* Re: Kernel crash in 2.6.0-test9-mm3
[not found] <6.0.1.1.2.20031118232152.01ae5728@tornado.reub.net>
@ 2003-11-18 19:01 ` Andrew Morton
2003-11-18 22:22 ` David S. Miller
2003-11-19 0:49 ` David S. Miller
0 siblings, 2 replies; 12+ messages in thread
From: Andrew Morton @ 2003-11-18 19:01 UTC (permalink / raw)
To: Reuben Farrelly; +Cc: netdev
It's one for the networking guys.
The mm kernels have a patch which detects when atomic_dec_and_test
takes an atomic_t negative - it is assumed that this is a bug so
a warning is generated.
Reuben Farrelly <reuben-linux@reub.net> wrote:
>
> Hi Andrew,
>
> Have started to see this problem occur in -test9 and I think, -test8 (but
> not before then). At the moment I'm running -test9-mm3 which has the same
> problem. Kernel is not tainted.
>
> Fortunately when this box died a few mins ago (twice in a row) it was able
> to dump a heap of stuff to syslog, so I got something useful out of the
> crashes. This first one triggered when I started to load the ethernet card
> up with a "debug ip packet detail" from a Cisco router ;-)
>
> Reuben
>
> Crash 1:
>
>
> Nov 18 23:09:00 tornado kernel: Badness in atomic_dec_and_test at
> include/asm/atomic.h:150
> Nov 18 23:09:00 tornado kernel: Call Trace:
> Nov 18 23:09:00 tornado kernel: [<c029203c>] skb_release_data+0x14c/0x160
> Nov 18 23:09:00 tornado kernel: [<c0292063>] kfree_skbmem+0x13/0x30
> Nov 18 23:09:00 tornado kernel: [<c0292138>] __kfree_skb+0xb8/0x1b0
> Nov 18 23:09:00 tornado kernel: [<c0218815>] e100intr+0x1e5/0x290
> Nov 18 23:09:00 tornado kernel: [<c0296e9a>] net_tx_action+0x4a/0xf0
> Nov 18 23:09:00 tornado kernel: [<c01234a5>] do_softirq+0x95/0xa0
> Nov 18 23:09:00 tornado kernel: [<c010cd9b>] do_IRQ+0xfb/0x130
> Nov 18 23:09:00 tornado kernel: [<c0107000>] rest_init+0x0/0x60
> Nov 18 23:09:00 tornado kernel: [<c02f56fc>] common_interrupt+0x18/0x20
> Nov 18 23:09:00 tornado kernel: [<c0107000>] rest_init+0x0/0x60
> Nov 18 23:09:00 tornado kernel: [<e08cd23d>]
> acpi_processor_idle+0xd4/0x1c5 [processor]
> Nov 18 23:09:00 tornado kernel: [<c0107000>] rest_init+0x0/0x60
> Nov 18 23:09:00 tornado kernel: [<c0109044>] cpu_idle+0x34/0x40
> Nov 18 23:09:00 tornado kernel: [<c0398795>] start_kernel+0x185/0x1c0
> Nov 18 23:09:00 tornado kernel: [<c03984b0>] unknown_bootoption+0x0/0x120
> Nov 18 23:09:00 tornado kernel:
> Nov 18 23:09:00 tornado kernel: BUG: dst underflow 0: c02921ef
> Nov 18 23:09:00 tornado kernel: Attempt to release alive inet socket dfd4c780
> Nov 18 23:09:00 tornado kernel: BUG: dst underflow 0: c02921ef
> Nov 18 23:09:00 tornado kernel: Attempt to release alive inet socket dfd4c780
> Nov 18 23:09:01 tornado kernel: BUG: dst underflow 0: c02921ef
> Nov 18 23:09:01 tornado kernel: Badness in atomic_dec_and_test at
> include/asm/atomic.h:150
