From: Ingo Molnar <mingo@elte.hu>
To: "Paweł Sikora" <pluto@agmk.net>
Cc: linux kernel mailing list <linux-kernel@vger.kernel.org>,
	Rusty Russell <rusty@rustcorp.com.au>,
	netfilter-devel@lists.netfilter.org
Subject: Re: [2.6.14-rt1] slowdown / oops.
Date: Wed, 2 Nov 2005 15:00:25 +0100
Message-ID: <20051102140025.GA17385@elte.hu>
In-Reply-To: <20051102135516.GA16175@elte.hu>


* Ingo Molnar <mingo@elte.hu> wrote:

> ah, managed to reproduce a crash in the NAT code with your .config 
> (see below). This indeed seems to be some sort of use-after-free bug: 
> 0x6b6b6b6b6b is SLAB_DEBUG's POISON_FREE - use-after-free poison byte.  
> This bug is either caused by and unique to -rt, or possibly present 
> upstream too.

with DEBUG_PAGEALLOC the crash happens almost instantly - it possibly 
catches the bad area very quickly. But there doesn't seem to be any trace 
in the stackdump about what method created the corrupt data-structure, 
what we see is a plain RX interrupt trying to look up existing 
connections and crashing on it.

	Ingo

XT3-fs: mounted filesystem with ordered data mode.
VFS: Mounted root (ext3 filesystem) readonly.
*****************************************************************************
*                                                                           *
*  REMINDER, the following debugging options are turned on in your .config: *
*                                                                           *
*        CONFIG_RT_DEADLOCK_DETECT                                          *
*        CONFIG_DEBUG_PREEMPT                                               *
*        CONFIG_DEBUG_SLAB                                                  *
*        CONFIG_DEBUG_PAGEALLOC                                             *
*                                                                           *
*  they may increase runtime overhead and latencies.                        *
*                                                                           *
*****************************************************************************
Freeing unused kernel memory: 200k freed
BUG: Unable to handle kernel paging request at virtual address f1267fe0
 printing eip:
c03a87a4
*pde = 005cc067
*pte = 31267000
Oops: 0000 [#1]
PREEMPT DEBUG_PAGEALLOC
Modules linked in:
CPU:    0
EIP:    0060:[<c03a87a4>]    Not tainted VLI
EFLAGS: 00010282   (2.6.14-rt4) 
EIP is at __ip_conntrack_find+0x24/0x110
eax: 00001324   ebx: f1267fe0   ecx: fb5c8c00   edx: f6f59920
esi: f7c55e28   edi: 00009920   ebp: f7c55df4   esp: f7c55de4
ds: 007b   es: 007b   ss: 0068   preempt: 00000001
Process softirq-net-rx/ (pid: 5, threadinfo=f7c54000 task=f7c538f0 stack_left=7600 worst_left=-1)
Stack: 00000000 00000000 f7c55e28 f7c55ecc f7c55e04 c03a88b4 f131ef64 c03ab0d0 
       f7c55e48 c03a9444 f7c55e28 c0498020 f881d040 00000000 00000000 c0498020 
       f7c55ecc 0101000a c0591600 0701000a 000612c6 00000000 c04975e8 f7c55e8c 
Call Trace:
 [<c0103cd7>] show_stack+0x97/0xd0 (32)
 [<c0103ec2>] show_registers+0x192/0x250 (68)
 [<c010410b>] die+0xeb/0x1a0 (56)
 [<c03f2236>] do_page_fault+0x176/0x57c (72)
 [<c0103943>] error_code+0x4f/0x54 (76)
 [<c03a88b4>] ip_conntrack_find_get+0x24/0x60 (16)
 [<c03a9444>] ip_conntrack_in+0xc4/0x370 (68)
 [<c03c4939>] nf_iterate+0x59/0x90 (36)
 [<c03c49c2>] nf_hook_slow+0x52/0x100 (48)
 [<c03741a2>] ip_rcv+0x182/0x4f0 (64)
 [<c035f95d>] netif_receive_skb+0x15d/0x1e0 (52)
 [<c02f2d97>] rtl8139_rx+0x1b7/0x340 (80)
 [<c02f3108>] rtl8139_poll+0x58/0x110 (40)
 [<c035fb32>] net_rx_action+0x72/0x140 (24)
 [<c011ee09>] ksoftirqd+0xb9/0x140 (40)
 [<c012d7d4>] kthread+0x94/0xa0 (28)
 [<c01010e9>] kernel_thread_helper+0x5/0xc (138059804)
---------------------------
| preempt count: 00000001 ]
| 1-level deep critical section nesting:
----------------------------------------
.. [<c013af6f>] .... add_preempt_count+0xf/0x20
.....[<c0104058>] ..   ( <= die+0x38/0x1a0)

------------------------------
| showing all locks held by: |  (softirq-net-rx//5 [f7c538f0,  98]):
------------------------------

#001:             [f7b50be4] {&tp->rx_lock}
... acquired at:               rtl8139_poll+0x39/0x110

#002:             [c0497bc0] {ip_conntrack_lock}
... acquired at:               ip_conntrack_find_get+0x1b/0x60

Code: 8d b4 26 00 00 00 00 55 89 e5 57 56 89 c6 53 83 ec 04 89 55 f0 e8 1d fa ff ff 8d 3c c5 00 00 00 00 89 fa 03 15 80 2a 59 c0 8b 1a <8b> 03 0f 18 00 90 39 da 75 47 e9 c4 00 00 00 b8 01 00 00 00 e8 
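
An added triage sketch, not part of the original message or of any kernel tooling: it reads the fields of the oops above and separates the two signatures discussed in this thread, a pointer built from slab poison (SLAB_DEBUG) versus a read of a page that was unmapped when freed (DEBUG_PAGEALLOC). The function names, the 3-of-4-bytes poison heuristic and the 0xC0000000 PAGE_OFFSET are assumptions.

```python
import re

# Slab debug fill bytes; a pointer made of these came from poisoned memory.
POISON = {0x6B: "POISON_FREE", 0x5A: "POISON_INUSE", 0xA5: "POISON_END"}
PAGE_OFFSET = 0xC0000000  # assumption: default i386 3G/1G split, non-PAE

# Fields copied from the oops in this message.
OOPS = """\
BUG: Unable to handle kernel paging request at virtual address f1267fe0
*pde = 005cc067
*pte = 31267000
Oops: 0000 [#1]
eax: 00001324   ebx: f1267fe0   ecx: fb5c8c00   edx: f6f59920
esi: f7c55e28   edi: 00009920   ebp: f7c55df4   esp: f7c55de4
"""

def poison_name(value):
    """Heuristic: 3 of 4 bytes match, so poison plus a small offset still hits."""
    data = value.to_bytes(4, "little")
    for byte, name in POISON.items():
        if data.count(byte) >= 3:
            return name
    return None

def hexfield(pattern, text):
    m = re.search(pattern, text)
    return int(m.group(1), 16) if m else None

def triage(oops):
    addr = hexfield(r"virtual address ([0-9a-f]{8})", oops)
    pte = hexfield(r"\*pte = ([0-9a-f]{8})", oops)  # absent if the pde is empty
    err = hexfield(r"Oops: ([0-9a-f]{4})", oops) or 0
    regs = {n: int(v, 16)
            for n, v in re.findall(r"\b(e[a-z]{2}):\s*([0-9a-f]{8})", oops)}
    poisoned = {n: poison_name(v) for n, v in regs.items() if poison_name(v)}
    report = {
        "verdict": "unclassified",
        "access": "write" if err & 2 else "read",    # x86 error code bit 1
        "mode": "user" if err & 4 else "kernel",     # x86 error code bit 2
        "regs_holding_fault_addr": sorted(n for n, v in regs.items() if v == addr),
        "poisoned_regs": poisoned,
    }
    # Present bit clear in both the PTE and the error code, while the PTE still
    # names the page's own lowmem frame: the page was unmapped, not corrupted.
    unmapped = (pte is not None and not pte & 1 and not err & 1
                and pte >> 12 == (addr - PAGE_OFFSET) >> 12)
    if unmapped:
        report["verdict"] = "unmapped lowmem page (consistent with DEBUG_PAGEALLOC free)"
    elif poison_name(addr) or poisoned:
        report["verdict"] = "slab poison in pointer (SLAB_DEBUG use-after-free signature)"
    return report
```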
