From: Sander Eikelenboom <linux@eikelenboom.it>
To: Paul Durrant <Paul.Durrant@citrix.com>
Cc: Wei Liu <wei.liu2@citrix.com>, annie li <annie.li@oracle.com>,
Zoltan Kiss <zoltan.kiss@citrix.com>,
"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>,
Ian Campbell <Ian.Campbell@citrix.com>,
linux-kernel <linux-kernel@vger.kernel.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Re: [Xen-devel] Xen-unstable Linux 3.14-rc3 and 3.13 Network troubles "bisected"
Date: Wed, 26 Mar 2014 19:07:52 +0100 [thread overview]
Message-ID: <1959698732.20140326190752@eikelenboom.it> (raw)
In-Reply-To: <9AAE0902D5BC7E449B7C8E4E778ABCD029B350@AMSPEX01CL01.citrite.net>
Wednesday, March 26, 2014, 6:46:06 PM, you wrote:
> Re-send shortened version...
>> -----Original Message-----
>> From: Sander Eikelenboom [mailto:linux@eikelenboom.it]
>> Sent: 26 March 2014 16:54
>> To: Paul Durrant
>> Cc: Wei Liu; annie li; Zoltan Kiss; xen-devel@lists.xen.org; Ian Campbell; linux-
>> kernel; netdev@vger.kernel.org
>> Subject: Re: [Xen-devel] Xen-unstable Linux 3.14-rc3 and 3.13 Network
>> troubles "bisected"
>>
> [snip]
>> >>
>> >> - When processing an SKB we end up in "xenvif_gop_frag_copy" while
>> prod
>> >> == cons ... but we still have bytes and size left ..
>> >> - start_new_rx_buffer() has returned true ..
>> >> - so we end up in get_next_rx_buffer
>> >> - this does a RING_GET_REQUEST and ups cons ..
>> >> - and we end up with a bad grant reference.
>> >>
>> >> Sometimes we are saved by the bell .. since additional slots have become
>> >> free (you see cons become > prod in "get_next_rx_buffer" but shortly
>> after
>> >> that prod is increased ..
>> >> just in time to not cause a overrun).
>> >>
>>
>> > Ah, but hang on... There's a BUG_ON meta_slots_used >
>> max_slots_needed, so if we are overflowing the worst-case calculation then
>> why is that BUG_ON not firing?
>>
>> You mean:
>> sco = (struct skb_cb_overlay *)skb->cb;
>> sco->meta_slots_used = xenvif_gop_skb(skb, &npo);
>> BUG_ON(sco->meta_slots_used > max_slots_needed);
>>
>> in "get_next_rx_buffer" ?
>>
> That code excerpt is from net_rx_action(),isn't it?
Yes
>> I don't know .. at least now it doesn't crash dom0 and therefore not my
>> complete machine and since tcp is recovering from a failed packet :-)
>>
> Well, if the code calculating max_slots_needed were underestimating then the BUG_ON() should fire. If it is not firing in your case then this suggests your problem lies elsewhere, or that meta_slots_used is not equal to the number of ring slots consumed.
It's seem to be the last ..
[ 1157.188908] vif vif-7-0 vif7.0: ?!? xenvif_gop_skb Me here 5 npo->meta_prod:40 old_meta_prod:36 vif->rx.sring->req_prod:2105867 vif->rx.req_cons:2105868 meta->gso_type:1 meta->gso_size:1448 nr_frags:1 req->gref:657 req->id:7 estimated_slots_needed:4 j(data):1 reserved_slots_left:-1 used in funcstart: 0 + 1 .. used_dataloop:1 .. used_fragloop:3
[ 1157.244975] vif vif-7-0 vif7.0: ?!? xenvif_rx_action me here 2 .. vif->rx.sring->req_prod:2105867 vif->rx.req_cons:2105868 sco->meta_slots_used:4 max_upped_gso:1 skb_is_gso(skb):1 max_slots_needed:4 j:6 is_gso:1 nr_frags:1 firstpart:1 secondpart:2 reserved_slots_left:-1
net_rx_action() calculated we would need 4 slots .. and sco->meta_slots_used == 4 when we return so it doesn't trigger you BUG_ON ..