> Nov 18 23:09:01 tornado kernel: Call Trace:
> Nov 18 23:09:01 tornado kernel: [<c029203c>] skb_release_data+0x14c/0x160
> Nov 18 23:09:01 tornado kernel: [<c0292063>] kfree_skbmem+0x13/0x30
> Nov 18 23:09:01 tornado kernel: [<c0292138>] __kfree_skb+0xb8/0x1b0
> Nov 18 23:09:01 tornado kernel: [<c02921ef>] __kfree_skb+0x16f/0x1b0
> Nov 18 23:09:01 tornado kernel: [<c0218815>] e100intr+0x1e5/0x290
> Nov 18 23:09:01 tornado kernel: [<c0296e9a>] net_tx_action+0x4a/0xf0
> Nov 18 23:09:01 tornado kernel: [<c01234a5>] do_softirq+0x95/0xa0
> Nov 18 23:09:01 tornado kernel: [<c010cd9b>] do_IRQ+0xfb/0x130
> Nov 18 23:09:01 tornado kernel: [<c0107000>] rest_init+0x0/0x60
> Nov 18 23:09:01 tornado kernel: [<c02f56fc>] common_interrupt+0x18/0x20
> Nov 18 23:09:01 tornado kernel: [<c0107000>] rest_init+0x0/0x60
> Nov 18 23:09:01 tornado kernel: [<e08cd21c>]
> acpi_processor_idle+0xb3/0x1c5 [processor]
> Nov 18 23:09:01 tornado kernel: [<c0107000>] rest_init+0x0/0x60
> Nov 18 23:09:01 tornado kernel: [<c0109044>] cpu_idle+0x34/0x40
> Nov 18 23:09:01 tornado kernel: [<c0398795>] start_kernel+0x185/0x1c0
> Nov 18 23:09:01 tornado kernel: [<c03984b0>] unknown_bootoption+0x0/0x120
> Nov 18 23:09:01 tornado kernel:
> Nov 18 23:09:01 tornado kernel: BUG: dst underflow -1: c02921ef
> Nov 18 23:09:01 tornado kernel: Badness in atomic_dec_and_test at
> include/asm/atomic.h:150
> Nov 18 23:09:01 tornado kernel: Call Trace:
> Nov 18 23:09:01 tornado kernel: [<c0291136>] sock_wfree+0x86/0xa0
> Nov 18 23:09:01 tornado kernel: [<c02920fe>] __kfree_skb+0x7e/0x1b0
> Nov 18 23:09:01 tornado kernel: [<c02921ef>] __kfree_skb+0x16f/0x1b0
> Nov 18 23:09:01 tornado kernel: [<c0218815>] e100intr+0x1e5/0x290
> Nov 18 23:09:01 tornado kernel: [<c0296e9a>] net_tx_action+0x4a/0xf0
> Nov 18 23:09:01 tornado kernel: [<c01234a5>] do_softirq+0x95/0xa0
> Nov 18 23:09:01 tornado kernel: [<c010cd9b>] do_IRQ+0xfb/0x130
> Nov 18 23:09:01 tornado kernel: [<c0107000>] rest_init+0x0/0x60
> Nov 18 23:09:01 tornado kernel: [<c02f56fc>] common_interrupt+0x18/0x20
> Nov 18 23:09:01 tornado kernel: [<c0107000>] rest_init+0x0/0x60
> Nov 18 23:09:01 tornado kernel: [<e08cd21c>]
> acpi_processor_idle+0xb3/0x1c5 [processor]
> Nov 18 23:09:01 tornado kernel: [<c0107000>] rest_init+0x0/0x60
> Nov 18 23:09:01 tornado kernel: [<c0109044>] cpu_idle+0x34/0x40
> Nov 18 23:09:01 tornado kernel: [<c0398795>] start_kernel+0x185/0x1c0
> Nov 18 23:09:01 tornado kernel: [<c03984b0>] unknown_bootoption+0x0/0x120
> Nov 18 23:09:01 tornado kernel:
> Nov 18 23:09:02 tornado kernel: Attempt to release alive inet socket dfd4c780
> Nov 18 23:09:02 tornado kernel: Attempt to release alive inet socket dfd4c780
> Nov 18 23:09:02 tornado kernel: BUG: dst underflow 0: c02d5c1b
> Nov 18 23:09:02 tornado kernel: BUG: dst underflow 0: c02921ef
