From: Manfred Spraul <manfred@colorfullife.com>
To: "David S. Miller" <davem@redhat.com>
Cc: netdev@oss.sgi.com, Andrew Morton <akpm@digeo.com>
Subject: Re: oops in tcp_v4_rcv.
Date: Thu, 29 May 2003 03:15:57 +0200
Message-ID: <3ED55F4D.1070306@colorfullife.com>
In-Reply-To: <3ED54DBC.4020203@colorfullife.com>

[netdev added to cc list]

I think I understand now what causes the crash:
The tcp_ehash assumes that the entries are of the type 'struct inet_sock'.
But the actual entry is of the type tcp_tw_bucket. And 'sk->inet.daddr' 
is not shared between both structures.


 << net/ipv4/tcp_ipv4, line 510:
        /* Must check for a TIME_WAIT'er before going to listener hash. */
        for (sk = (head + tcp_ehash_size)->chain; sk; sk = sk->next)
               if (TCP_IPV4_MATCH(sk, acookie, saddr, daddr, ports, dif))
                    goto hit;
<<
preprocessor output:
<<
for (sk = (head + (tcp_hashinfo.__tcp_ehash_size))->chain; sk; sk = sk->next)
      if ((((&((struct inet_sock *)sk)->inet)->daddr == (saddr)) &&
           ((&((struct inet_sock *)sk)->inet)->rcv_saddr == (daddr)) &&
           ((*((__u32 *)&((&((struct inet_sock *)sk)->inet)->dport))) == (ports)) &&
           (!((sk)->bound_dev_if) || ((sk)->bound_dev_if == (dif)))))
                       goto hit;
<<


Manfred Spraul wrote:

> Hi,
>
> I'm looking at crashes that occur during network stress testing with 
> the CONFIG_DEBUG_PAGEALLOC from -mm: Pages that are not in use are 
> immediately unmapped from the linear mapping, and thus reading a stale 
> pointer causes an immediate oops.
>
> I've now analyzed one crash:
> the oops is in __tcp_v4_lookup_established, in the 2nd look [i.e. 
> looking at TIME_WAIT sockets. Easy to identify due to the access to 
> __tcp_ehash_size].
>
> The entry in the hash table is a tcp_tw_bucket, and that structure is 
> only ~88 bytes long. The oops is caused by an access to objp+0x168, 
> which doesn't exist.
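
The layout mismatch described in this message, as an added C example that is not part of the original mail or of the kernel source. The structures, sizes and names (big_sock, small_tw, sk_common, lookup) are hypothetical stand-ins and the port comparison is left out; it computes which fields a shared hash-chain walk may read through a cast, then shows a walk restricted to a common header.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified layouts; not the kernel's real structures. */
struct big_sock {                 /* plays the role of struct inet_sock */
    struct big_sock *next;
    int bound_dev_if;
    char proto_state[0x150];      /* large state ahead of the address fields */
    uint32_t daddr, rcv_saddr;
};
struct small_tw {                 /* plays the role of tcp_tw_bucket */
    struct big_sock *next;
    int bound_dev_if;
    uint32_t daddr, rcv_saddr;
};

/* A field may be read through a (struct big_sock *) cast of a small_tw
 * only if it sits at the same offset in both and ends inside small_tw. */
#define FIELD_SHARED(f) \
    (offsetof(struct big_sock, f) == offsetof(struct small_tw, f) && \
     offsetof(struct big_sock, f) + sizeof(((struct big_sock *)0)->f) \
         <= sizeof(struct small_tw))

int bound_dev_if_shared(void) { return FIELD_SHARED(bound_dev_if); }
int daddr_shared(void)        { return FIELD_SHARED(daddr); }

/* Corrected layout: both types begin with one common header, and the
 * chain walk touches nothing outside it. */
struct sk_common {
    struct sk_common *next;
    int bound_dev_if;
    uint32_t daddr, rcv_saddr;
};
struct big_sock2 { struct sk_common c; char proto_state[0x150]; };
struct small_tw2 { struct sk_common c; int timeout; };
_Static_assert(offsetof(struct big_sock2, c) == 0, "header must be first");
_Static_assert(offsetof(struct small_tw2, c) == 0, "header must be first");

/* Same comparisons as the expanded match in the mail, minus the ports. */
const struct sk_common *lookup(const struct sk_common *chain,
                               uint32_t saddr, uint32_t daddr, int dif)
{
    for (const struct sk_common *sk = chain; sk; sk = sk->next)
        if (sk->daddr == saddr && sk->rcv_saddr == daddr &&
            (!sk->bound_dev_if || sk->bound_dev_if == dif))
            return sk;
    return NULL;
}
```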
