From: george anzinger <george@mvista.com>
To: Andi Kleen <ak@muc.de>
Cc: netdev@oss.sgi.com, linux-net@vger.kernel.org, davem@redhat.com,
kuznet@ms2.inr.ac.ru, pekkas@netcore.fi
Subject: Re: System crash in tcp_fragment()
Date: Mon, 20 May 2002 14:18:34 -0700 [thread overview]
Message-ID: <3CE9682A.2CC13644@mvista.com> (raw)
In-Reply-To: 20020520222937.A1467@averell
Andi Kleen wrote:
>
> > Incase you can not see this, it appears that the addresses
> > of each skb are alright, so the assumption is that the skb
> > passed to tcp_fragment() has been unlinked while
> > tcp_fragment() was doing its thing. This implies a need for
> > locking at some higher level and we don't know enough about
> > the tcp code to divine where this might best be done.
>
> 2.4 TCP should in theory already have enough locking to prevent this
> (the socket lock that is aquired by timers and user context socket users)
>
> -Andi
Here is another oops, not quite the same, AND with an assert
failure ahead of it. I append the whole report and some and
some observations:
We had two more panics over the weekend.
Here is the analysis from one of them.
---------comments from Dave Howell--------------
Looking at the sysint4l dump, some observations:
- Panic was due to an Oops (Null pointer dereference kernel
incident)
- Full system configuration is in kernel startup logs
(memory, disks, chipsets,
etc)
- Last part of kernel log has oops info, follows kernel
assertion failed
warning:
<4>KERNRL: assertion (atomic_read(&sk->wmem_alloc) == 0)
failed at af_inet.c <==============
(174):inet_sock_destruct
<1>Unable to handle kernel NULL pointer dereference at
virtual address 00000049
<4> printing eip:
<4>c0255196
<1>*pde = 00000000
<4>Oops: 0000
<4>CPU: 1
<4>EIP: 0010:[<c0255196>] Not tainted
<4>EFLAGS: 00010213
<4>eax: c6ace4c8 ebx: 00000000 ecx: 00000004 edx:
00000000
<4>esi: c6ace538 edi: c6ace460 ebp: 00000026 esp:
c1219eb4
<4>ds: 0018 es: 0018 ss: 0018
<4>Process swapper (pid: 0, stackpage=c1219000)
<4>Stack: c6ace460 c6ace538 c6ace460 004ec3ef c025de3e
c6ace460 00000000
c72011a0
<4> c1218050 004ec2d2 c02395b2 c6ace460 c6ace538
c1218000 004ec3ef
c025e056
<4> c6ace460 c1218000 00000046 004ebfe7 00000000
c1218000 00cf70a0
c0128eaa
<4>Call Trace: [<c025de3e>] [<c02395b2>] [<c025e056>]
[<c0128eaa>] [<c025df70>]
<4> [<c0128fad>] [<c012483b>] [<c0109704>] [<c0105490>]
[<c0105490>]
[<c0105490>]
<4> [<c01054bc>] [<c0105542>] [<c011d51b>] [<c011d8ad>]
<4>
<4>Code: 0f b6 4b 49 45 f6 c1 82 74 0c 31 d2 89 96 78 01 00
00 0f b6
- Finally at the bottom of the trace the active backtrace, a
bit suspect
because it's on the interrupt
side (not trace but process it's attributed to).
===========================
STACK TRACE OF FAILING TASK
===========================
================================================================
STACK TRACE FOR TASK: 0xc1218000 (swapper)
0 tcp_enter_loss+198 [0xc0255196]
1 tcp_retransmit_timer+473 [0xc025de39]
2 tcp_write_timer+225 [0xc025e051]
3 timer_bh+710 [0xc0128ea6]
4 timer_softirq+40 [0xc0128fa8]
5 do_softirq+185 [0xc0124839]
6 do_IRQ+511 [0xc01096ff]
7 do_IRQ+511 [0xc01096ff]
TRACE ERROR 0x1
================================================================
- In comparison with previous dump looks like the same
upstream event occured,
with a timer bottom half running and invoking the
tcp_retransmit_timer. Last
one caught it oopsing in the tcp_fragment code, this is a
bit different but the
upstream path there is the same.
- Same pile of unknown symbol references bringing up dump
manually in lcrash,
must be corrupt or wrong system.0 or kerntypes.0. Needs a
look.
- Dumped tcp_enter_loss+0 to tcp_enter_loss+200 to see site
at
tcp_enter_loss+198.
Code at this site is:
movzbl 0x49(%ebx),%ecx
%ebx is NULL at this point (see above), hence the oops at
00000049.
Code for function is in net/ipv4/tcp_input.c starting at
line 987.
- The failure is in the loop starting at line 1002:
for_retrans_queue(skb, sk, tp) {
cnt++;
if (TCP_SKB_CB(skb)->sacked&TCPCB_RETRANS)
tp->undo_marker = 0;
TCP_SKB_CB(skb)->sacked &=
(~TCPCB_TAGBITS)|TCPCB_SACKED_ACKED;
if
(!(TCP_SKB_CB(skb)->sacked&TCPCB_SACKED_ACKED) || how) {
TCP_SKB_CB(skb)->sacked &=
~TCPCB_SACKED_ACKED;
TCP_SKB_CB(skb)->sacked |=
TCPCB_LOST;
tp->lost_out++;
} else {
tp->sacked_out++;
tp->fackets_out = cnt;
}
}
I didn't fully map the code but think that the expansion of:
if (TCP_SKB_CB(skb)->sacked&TCPCB_RETRANS)
is where the zeroed pointer is used. Looks like the intent
is that skp is the
iterater variable to loop through the retrans_queue and it
got the zero value
set on some iteration, not the first. So my guess is a
corrupted queue element
pointer being picked up and used.
