Description of problem:

The problem is in function bnx2_free_tx_skbs() which is inlined in bnx2_free_skbs(). See the following piece of code:

<snip>
5284         for (j = 0; j < TX_DESC_CNT; ) {
5285                 struct sw_bd *tx_buf = &txr->tx_buf_ring[j];
5286                 struct sk_buff *skb = tx_buf->skb;
5287                 int k, last;
<snip>
5300                 last = skb_shinfo(skb)->nr_frags;
5301                 for (k = 0; k < last; k++) {
5302                         tx_buf = &txr->tx_buf_ring[j + k + 1];
5303                         pci_unmap_page(bp->pdev,
5304                                 pci_unmap_addr(tx_buf, mapping),
5305                                 skb_shinfo(skb)->frags[j].size,
5306                                 PCI_DMA_TODEVICE);
5307                 }
5308                 dev_kfree_skb(skb);
5309                 j += k + 1;
5310         }

The crash happened at line #5305 because 'j' there exceeded the frags[] array limit hitting an invalid memory address.

Unable to handle kernel paging request at ffff8807d53ca852 RIP:
 [<ffffffff88240f6f>] :bnx2:bnx2_free_skbs+0xbc/0x215
RSP: e02b:ffff880001345d20 EFLAGS: 00010286
RAX: ffff8807d7b06f30 RBX: 0000000000000000 RCX: 00000000007d53c9
RDX: ffff8807d53ca830 RSI: 0000000e0dbc98be RDI: 0000000000000000
RBP: ffff880087e739f8 R08: 0000000000e0dbc9 R09: 0000000000800800
R10: ffff880001345c00 R11: 0000000000000001 R12: ffff8807f55c2500
R13: 00000000000000f3 R14: ffff8807f55c26c0 R15: 0000000000000002
FS: 00002ac37c81fc90(0000) GS:ffffffff805ca180(0000) knlGS:0000000000000000
CS: e033 DS: 0000 ES: 0000
Process events/3 (pid: 29, threadinfo ffff880001344000, task ffff880001323080)
Stack: 0000000000000000 ffff8807f55c2500 ffff8807f55c2500 0000000000000001
 0000000000000000 ffff8807f55c2500 ffffffff88246a42 ffffffff88241548
 00000001002478e9 ffffffff80292cf6
Call Trace:
 [<ffffffff88246a42>] :bnx2:bnx2_reset_task+0x0/0x46
 [<ffffffff88241548>] :bnx2:bnx2_reset_nic+0x22/0x1042
 [<ffffffff80292cf6>] process_timeout+0x0/0x5
 [<ffffffff8026e0ab>] do_softirq+0x31/0x98
 [<ffffffff8028ff09>] local_bh_enable_ip+0x48/0x5a
 [<ffffffff8824284c>] :bnx2:bnx2_netif_stop+0xad/0xc8
 [<ffffffff88246a42>] :bnx2:bnx2_reset_task+0x0/0x46
 [<ffffffff8824270f>] :bnx2:bnx2_init_nic+0x1a/0x67
 [<ffffffff88246a6d>] :bnx2:bnx2_reset_task+0x2b/0x46
 [<ffffffff8024f5ff>] run_workqueue+0x94/0xe4

Version-Release number of selected component (if applicable):
2.6.18-164.2.1.el5xen

Additional info:

This patch should fix it:

diff --git a/drivers/net/bnx2.c b/drivers/net/bnx2.c index fa8c5b1..610048f 100644 --- a/drivers/net/bnx2.c +++ b/drivers/net/bnx2.c @@ -5304,7 +5304,7 @@ bnx2_free_tx_skbs(struct bnx2 *bp) tx_buf = &txr->tx_buf_ring[j + k + 1]; pci_unmap_page(bp->pdev, pci_unmap_addr(tx_buf, mapping), - skb_shinfo(skb)->frags[j].size, + skb_shinfo(skb)->frags[k].size, PCI_DMA_TODEVICE); } dev_kfree_skb(skb);
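
Review bot: The context line directly above the changed line, tx_buf = &txr->tx_buf_ring[j + k + 1];, indexes the ring with j + k + 1 and nothing in the visible hunk bounds or wraps that value, so please confirm that an skb whose fragments sit at the end of the ring cannot push the index past the last tx_buf_ring entry, or wrap it explicitly. The frags[j] to frags[k] change itself matches the inner loop counter. The patch also carries no description or Signed-off-by; a short message saying that the ring index was used where the fragment index was meant would help when this is backported.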
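
The index mix-up reported above, as a user-space model added here (not driver code and not part of the original report). It walks a small ring the way the quoted loop does and classifies each frags[] access instead of dereferencing it; model_skb, walk_ring, demo, the ring size, the frags[] capacity and the skip of empty slots in the snipped lines are all assumptions made for illustration.

```c
#include <stdio.h>

#define TX_DESC_CNT 16  /* constructed ring size, not the driver's value */
#define MAX_FRAGS    4  /* constructed frags[] capacity */

struct model_skb { int nr_frags; unsigned frag_size[MAX_FRAGS]; }; /* hypothetical */
struct walk_result { int oob_reads, wrong_size, correct; };

/* use_ring_index = 1 models frags[j] (before the patch),
 * use_ring_index = 0 models frags[k] (after the patch). */
struct walk_result walk_ring(struct model_skb *ring[TX_DESC_CNT], int use_ring_index)
{
    struct walk_result r = {0, 0, 0};
    for (int j = 0; j < TX_DESC_CNT; ) {
        struct model_skb *skb = ring[j];
        int k, last;
        if (skb == NULL) { j++; continue; }  /* assumed: snipped lines skip empty slots */
        last = skb->nr_frags;
        for (k = 0; k < last; k++) {
            int idx = use_ring_index ? j : k;
            if (idx >= MAX_FRAGS)
                r.oob_reads++;      /* past frags[]: the reported paging fault */
            else if (skb->frag_size[idx] != skb->frag_size[k])
                r.wrong_size++;     /* in bounds, but another fragment's size */
            else
                r.correct++;
        }
        j += k + 1;
    }
    return r;
}

/* Constructed input: three skbs with two fragments each, at ring slots 0, 3 and 6. */
struct walk_result demo(int use_ring_index)
{
    static struct model_skb a = {2, {100, 200}}, b = {2, {300, 400}}, c = {2, {500, 600}};
    struct model_skb *ring[TX_DESC_CNT] = {0};
    ring[0] = &a; ring[3] = &b; ring[6] = &c;
    return walk_ring(ring, use_ring_index);
}

int main(void)
{
    struct walk_result b = demo(1), f = demo(0);
    printf("frags[j]: oob=%d wrong=%d ok=%d\n", b.oob_reads, b.wrong_size, b.correct);
    printf("frags[k]: oob=%d wrong=%d ok=%d\n", f.oob_reads, f.wrong_size, f.correct);
    return 0;
}
```

In this model the frags[j] variant reads a wrong but in-bounds size for skbs at low ring positions before it ever leaves the array, so the mistake is not limited to the access that faults.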
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
in kernel-2.6.18-180.el5 You can download this test kernel from http://people.redhat.com/dzickus/el5 Please update the appropriate value in the Verified field (cf_verified) to indicate this fix has been successfully verified. Include a comment with verification details.
~~ Attention Customers and Partners - RHEL 5.5 Beta is now available on RHN ~~ RHEL 5.5 Beta has been released! There should be a fix present in this release that addresses your request. Please test and report back results here, by March 3rd 2010 (2010-03-03) or sooner. Upon successful verification of this request, post your results and update the Verified field in Bugzilla with the appropriate value. If you encounter any issues while testing, please describe them and set this bug into NEED_INFO. If you encounter new defects or have additional patch(es) to request for inclusion, please clone this bug per each request and escalate through your support representative.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2010-0178.html