> Nov 18 23:09:02 tornado kernel: Attempt to release alive inet socket dfd4c780
> Nov 18 23:09:02 tornado kernel: BUG: dst underflow -1: c02921ef
> Nov 18 23:09:02 tornado kernel: Badness in atomic_dec_and_test at
> include/asm/atomic.h:150
> Nov 18 23:09:02 tornado kernel: Call Trace:
> Nov 18 23:09:02 tornado kernel: [<c0291136>] sock_wfree+0x86/0xa0
> Nov 18 23:09:02 tornado kernel: [<c02920fe>] __kfree_skb+0x7e/0x1b0
> Nov 18 23:09:02 tornado kernel: [<c02921ef>] __kfree_skb+0x16f/0x1b0
> Nov 18 23:09:02 tornado kernel: [<c0218815>] e100intr+0x1e5/0x290
> Nov 18 23:09:02 tornado kernel: [<c0296e9a>] net_tx_action+0x4a/0xf0
> Nov 18 23:09:02 tornado kernel: [<c01234a5>] do_softirq+0x95/0xa0
> Nov 18 23:09:02 tornado kernel: [<c010cd9b>] do_IRQ+0xfb/0x130
> Nov 18 23:09:02 tornado kernel: [<c02f56fc>] common_interrupt+0x18/0x20
> Nov 18 23:09:02 tornado kernel: [<c02ee87e>] unix_dgram_sendmsg+0x3e/0x700
> Nov 18 23:09:02 tornado kernel: [<c01387bc>] find_get_page+0x2c/0x60
> Nov 18 23:09:02 tornado kernel: [<c028e3d3>] sock_aio_write+0xc3/0xf0
> Nov 18 23:09:02 tornado kernel: [<c0156841>] do_sync_write+0xb1/0xe0
> Nov 18 23:09:02 tornado kernel: [<c01385c5>] unlock_page+0x15/0x60
> Nov 18 23:09:02 tornado kernel: [<c011b670>] schedule+0x350/0x680
> Nov 18 23:09:02 tornado kernel: [<c011d2a0>] autoremove_wake_function+0x0/0x50
> Nov 18 23:09:02 tornado kernel: [<c011b9f0>] default_wake_function+0x0/0x20
> Nov 18 23:09:02 tornado kernel: [<c0127be0>] do_timer+0xe0/0xf0
> Nov 18 23:09:02 tornado kernel: [<c015696f>] vfs_write+0xff/0x130
> Nov 18 23:09:02 tornado kernel: [<c0156a52>] sys_write+0x42/0x70
> Nov 18 23:09:02 tornado kernel: [<c02f4d3a>] sysenter_past_esp+0x43/0x65
> Nov 18 23:09:02 tornado kernel:
> Nov 18 23:09:02 tornado kernel: BUG: dst underflow -2: c02921ef
>
>
> Crash 2:
>
> Nov 18 23:23:56 tornado kernel: Badness in atomic_dec_and_test at
> include/asm/atomic.h:150
> Nov 18 23:23:56 tornado kernel: Call Trace:
> Nov 18 23:23:56 tornado kernel: [<c029203c>] skb_release_data+0x14c/0x160
> Nov 18 23:23:56 tornado kernel: [<c0292063>] kfree_skbmem+0x13/0x30
> Nov 18 23:23:56 tornado kernel: [<c0292138>] __kfree_skb+0xb8/0x1b0
> Nov 18 23:23:56 tornado kernel: [<c0218815>] e100intr+0x1e5/0x290
> Nov 18 23:23:56 tornado kernel: [<c0296e9a>] net_tx_action+0x4a/0xf0
> Nov 18 23:23:56 tornado kernel: [<c01234a5>] do_softirq+0x95/0xa0
> Nov 18 23:23:56 tornado kernel: [<c010cd9b>] do_IRQ+0xfb/0x130
> Nov 18 23:23:56 tornado kernel: [<c0107000>] rest_init+0x0/0x60
> Nov 18 23:23:56 tornado kernel: [<c02f56fc>] common_interrupt+0x18/0x20
> Nov 18 23:23:56 tornado kernel: [<c0107000>] rest_init+0x0/0x60
> Nov 18 23:23:56 tornado kernel: [<e08cd23d>]
> acpi_processor_idle+0xd4/0x1c5 [processor]
> Nov 18 23:23:56 tornado kernel: [<c0107000>] rest_init+0x0/0x60
