Wind River Support Network

Fixed

LIN8-5119 : ECMLNH crash on WRL8

Created: Nov 16, 2016    Updated: Dec 9, 2019
Resolved Date: Dec 1, 2016
Found In Version: 8.0
Fix Version: 8.0.0.12
Severity: Severe
Applicable for: Wind River Linux 8
Component/s: Kernel

Description

This is regarding a crash on ecmlnh after upgrade to WRL8. 


The kernel reports the following error message during sendto():

    [ 389.820957] ecmlnh: packet size is too short (35 <= 38)
    [ 390.826560] ecmlnh: packet size is too short (35 <= 38)
    [ 399.832391] ecmlnh: packet size is too short (35 <= 38)
    [ 400.838051] ecmlnh: packet size is too short (35 <= 38)
    [ 409.844003] ecmlnh: packet size is too short (35 <= 38)


When this message appears, sendto() fails and returns -1 with the error message *sendto failed: 22(Invalid argument).*

When the send fails, their system crashes with an abort() call.

They checked the kernel code, and the error is thrown from the following check in *kernel/net/packet/af_packet.c*:

    static bool ll_header_truncated(const struct net_device *dev, int len)
    {
        /* net device doesn't like empty head */
        if (unlikely(len <= dev->hard_header_len)) {
            net_warn_ratelimited("%s: packet size is too short (%d <= %d)\n",
                                 current->comm, len, dev->hard_header_len);
            return true;
        }

        return false;
    }

They printed the size of the packets sent from ECMLNH when loaded on top of WRL7; here are the traces:

    ecmlnh: packet size 35
    ecmlnh: packet size 35
    ecmlnh: packet size 35
    ecmlnh: packet size 35

    ecmlnh: packet size 22
    ecmlnh: packet size 22
    ecmlnh: packet size 22
    ecmlnh: packet size 22
    ecmlnh: packet size 22
    ecmlnh: packet size 22
    ecmlnh: packet size 22
    ecmlnh: packet size 22
    ecmlnh: packet size 22
    ecmlnh: packet size 22
    ecmlnh: packet size 22


The above traces clearly show that we are *sending less than 38* sized packets in WRL7, and since there is no check on the kernel side, the sendto() call does not fail.

Workaround

The attached patches:
1. 0001-net-validate-variable-length-ll-headers.patch
2. 0002-packet-validate-variable-length-ll-headers.patch

Steps to Reproduce

    #0 0x00003fff86462b24 in ?? ()
    #1 0x00003fff8649659c in dumphooks_run (signo=<optimized out>) at /usr/src/debug/crl-errman/0.6.13-r0/git/eri/eri_ng.c:422
    #2 <signal handler called>
    #3 0x00003fff860bc898 in ?? () from /home/xxxxxxx/epb/epb_epb2_v1.3_spi_bug/sdk_install/sysroots/ppc64e6500-wrs-linux/usr/lib64/libxml2.so.2
    #4 0x00003fff860c1fd0 in ?? () from /home/xxxxxxx/epb/epb_epb2_v1.3_spi_bug/sdk_install/sysroots/ppc64e6500-wrs-linux/usr/lib64/libxml2.so.2
    #5 0x000000001011865c in ecmt_transmit (ecmt_r=<optimized out>, conn_ref=0x3ffdc4002b30, buff=<optimized out>) at ulh_ecmt.c:782
    #6 0x0000000010124d60 in ulh_trans_transmit (cid=<optimized out>, buff=<optimized out>) at ulh_transport.c:437
    #7 0x0000000010114c1c in ecm_tx_connect (co=co@entry=0x3ffdb0032a90, type=type@entry=2 '\002') at ulh_ecm.c:464
    #8 0x0000000010115320 in ecm_connect (co=0x3ffdb0032a90) at ulh_ecm.c:1193
    #9 0x0000000010115470 in ecm_dc_connect (handle=<optimized out>, prio=<optimized out>) at ulh_ecm.c:1397
    #10 0x0000000010122e98 in handle_createlink (msg=0x3ffdc4002bd0, lnh=<optimized out>) at ulh_lnh.c:1037
    #11 handle_localmsg (msg_p=0x3ffea59564e0, lnh=<optimized out>) at ulh_lnh.c:1494
    #12 lnh_thread (param=0x3ffdc40025a0) at ulh_lnh.c:1617
    #13 0x00003fff86454b10 in ?? ()
    #14 0x00003fff8618acac in xmlXPathRegisterFunc__internal_alias (f=@0x3fff8628a790: 0x3fff86181c48 <xmlXPathRoundFunction__internal_alias>, name=0x3fff86235f20 "en", ctxt=0x3ffea5956590) at /usr/src/debug/libxml2/2.9.2-r0/libxml2-2.9.2/xpath.c:4847
    #15 xmlXPathRegisterAllFunctions__internal_alias (ctxt=0x3ffea5956590) at /usr/src/debug/libxml2/2.9.2-r0/libxml2-2.9.2/xpath.c:15349
    #16 0x0000000000000000 in ?? ()

From the code base I could see that sendto() on a socket is failing and resulting in abort():

    static int ecmt_transmit(void *ecmt_r, void *conn_ref,
                             struct ulh_tbuff *buff)
    {
        /* ... */
        if (sendto(co->dev->txfd, txbuff, txsize,
                   0, (struct sockaddr *)&sa, sizeof(sa)) == -1) {
            ULH_TRACE_ERROR("sendto failed: %d(%s) len: %d",
                            errno, strerror(errno), txsize);
            if (ioctl(co->dev->txfd, SIOCOUTQ, &send_size) < 0) {
                ULH_TRACE_ERROR("ioctl failed: %d(%s)",
                                errno, strerror(errno));
            } else {
                ULH_TRACE_ERROR("Transmit socket current "
                                "unsent data: %u", send_size);
            }
            abort(); /* <<----- Crashing here */
        }
        ulh_tbuff_free(buff);
        return 0;
    }

Traces corresponding to the above code:

    [1970-01-01 03:26:10.318823636] (+0.014447667) oamhost com_ericsson_ulh_ecm:ulh_error: { cpu_id = 21 }, { file = "ulh_ecmt.c", line = 772, err_msg = "sendto failed: 22(Invalid argument) len: 35" }
    [1970-01-01 03:26:10.318924489] (+0.000100853) oamhost com_ericsson_ulh_ecm:ulh_error: { cpu_id = 21 }, { file = "ulh_ecmt.c", line = 780, err_msg = "Transmit socket current unsent data: 0" }

Also in the dmesg we have the below trace:

    [ 171.338244] ecmlnh: packet size is too short (35 <= 38)

New PMDs are in the below path:
*/home/ebhhdea/wr8/wr8*
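
The failure mode above is a kernel-side length check turning into a process abort. As an added illustration (not code from this report, from Wind River or from ECMLNH), the sketch below shows a transmit path that treats an EINVAL from the send call as a dropped frame instead of a fatal error. The names tx_frame, classify_tx_errno and model_sendto, and the errno policy itself, are assumptions; model_sendto is a constructed stand-in for the packet socket so the example runs without a network device.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#define MODEL_HARD_HEADER_LEN 38 /* from the dmesg line: (35 <= 38) */
enum tx_result { TX_SENT, TX_DROPPED, TX_RETRY, TX_FATAL };
typedef ssize_t (*send_fn)(int fd, const void *buf, size_t len);

/* Constructed stand-in for sendto(): same test as ll_header_truncated(). */
static ssize_t model_sendto(int fd, const void *buf, size_t len)
{
    (void)fd; (void)buf;
    if (len > MODEL_HARD_HEADER_LEN)
        return (ssize_t)len;
    errno = EINVAL; /* what the traces above report for len 35 */
    return -1;
}

/* Assumed policy: map errno to an action instead of calling abort(). */
static enum tx_result classify_tx_errno(int err)
{
    switch (err) {
    case EINVAL: case EMSGSIZE:            /* this frame was rejected */
        return TX_DROPPED;
    case EINTR: case EAGAIN: case ENOBUFS: /* transient condition */
        return TX_RETRY;
    default:                               /* e.g. EBADF: socket unusable */
        return TX_FATAL;
    }
}

/* Send one frame; a rejected frame is counted and dropped, not fatal. */
static enum tx_result tx_frame(send_fn do_send, int fd, const void *buf,
                               size_t len, unsigned *dropped)
{
    if (do_send(fd, buf, len) >= 0)
        return TX_SENT;
    enum tx_result r = classify_tx_errno(errno);
    *dropped += (r == TX_DROPPED);
    return r;
}

int main(void)
{
    unsigned char f[64] = {0};
    unsigned dropped = 0;
    size_t sizes[] = {35, 22, 64}; /* 35 and 22 are the sizes traced above */
    for (size_t i = 0; i < 3; i++)
        tx_frame(model_sendto, -1, f, sizes[i], &dropped);
    printf("dropped %u of 3 frames\n", dropped);
    return 0;
}
```

The drop counter gives operations a signal to alert on when a kernel upgrade starts rejecting frames that were previously accepted.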
