Nasty Oops in 2.6.0-test6 bind/SO_REUSEADDR

Nasty Oops in 2.6.0-test6 bind/SO_REUSEADDR

[Dan Merillat]

[-- Attachment #1: Type: text/plain, Size: 1459 bytes --]


I can't provide a stacktrace because it hardlocks the system, but it's
trivial to reproduce.

Swap back and forth between apache2 and apache a few times, and it
hardlocks at bind.

From what I copied down and backtraced we crash at tcp_v4_get_port +
0x378/390, which is in tcp_ipv4.c:194 (inline tcp_bind_conflict)

                struct inet_opt *inet2 = inet_sk(sk2);
                if (!inet2->rcv_saddr || !inet->rcv_saddr ||
                    inet2->rcv_saddr == inet->rcv_saddr)
                    break;

     468:       0f b6 40 49             movzbl 0x49(%eax),%eax
     46c:       83 e0 20                and    $0x20,%eax
     46f:       84 c0                   test   %al,%al

In fact, I believe the problem to be with SO_REUSEADDR.  It only
manifests if the port has gotten traffic and there's sockets in
TIME_WAIT.

I suppose a trivial test would be to bind to a port, connect to it,
disconnect, close the socket, create a socket with SO_REUSEADDR and
rebind to it.  Pow.

I can't get UML 2.6.0 working so I can't test very well, but it's a
helluva showstopper.

The strace of apache starting up when it crashed:

socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
fcntl64(3, F_DUPFD, 15)                 = 20
close(3)                                = 0
setsockopt(20, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
setsockopt(20, SOL_SOCKET, SO_KEEPALIVE, [1], 4

(oopsed in bind so strace never saw it)

--Dan

[-- Attachment #2: Type: application/pgp-signature, Size: 155 bytes --]

Re: Nasty Oops in 2.6.0-test6 bind/SO_REUSEADDR

[David S. Miller]

I've forwarded your report to netdev@oss.sgi.com, please send
networking bug reports there in the future since that is where
the networking developers live, not here.  Thanks.