> Nov 18 23:23:56 tornado kernel: [<c0109044>] cpu_idle+0x34/0x40
> Nov 18 23:23:56 tornado kernel: [<c0398795>] start_kernel+0x185/0x1c0
> Nov 18 23:23:56 tornado kernel: [<c03984b0>] unknown_bootoption+0x0/0x120
> Nov 18 23:23:56 tornado kernel:
> Nov 18 23:23:56 tornado kernel: BUG: dst underflow 0: c02921ef
> Nov 18 23:23:56 tornado kernel: Attempt to release alive inet socket dfd4c780
> Nov 18 23:23:56 tornado kernel: BUG: dst underflow 0: c02921ef
> Nov 18 23:23:56 tornado kernel: Attempt to release alive inet socket dfd4c780
>
^ permalink raw reply [flat|nested] 12+ messages in thread* Re: Kernel crash in 2.6.0-test9-mm3
2003-11-18 19:01 ` Kernel crash in 2.6.0-test9-mm3 Andrew Morton
@ 2003-11-18 22:22 ` David S. Miller
2003-11-19 0:49 ` David S. Miller
1 sibling, 0 replies; 12+ messages in thread
From: David S. Miller @ 2003-11-18 22:22 UTC (permalink / raw)
To: Andrew Morton; +Cc: reuben-linux, netdev
On Tue, 18 Nov 2003 11:01:39 -0800
Andrew Morton <akpm@osdl.org> wrote:
> It's one for the networking guys.
>
> The mm kernels have a patch which detects when atomic_dec_and_test
> takes an atomic_t negative - it is assumed that this is a bug so
> a warning is generated.
It is a bug especially for the backtrace cases shown here, I'll take a
look.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Kernel crash in 2.6.0-test9-mm3
2003-11-18 19:01 ` Kernel crash in 2.6.0-test9-mm3 Andrew Morton
2003-11-18 22:22 ` David S. Miller
@ 2003-11-19 0:49 ` David S. Miller
2003-11-19 1:22 ` Reuben Farrelly
2003-11-19 2:02 ` Andrew Morton
1 sibling, 2 replies; 12+ messages in thread
From: David S. Miller @ 2003-11-19 0:49 UTC (permalink / raw)
To: Andrew Morton; +Cc: reuben-linux, netdev
On Tue, 18 Nov 2003 11:01:39 -0800
Andrew Morton <akpm@osdl.org> wrote:
> It's one for the networking guys.
>
> The mm kernels have a patch which detects when atomic_dec_and_test
> takes an atomic_t negative - it is assumed that this is a bug so
> a warning is generated.
Andrew I've analyzed this a bit. This is incredible evidence in
these dumps that either there is a bug in Linus's atomic_dec_and_test()
debugging hack or GCC is miscompiling it in certain cases with certain
versions of the compiler.
Look at this:
> > Nov 18 23:09:00 tornado kernel: [<c029203c>] skb_release_data+0x14c/0x160
> > Nov 18 23:09:00 tornado kernel: [<c0292063>] kfree_skbmem+0x13/0x30
> > Nov 18 23:09:00 tornado kernel: [<c0292138>] __kfree_skb+0xb8/0x1b0
> > Nov 18 23:09:00 tornado kernel: [<c0218815>] e100intr+0x1e5/0x290
Ok, releasing an SKB data area twice.
> > Nov 18 23:09:00 tornado kernel: BUG: dst underflow 0: c02921ef
Freeing a 'dst' entry one too many times.
> > Nov 18 23:09:00 tornado kernel: Attempt to release alive inet socket dfd4c780
A socket refcount dropping to zero too early, before it's marked dead.