The 4 slots we calculated are:
1 slot for the data part: DIV_ROUND_UP(offset_in_page(skb->data) + skb_headlen(skb), PAGE_SIZE)
2 slots for the single frag in this SKB from: DIV_ROUND_UP(size, PAGE_SIZE)
1 slot since GSO
In the debug code i annotated all cons++, and the code uses 1 slot to process the data from the SKB as expected but uses 3 slots in the frag chopping loop.
And when it reaches the state were cons > prod it is always in "get_next_rx_buffer".
>> But probably because "npo->copy_prod++" seems to be used for the frags ..
>> and it isn't added to npo->meta_prod ?
>>
> meta_slots_used is calculated as the value of meta_prod at return (from xenvif_gop_skb()) minus the value on entry ,
> and if you look back up the code then you can see that meta_prod is incremented every time RING_GET_REQUEST() is evaluated.
> So, we must be consuming a slot without evaluating RING_GET_REQUEST() and I think that's exactly what's happening...
> Right at the bottom of xenvif_gop_frag_copy() req_cons is simply incremented in the case of a GSO. So the BUG_ON() is indeed off by one.
That is probably only done on first iteration / frag ?
Because i don't see my warn there trigger .. but it could be that's because at that moment we still have cons <= prod.
> Paul
next prev parent reply other threads:[~2014-03-26 18:07 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1744594108.20140318162127@eikelenboom.it>
[not found] ` <20140318160412.GB16807@zion.uk.xensource.com>
[not found] ` <1701035622.20140318211402@eikelenboom.it>
[not found] ` <722971844.20140318221859@eikelenboom.it>
[not found] ` <1688396550.20140319001104@eikelenboom.it>
[not found] ` <20140319113532.GD16807@zion.uk.xensource.com>
[not found] ` <246793256.20140319220752@eikelenboom.it>
[not found] ` <20140321164958.GA31766@zion.uk.xensource.com>
[not found] ` <1334202265.20140321182727@eikelenboom.it>
[not found] ` <1056661597.20140322192834@eikelenboom.it>
[not found] ` <20140325151539.GG31766@zion.uk.xensource.com>
[not found] ` <79975567.20140325162942@eikelenboom.it>
2014-03-26 11:11 ` [Xen-devel] Xen-unstable Linux 3.14-rc3 and 3.13 Network troubles "bisected" Sander Eikelenboom
2014-03-26 14:44 ` Paul Durrant
2014-03-26 15:22 ` Sander Eikelenboom
2014-03-26 15:50 ` Paul Durrant
2014-03-26 16:06 ` Sander Eikelenboom
2014-03-26 16:25 ` Paul Durrant
2014-03-26 16:53 ` Sander Eikelenboom
2014-03-26 17:16 ` Paul Durrant
2014-03-26 17:33 ` Sander Eikelenboom
2014-03-26 17:46 ` Paul Durrant
2014-03-26 18:07 ` Sander Eikelenboom [this message]
2014-03-26 18:15 ` Paul Durrant
2014-03-26 18:42 ` Paul Durrant
2014-03-26 20:17 ` Sander Eikelenboom
2014-03-27 9:54 ` Paul Durrant
2014-03-27 10:05 ` Sander Eikelenboom
2014-03-26 17:48 ` Paul Durrant
2014-03-26 19:57 ` Sander Eikelenboom
2014-03-27 9:47 ` Paul Durrant
2014-03-27 10:00 ` Sander Eikelenboom
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1959698732.20140326190752@eikelenboom.it \
--to=linux@eikelenboom.it \
--cc=Ian.Campbell@citrix.com \
--cc=Paul.Durrant@citrix.com \
--cc=annie.li@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xen.org \
--cc=zoltan.kiss@citrix.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).