- I still would look upstream at the timer bottom half
invocation as in both
of the dumps this upstream trace is present, and it seems
like an exception
path for a timeout that leads to a retransmit.
- Also needs a look is the kernel assertion that failed and
likely led to the
oops, looks a lot like an allocation failed and returned a
NULL value, this
would be my top culprit to pursue.
Code from af_net.c at line 174:
void inet_sock_destruct(struct sock *sk)
{
__skb_queue_purge(&sk->receive_queue);
__skb_queue_purge(&sk->error_queue);
if (sk->type == SOCK_STREAM && sk->state !=
TCP_CLOSE) {
printk("Attempt to release TCP socket in
state %d %p\n",
sk->state,
sk);
return;
}
if (!sk->dead) {
printk("Attempt to release alive inet socket
%p\n", sk);
return;
}
BUG_TRAP(atomic_read(&sk->rmem_alloc) == 0);
BUG_TRAP(atomic_read(&sk->wmem_alloc) == 0); <<--
assert reported
here
BUG_TRAP(sk->wmem_queued == 0);
BUG_TRAP(sk->forward_alloc == 0);
if (sk->protinfo.af_inet.opt)
kfree(sk->protinfo.af_inet.opt);
Continuing on after this likely led to the oops that
killed us.
--
George Anzinger george@mvista.com
High-res-timers:
http://sourceforge.net/projects/high-res-timers/
Real time sched: http://sourceforge.net/projects/rtsched/
Preemption patch:
http://www.kernel.org/pub/linux/kernel/people/rml
next prev parent reply other threads:[~2002-05-20 21:18 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <3CE95190.75C52E2D@mvista.com>
2002-05-20 20:29 ` System crash in tcp_fragment() Andi Kleen
[not found] ` <20020520222937.A1467@averell>
2002-05-20 21:18 ` george anzinger [this message]
2002-05-20 21:25 ` kuznet
2002-05-20 22:08 ` David S. Miller
[not found] ` <200205202125.BAA03545@sex.inr.ac.ru>
2002-05-20 23:01 ` george anzinger
2002-05-20 23:54 ` Andi Kleen
2002-06-09 17:31 ` Network oops george anzinger
[not found] ` <3D0390E2.1B80ADEE@mvista.com>
2002-06-10 4:31 ` David S. Miller
2002-06-10 4:32 ` David S. Miller
[not found] ` <20020609.213150.32126725.davem@redhat.com>
2002-06-10 4:48 ` george anzinger
[not found] ` <3D042F8F.72764243@mvista.com>
2002-06-10 5:06 ` David S. Miller
2002-06-20 17:19 ` george anzinger
[not found] ` <3D120EAE.5A0D365E@mvista.com>
2002-06-21 0:38 ` David S. Miller
[not found] ` <20020620.173805.55219901.davem@redhat.com>
2002-06-21 14:16 ` george anzinger
[not found] ` <3D133538.60B6810C@mvista.com>
2002-06-21 14:17 ` David S. Miller
[not found] ` <20020621.071720.07439917.davem@redhat.com>
2002-06-21 15:12 ` george anzinger
2002-06-22 0:55 ` Andi Kleen
[not found] ` <20020622025551.A1919@averell>
2002-06-28 19:56 ` george anzinger
[not found] ` <20020609.213224.01016187.davem@redhat.com>
2002-06-10 8:11 ` george anzinger
[not found] ` <3D045F15.578E1DA9@mvista.com>
2002-06-10 8:31 ` David S. Miller
[not found] ` <20020610.013110.81671593.davem@redhat.com>
2002-06-10 14:12 ` george anzinger
[not found] <Pine.LNX.4.33.0205201836160.9301-100000@w-nivedita2.des.beaverton.ibm.com>
[not found] ` <3CE9E466.AC2358EE@mvista.com>
2002-05-21 6:00 ` System crash in tcp_fragment() David S. Miller
[not found] ` <20020520.230021.29510217.davem@redhat.com>
[not found] ` <3CE9F679.90ACF597@mvista.com>
2002-05-21 7:22 ` David S. Miller
2002-05-21 12:47 ` kuznet
2002-05-21 15:42 ` george anzinger
2002-05-21 12:54 ` Andi Kleen
2002-05-21 7:25 ` george anzinger
2002-05-21 9:49 ` Andi Kleen
2002-05-21 6:08 ` george anzinger
[not found] <20020520.173416.105610032.davem@redhat.com>
2002-05-21 1:00 ` kuznet
2002-05-21 1:49 ` Nivedita Singhvi
[not found] <3CE9960D.15D41380@mvista.com>
[not found] ` <200205210041.EAA04407@sex.inr.ac.ru>
2002-05-21 0:34 ` David S. Miller
2002-05-21 0:41 ` kuznet
[not found] <20020521015407.A1296@wotan.suse.de>
2002-05-21 0:11 ` kuznet
[not found] ` <3CE99434.20E7479C@mvista.com>
2002-05-21 0:18 ` David S. Miller
2002-05-21 0:39 ` Andi Kleen
2002-05-21 0:20 ` Andi Kleen
2002-05-21 0:26 ` george anzinger
[not found] ` <20020521022007.A6248@wotan.suse.de>
2002-05-21 0:34 ` george anzinger
2002-05-20 19:42 george anzinger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3CE9682A.2CC13644@mvista.com \
--to=george@mvista.com \
--cc=ak@muc.de \
--cc=davem@redhat.com \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-net@vger.kernel.org \
--cc=netdev@oss.sgi.com \
--cc=pekkas@netcore.fi \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.