These last two problems are very serious errors, and would have
printed out debugging messages before the atomic_dec_and_test() patch.
If these last two messages don't show up without the
atomic_dec_and_test() debugging patch applied, well there you
go... :-)
In that debugging patch, I'm wondering something about x86.
When one goes "sete %reg; sets %reg" does the first 'sete' modify
the condition codes by chance? Probably not...
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Kernel crash in 2.6.0-test9-mm3
2003-11-19 0:49 ` David S. Miller
@ 2003-11-19 1:22 ` Reuben Farrelly
2003-11-19 2:02 ` Andrew Morton
1 sibling, 0 replies; 12+ messages in thread
From: Reuben Farrelly @ 2003-11-19 1:22 UTC (permalink / raw)
To: David S. Miller, Andrew Morton; +Cc: netdev
FWIW I'm compiling with:
[root@tornado log]# gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/3.3.2/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
--infodir=/usr/share/info --enable-shared --enable-threads=posix
--disable-checking --with-system-zlib --enable-__cxa_atexit
--host=i386-redhat-linux
Thread model: posix
gcc version 3.3.2 20031107 (Red Hat Linux 3.3.2-2)
[root@tornado log]#
Reuben
At 13:49 19/11/2003, David S. Miller wrote:
>On Tue, 18 Nov 2003 11:01:39 -0800
>Andrew Morton <akpm@osdl.org> wrote:
>
> > It's one for the networking guys.
> >
> > The mm kernels have a patch which detects when atomic_dec_and_test
> > takes an atomic_t negative - it is assumed that this is a bug so
> > a warning is generated.
>
>Andrew I've analyzed this a bit. This is incredible evidence in
>these dumps that either there is a bug in Linus's atomic_dec_and_test()
>debugging hack or GCC is miscompiling it in certain cases with certain
>versions of the compiler.
>
>Look at this:
>
> > > Nov 18 23:09:00 tornado kernel: [<c029203c>]
> skb_release_data+0x14c/0x160
> > > Nov 18 23:09:00 tornado kernel: [<c0292063>] kfree_skbmem+0x13/0x30
> > > Nov 18 23:09:00 tornado kernel: [<c0292138>] __kfree_skb+0xb8/0x1b0
> > > Nov 18 23:09:00 tornado kernel: [<c0218815>] e100intr+0x1e5/0x290
>
>Ok, releasing an SKB data area twice.
>
> > > Nov 18 23:09:00 tornado kernel: BUG: dst underflow 0: c02921ef
>
>Freeing a 'dst' entry one too many times.
>
> > > Nov 18 23:09:00 tornado kernel: Attempt to release alive inet socket
> dfd4c780
>
>A socket refcount dropping to zero too early, before it's marked dead.
>
>These last two problems are very serious errors, and would have
>printed out debugging messages before the atomic_dec_and_test() patch.
>If these last two messages don't show up without the
>atomic_dec_and_test() debugging patch applied, well there you
>go... :-)
>
>In that debugging patch, I'm wondering something about x86.
>When one goes "sete %reg; sets %reg" does the first 'sete' modify
>the condition codes by chance? Probably not...
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Kernel crash in 2.6.0-test9-mm3
2003-11-19 0:49 ` David S. Miller
2003-11-19 1:22 ` Reuben Farrelly
@ 2003-11-19 2:02 ` Andrew Morton
1 sibling, 0 replies; 12+ messages in thread
From: Andrew Morton @ 2003-11-19 2:02 UTC (permalink / raw)
To: David S. Miller; +Cc: reuben-linux, netdev
"David S. Miller" <davem@redhat.com> wrote:
>
> On Tue, 18 Nov 2003 11:01:39 -0800
> Andrew Morton <akpm@osdl.org> wrote:
>
> > It's one for the networking guys.
> >
> > The mm kernels have a patch which detects when atomic_dec_and_test
> > takes an atomic_t negative - it is assumed that this is a bug so
> > a warning is generated.
>
> Andrew I've analyzed this a bit. This is incredible evidence in
> these dumps that either there is a bug in Linus's atomic_dec_and_test()
> debugging hack or GCC is miscompiling it in certain cases with certain
> versions of the compiler.
