From: Jun Chen <jun.d.chen@intel.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: ycheng@google.com, ncardwell@google.com, edumazet@google.com,
netdev@vger.kernel.org,
Linux Kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] tcp: Modify the condition for the first skb to collapse
Date: Mon, 17 Jun 2013 13:29:50 -0400 [thread overview]
Message-ID: <1371490190.28418.6.camel@chenjun-workstation> (raw)
In-Reply-To: <1371456935.3252.177.camel@edumazet-glaptop>
On Mon, 2013-06-17 at 01:15 -0700, Eric Dumazet wrote:
> On Mon, 2013-06-17 at 10:18 -0400, Jun Chen wrote:
> > When search the first skb to collapse,the condition of overlap to the next one have been
> > reached,but the start is less than TCP_SKB_CB(skb)->seq at this time, then followed process
> > will trigger the BUG_ON of the offset(start - TCP_SKB_CB(skb)->seq).
> > So this patch add one check (! before(start,TCP_SKB_CB(skb)->seq)) to avoid this ipanic.
> >
> > Signed-off-by: Chen Jun <jun.d.chen@intel.com>
> > ---
> > net/ipv4/tcp_input.c | 3 ++-
> > 1 files changed, 2 insertions(+), 1 deletions(-)
> >
> > diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
> > index 9c62257..4c745c5 100644
> > --- a/net/ipv4/tcp_input.c
> > +++ b/net/ipv4/tcp_input.c
> > @@ -4465,7 +4465,8 @@ restart:
> > * overlaps to the next one.
> > */
> > if (!tcp_hdr(skb)->syn && !tcp_hdr(skb)->fin &&
> > - (tcp_win_from_space(skb->truesize) > skb->len ||
> > + ((tcp_win_from_space(skb->truesize) > skb->len &&
> > + !before(start, TCP_SKB_CB(skb)->seq)) ||
> > before(TCP_SKB_CB(skb)->seq, start))) {
> > end_of_skbs = false;
> > break;
>
> Hmm... I must say I do not understand this patch.
>
> If we find a skb with before(TCP_SKB_CB(skb)->seq, start), then the
> final condition will be true.
>
> Let's rewrite your code to equivalent one :
>
> if (!tcp_hdr(skb)->syn && !tcp_hdr(skb)->fin &&
> (before(TCP_SKB_CB(skb)->seq, start) ||
> tcp_win_from_space(skb->truesize) > skb->len)) {
>
> So it seems your patch would not solve the problem for all
> possible skbs (aka not bloated) ?
>
> Please tell us how you trigger this bug, and send the stack trace.
>
> Thanks
>
>
hi,
When the condition of tcp_win_from_space(skb->truesize) > skb->len is
true but the before(start, TCP_SKB_CB(skb)->seq) is also true, the final
condition will be true. The follow line:
int offset = start - TCP_SKB_CB(skb)->seq;
BUG_ON(offset < 0);
this BUG_ON will be triggered.
Follow line is my error logs:
<2>[ 7736.344508] kernel BUG
at /data/buildbot/workdir/jb/kernel/net/ipv4/tcp_input.c:4845!
<4>[ 7736.344578] invalid opcode: 0000 [#1] PREEMPT SMP
<4>[ 7736.344883] Modules linked in: atomisp lm3559 ov9724 imx1x5
bcm4335(O) cfg80211 bcm_bt_lpm videobuf_vmalloc videobuf_core matrix(C)
<4>[ 7736.345681]
<4>[ 7736.345748] Pid: 5189, comm: TimedEventQueue Tainted: G WC
O 3.4.43-186445-g3ada675 #1 Intel Corporation Merrifield/SALT BAY
<4>[ 7736.346059] EIP: 0060:[<c18ad61d>] EFLAGS: 00010297 CPU: 1
<4>[ 7736.346183] EIP is at tcp_collapse+0x3bd/0x3d0
<4>[ 7736.346250] EAX: ab57d2bb EBX: df428c00 ECX: c97dcd00 EDX:
000010c0
<4>[ 7736.346372] ESI: df4289c0 EDI: fffffadb EBP: edca1d88 ESP:
edca1d60
<4>[ 7736.346441] DS: 007b ES: 007b FS: 00d8 GS: 003b SS: 0068
<4>[ 7736.346560] CR0: 8005003b CR2: 41d310bc CR3: 2d300000 CR4:
001007d0
<4>[ 7736.346629] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3:
00000000
<4>[ 7736.346749] DR6: ffff0ff0 DR7: 00000400
<0>[ 7736.346816] Process TimedEventQueue (pid: 5189, ti=edca0000
task=dc30b660 task.ti=c9a6e000)
<0>[ 7736.346936] Stack:
<4>[ 7736.347002] ffffffff ffffffff fffffadb c97dcd5c 00000001 c97dcd00
00000e32 c97dcd00
<4>[ 7736.347615] c97dcd00 df428180 edca1db0 c18addd0 00000000 ab57c870
ab57f19f c97dcd00
<4>[ 7736.348175] c97dd198 000080c0 c97dcd00 df428180 edca1df0 c18aea27
00000000 c18dc8f8
<0>[ 7736.348788] Call Trace:
<4>[ 7736.348861] [<c18addd0>] tcp_prune_queue+0x120/0x2f0
<4>[ 7736.348984] [<c18aea27>] tcp_data_queue+0x777/0xf00
<4>[ 7736.349055] [<c18dc8f8>] ? ipt_do_table+0x1f8/0x480
<4>[ 7736.349126] [<c18dc8f8>] ? ipt_do_table+0x1f8/0x480
<4>[ 7736.349196] [<c18b2e84>] tcp_rcv_established+0x114/0x680
<4>[ 7736.349269] [<c18bb034>] tcp_v4_do_rcv+0x164/0x350
next prev parent reply other threads:[~2013-06-17 17:29 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-17 14:18 [PATCH] tcp: Modify the condition for the first skb to collapse Jun Chen
2013-06-17 8:15 ` Eric Dumazet
2013-06-17 17:29 ` Jun Chen [this message]
2013-06-17 10:29 ` Eric Dumazet
2013-06-17 18:52 ` Jun Chen
2013-06-17 13:21 ` Eric Dumazet
2013-06-18 9:52 ` Jun Chen
2013-06-18 5:53 ` Eric Dumazet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1371490190.28418.6.camel@chenjun-workstation \
--to=jun.d.chen@intel.com \
--cc=edumazet@google.com \
--cc=eric.dumazet@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=ncardwell@google.com \
--cc=netdev@vger.kernel.org \
--cc=ycheng@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).