From: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
To: vinayak menon <vinayakm.list@gmail.com>,
linux-kernel@vger.kernel.org, davem@davemloft.net,
getarunks@gmail.com, netdev@vger.kernel.org
Subject: Re: ipv4: crash at leaf_walk_rcu
Date: Wed, 31 Jul 2013 07:13:06 -0700
Message-ID: <20130731141306.GT26694@linux.vnet.ibm.com>
In-Reply-To: <20130731131323.GB31245@order.stressinduktion.org>

On Wed, Jul 31, 2013 at 03:13:23PM +0200, Hannes Frederic Sowa wrote:
> On Wed, Jul 31, 2013 at 05:55:13AM -0700, Paul E. McKenney wrote:
> > On Wed, Jul 31, 2013 at 04:40:47PM +0530, vinayak menon wrote:
> > > Hi,
> > >
> > > A crash was seen on 3.4.5 kernel during some random wlan operations.
> > >
> > > CPU: Single core ARM Cortex A9.
> > >
> > > fib_route_seq_next was called with second argument (void *v) as 0xd6e3e360
> > > which is a "freed" object of the "ip_fib_trie" cache. I confirmed that the
> > > object was freed with crash utility.
> > >
> > > Sequence: fib_route_seq_next->trie_nextleaf->leaf_walk_rcu
> > >
> > > As "v" was a freed object, inside trie_nextleaf(), node_parent_rcu()
> > > returned an invalid tnode. But as I had enabled slab poisoning and the
> > > object was already freed, the tnode was 0x6b6b6b6b. And this was passed to
> > > leaf_walk_rcu and resulted in the crash.
> > >
> > > fib_route_seq_start, takes rcu_read_lock(), but free_leaf
> > > calls call_rcu_bh. Can this be the problem ?
> > > Should rcu_read_lock() in fib_route_seq_start be changed to rcu_read_lock_bh()
> > > ?
> >
> > One way or the other, the RCU read-side primitives need to match the RCU
> > update-side primitives. Adding netdev...
>
> Already fixed by:
>
> commit 0c03eca3d995e73d691edea8c787e25929ec156d
> Author: Eric Dumazet <edumazet@google.com>
> Date: Tue Aug 7 00:47:11 2012 +0000
>
> net: fib: fix incorrect call_rcu_bh()
>
> After IP route cache removal, I believe rcu_bh() has very little use and
> we should remove this RCU variant, since it adds some cycles in fast
> path.
>
> Anyway, the call_rcu_bh() use in fib_true is obviously wrong, since
> some users only assert rcu_read_lock().

Even better! ;-)

Thanx, Paul
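
A toy user-space model of the read-side/update-side mismatch discussed in this thread, added here as an illustration and not taken from the thread or from the kernel: each flavour tracks only its own readers, so a reader under one flavour does not hold off a grace period of the other. All names (FL_RCU, FL_RCU_BH, walk_during_free and the rest) are hypothetical, and a free is modelled as slab-style poisoning.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy user-space model, not kernel code: every name here is hypothetical. */
enum flavour { FL_RCU, FL_RCU_BH, NFLAVOURS };
#define POISON 0x6b                 /* slab poison byte from the report */
struct leaf { uint32_t parent; };
static int readers[NFLAVOURS];            /* active readers per flavour */
static struct leaf *pending[NFLAVOURS];   /* one deferred free per flavour */

static void read_lock(enum flavour f)   { readers[f]++; }
static void read_unlock(enum flavour f) { readers[f]--; }

/* Stands in for call_rcu()/call_rcu_bh(): queue l on flavour f. */
static void defer_free(enum flavour f, struct leaf *l) { pending[f] = l; }

/* A grace period of flavour f waits only for readers of flavour f.
 * "Freeing" is modelled by poisoning so the stale read stays inspectable. */
static int grace_period(enum flavour f)
{
    if (readers[f] > 0 || !pending[f])
        return 0;
    memset(pending[f], POISON, sizeof(*pending[f]));
    pending[f] = NULL;
    return 1;
}

/* Returns the parent value a reader sees when the updater tries to
 * reclaim the leaf while the reader is still inside its critical section. */
static uint32_t walk_during_free(enum flavour read_f, enum flavour free_f)
{
    struct leaf l = { .parent = 0x1000 };  /* constructed valid value */
    uint32_t seen;
    read_lock(read_f);        /* reader side, as in fib_route_seq_start() */
    defer_free(free_f, &l);   /* updater side, as in free_leaf() */
    grace_period(free_f);     /* reclaim attempt with the reader active */
    seen = l.parent;          /* what node_parent_rcu() would load */
    read_unlock(read_f);
    grace_period(free_f);     /* reader gone: deferred free can now run */
    return seen;
}

int main(void)
{
    printf("mismatched: 0x%x\n", (unsigned)walk_during_free(FL_RCU, FL_RCU_BH));
    printf("matched:    0x%x\n", (unsigned)walk_during_free(FL_RCU, FL_RCU));
    return 0;
}
```

With the flavours mismatched the reader loads the poison pattern from the report; with them matched the reclaim is held off until the reader leaves.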