>
> Look at this:
>
> > > Nov 18 23:09:00 tornado kernel: [<c029203c>] skb_release_data+0x14c/0x160
> > > Nov 18 23:09:00 tornado kernel: [<c0292063>] kfree_skbmem+0x13/0x30
> > > Nov 18 23:09:00 tornado kernel: [<c0292138>] __kfree_skb+0xb8/0x1b0
> > > Nov 18 23:09:00 tornado kernel: [<c0218815>] e100intr+0x1e5/0x290
>
> Ok, releasing an SKB data area twice.
>
> > > Nov 18 23:09:00 tornado kernel: BUG: dst underflow 0: c02921ef
>
> Freeing a 'dst' entry one too many times.
>
> > > Nov 18 23:09:00 tornado kernel: Attempt to release alive inet socket dfd4c780
>
> A socket refcount dropping to zero too early, before it's marked dead.
>
> These last two problems are very serious errors, and would have
> printed out debugging messages before the atomic_dec_and_test() patch.
> If these last two messages don't show up without the
> atomic_dec_and_test() debugging patch applied, well there you
> go... :-)
>
> In that debugging patch, I'm wondering something about x86.
> When one goes "sete %reg; sets %reg" does the first 'sete' modify
> the condition codes by chance? Probably not...
Beats me David. This is the only time where the correctness of that patch
has been questioned.
Reuben, can you please do a patch -R of
ftp://ftp.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.0-test9/2.6.0-test9-mm3/broken-out/atomic_dec-debug.patch
and see if the problem goes away?
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Kernel crash in 2.6.0-test9-mm3
@ 2003-11-19 2:22 Krishna Kumar
2003-11-19 2:24 ` David S. Miller
2003-11-19 2:58 ` Reuben Farrelly
0 siblings, 2 replies; 12+ messages in thread
From: Krishna Kumar @ 2003-11-19 2:22 UTC (permalink / raw)
To: Reuben Farrelly; +Cc: Andrew Morton, David S. Miller, netdev
Could this be happening on an SMP system only ? If so, e100intr routine
services tx queues (e100_tx_srv)
without holding a lock. Can't multiple rx interrupts be scheduled on
different cpus at the same time, and
each execute dev_kfree_skb_irq() which decrements the ref count too many
times ? But the softirq handler
(net_tx_action) seems to clean up the skb once as the dec_test returns 1
only if count is zero, so I don't see
where the dst ref is being decremented wrongly in this case.
Can someone explain why the intr handler doesn't need locks to stop other
intr on different cpu's from going
through the same devices memory at the same time ?
Thanks,
- KK
|---------+---------------------------->
| | Reuben Farrelly |
| | <reuben-linux@reu|
| | b.net> |
| | Sent by: |
| | netdev-bounce@oss|
| | .sgi.com |
| | |
| | |
| | 11/18/2003 05:22 |
| | PM |
| | |
|---------+---------------------------->
>-----------------------------------------------------------------------------------------------------------------|
| |
| To: "David S. Miller" <davem@redhat.com>, Andrew Morton <akpm@osdl.org> |
| cc: netdev@oss.sgi.com |
| Subject: Re: Kernel crash in 2.6.0-test9-mm3 |
| |
>-----------------------------------------------------------------------------------------------------------------|
FWIW I'm compiling with:
[root@tornado log]# gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/3.3.2/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
--infodir=/usr/share/info --enable-shared --enable-threads=posix
--disable-checking --with-system-zlib --enable-__cxa_atexit
--host=i386-redhat-linux
Thread model: posix
gcc version 3.3.2 20031107 (Red Hat Linux 3.3.2-2)
[root@tornado log]#
Reuben
At 13:49 19/11/2003, David S. Miller wrote:
>On Tue, 18 Nov 2003 11:01:39 -0800
>Andrew Morton <akpm@osdl.org> wrote:
>
> > It's one for the networking guys.
> >
> > The mm kernels have a patch which detects when atomic_dec_and_test
> > takes an atomic_t negative - it is assumed that this is a bug so
> > a warning is generated.
