct 21, 2017 at 9:56 PM, Wei Wei <dotwe...@gmail.com> wrote: >> I have uploaded the VM core dump [1]. And I don’t know if these logs are >> helpful in the case of >> failing to get the C reproducer currently. >> >> [1] >> https://github.com/dotweiba/skb_clone_atomic_inc_bug/blob/master/vmcore.gz > > Thanks. So this would be the atomic_inc on shb_shinfo(skb)->dataref, which > matches the __ll_sc_atomic_add in Mark's trace. > > Debugging with crash shows 0xffff800071bb3180 and 0xffff800071bb2c80 > to be valid skbuffs of len 40, no sk, both pointing to the same head. > > That is indeed unaligned: head = 0xffff8000327c80c9 "", end = 256, giving > skb_shared_info at 0xffff8000327c81c9 and &skb_shared_info(skb)->dataref > at 0xffff8000327c81c9 + 36 == 0xffff8000327c81ed
>From skb->dev and netdev_priv, the tun device has flags 0x1002 == IFF_TAP | IFF_NO_PI. This kernel precedes the recent support for IFF_NAPI and IFF_NAPI_FRAGS. The allocation most likely happened in tun_build_skb from current->task_frag. It would be a previous allocation that left alloc_frag->offset unaligned. But perhaps this code needs to perform alignment before setting skb->head. At least on platforms where atomic on dataref must be aligned.