>
>Andrew I've analyzed this a bit. This is incredible evidence in
>these dumps that either there is a bug in Linus's atomic_dec_and_test()
>debugging hack or GCC is miscompiling it in certain cases with certain
>versions of the compiler.
>
>Look at this:
>
> > > Nov 18 23:09:00 tornado kernel: [<c029203c>]
> skb_release_data+0x14c/0x160
> > > Nov 18 23:09:00 tornado kernel: [<c0292063>] kfree_skbmem+0x13/0x30
> > > Nov 18 23:09:00 tornado kernel: [<c0292138>] __kfree_skb+0xb8/0x1b0
> > > Nov 18 23:09:00 tornado kernel: [<c0218815>] e100intr+0x1e5/0x290
>
>Ok, releasing an SKB data area twice.
>
> > > Nov 18 23:09:00 tornado kernel: BUG: dst underflow 0: c02921ef
>
>Freeing a 'dst' entry one too many times.
>
> > > Nov 18 23:09:00 tornado kernel: Attempt to release alive inet socket
> dfd4c780
>
>A socket refcount dropping to zero too early, before it's marked dead.
>
>These last two problems are very serious errors, and would have
>printed out debugging messages before the atomic_dec_and_test() patch.
>If these last two messages don't show up without the
>atomic_dec_and_test() debugging patch applied, well there you
>go... :-)
>
>In that debugging patch, I'm wondering something about x86.
>When one goes "sete %reg; sets %reg" does the first 'sete' modify
>the condition codes by chance? Probably not...
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Kernel crash in 2.6.0-test9-mm3
2003-11-19 2:22 Krishna Kumar
@ 2003-11-19 2:24 ` David S. Miller
2003-11-19 2:58 ` Reuben Farrelly
1 sibling, 0 replies; 12+ messages in thread
From: David S. Miller @ 2003-11-19 2:24 UTC (permalink / raw)
To: Krishna Kumar, scott.feldman; +Cc: reuben-linux, akpm, netdev
On Tue, 18 Nov 2003 18:22:42 -0800
Krishna Kumar <kumarkr@us.ibm.com> wrote:
> Could this be happening on an SMP system only ? If so, e100intr routine
> services tx queues (e100_tx_srv) without holding a lock.
[ Scott we have a bug report, and we're trying to determine if the
cause is that the e100 driver frees a TX SKB multiple times due
to some race or other problem in current 2.6.x ]
That's a very good point, and I looked a bit in this area.
When e100intr() is doing it's work, it disables and clears
the interrupt, only after doing RX and TX processing does
it reenable chip interrupts via e100_set_intr_mask().
That is my analysis of the situation.
However, with things like IOAPIC and such, it might be possible
for two cpus to enter e100intr() simultaneously, both read
the same status, both see that the interrupt is pending, and
both thus process the interrupt and race with each other.
Scott, what prevents the above from happening?
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Kernel crash in 2.6.0-test9-mm3
2003-11-19 2:22 Krishna Kumar
2003-11-19 2:24 ` David S. Miller
@ 2003-11-19 2:58 ` Reuben Farrelly
[not found] ` <20031119185157.3edf69c8.davem@redhat.com>
1 sibling, 1 reply; 12+ messages in thread
From: Reuben Farrelly @ 2003-11-19 2:58 UTC (permalink / raw)
To: Krishna Kumar; +Cc: Andrew Morton, David S. Miller, netdev
The system is a UP system..
# CONFIG_SMP is not set
CONFIG_PREEMPT=y
CONFIG_X86_UP_APIC=y
CONFIG_X86_UP_IOAPIC=y
CONFIG_X86_LOCAL_APIC=y
CONFIG_X86_IO_APIC=y
CONFIG_X86_TSC=y
CONFIG_X86_MCE=y
I've put the full .config up at http://www.reub.net/linux/
Reuben
At 15:22 19/11/2003, Krishna Kumar wrote:
>Could this be happening on an SMP system only ? If so, e100intr routine
>services tx queues (e100_tx_srv)
>without holding a lock. Can't multiple rx interrupts be scheduled on
>different cpus at the same time, and
>each execute dev_kfree_skb_irq() which decrements the ref count too many
>times ? But the softirq handler
>(net_tx_action) seems to clean up the skb once as the dec_test returns 1
>only if count is zero, so I don't see
>where the dst ref is being decremented wrongly in this case.
^ permalink raw reply [flat|nested] 12+ messages in thread
* RE: Kernel crash in 2.6.0-test9-mm3
@ 2003-11-20 2:40 Feldman, Scott
2003-11-23 20:29 ` Rask Ingemann Lambertsen
0 siblings, 1 reply; 12+ messages in thread
From: Feldman, Scott @ 2003-11-20 2:40 UTC (permalink / raw)
To: David S. Miller, Krishna Kumar; +Cc: reuben-linux, akpm, netdev
> However, with things like IOAPIC and such, it might be
> possible for two cpus to enter e100intr() simultaneously,
> both read the same status, both see that the interrupt is
> pending, and both thus process the interrupt and race with each other.
>
> Scott, what prevents the above from happening?
Whoa, this question is freaking me out just a little bit: my assumption
is that the device's interrupt line has been masked off at the CPU/PIC
before e100intr() is ever called, so 1) there really isn't any need to
disable device's interrupts from the driver (see eepro100.c), 2) or even
hold a lock unless we shared something critical on the queuing side (see
e1000), and 3) only one e100intr is running. [public spanking in
order?]
I'm not sure what's behind the rest of the bug report, but if you're
saying e100intr() can be running simultaneously on two different CPUs,
then there is a problem because the test for device interrupt and the
acking of device interrupt are two steps that need to be protected with
a lock.
-scott
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Kernel crash in 2.6.0-test9-mm3
2003-11-20 2:40 Feldman, Scott
@ 2003-11-23 20:29 ` Rask Ingemann Lambertsen
0 siblings, 0 replies; 12+ messages in thread
From: Rask Ingemann Lambertsen @ 2003-11-23 20:29 UTC (permalink / raw)
To: netdev
On Wed, Nov 19, 2003 at 06:40:04PM -0800, Feldman, Scott wrote:
> > However, with things like IOAPIC and such, it might be
> > possible for two cpus to enter e100intr() simultaneously,
> > both read the same status, both see that the interrupt is
> > pending, and both thus process the interrupt and race with each other.
> >
> > Scott, what prevents the above from happening?
>
> Whoa, this question is freaking me out just a little bit: my assumption
> is that the device's interrupt line has been masked off at the CPU/PIC
> before e100intr() is ever called, so 1) there really isn't any need to
> disable device's interrupts from the driver (see eepro100.c), 2) or even
> hold a lock unless we shared something critical on the queuing side (see
> e1000), and 3) only one e100intr is running. [public spanking in
> order?]
Me too. My impression is also that the kernel guarantees that the interrupt
handler is single threaded, regardless of IOAPIC, SMP and such.
--
Regards,
Rask Ingemann Lambertsen
^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2003-11-23 20:29 UTC | newest]
Thread overview: 12+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <6.0.1.1.2.20031118232152.01ae5728@tornado.reub.net>
2003-11-18 19:01 ` Kernel crash in 2.6.0-test9-mm3 Andrew Morton
2003-11-18 22:22 ` David S. Miller
2003-11-19 0:49 ` David S. Miller
2003-11-19 1:22 ` Reuben Farrelly
2003-11-19 2:02 ` Andrew Morton
2003-11-19 2:22 Krishna Kumar
2003-11-19 2:24 ` David S. Miller
2003-11-19 2:58 ` Reuben Farrelly
[not found] ` <20031119185157.3edf69c8.davem@redhat.com>
2003-11-20 3:05 ` Reuben Farrelly
[not found] ` <20031119190258.4d926957.davem@redhat.com>
2003-11-20 7:30 ` Reuben Farrelly
-- strict thread matches above, loose matches on Subject: below --
2003-11-20 2:40 Feldman, Scott
2003-11-23 20:29 ` Rask Ingemann Lambertsen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).