From: george anzinger <george@mvista.com>
To: Andi Kleen <ak@muc.de>
Cc: netdev@oss.sgi.com, linux-net@vger.kernel.org, davem@redhat.com,
kuznet@ms2.inr.ac.ru, pekkas@netcore.fi
Subject: Re: System crash in tcp_fragment()
Date: Mon, 20 May 2002 14:18:34 -0700 [thread overview]
Message-ID: <3CE9682A.2CC13644@mvista.com> (raw)
In-Reply-To: 20020520222937.A1467@averell
Andi Kleen wrote:
>
> > Incase you can not see this, it appears that the addresses
> > of each skb are alright, so the assumption is that the skb
> > passed to tcp_fragment() has been unlinked while
> > tcp_fragment() was doing its thing. This implies a need for
> > locking at some higher level and we don't know enough about
> > the tcp code to divine where this might best be done.
>
> 2.4 TCP should in theory already have enough locking to prevent this
> (the socket lock that is aquired by timers and user context socket users)
>
> -Andi
Here is another oops, not quite the same, AND with an assert
failure ahead of it. I append the whole report and some and
some observations:
We had two more panics over the weekend.
Here is the analysis from one of them.
---------comments from Dave Howell--------------
Looking at the sysint4l dump, some observations:
- Panic was due to an Oops (Null pointer dereference kernel
incident)
- Full system configuration is in kernel startup logs
(memory, disks, chipsets,
etc)
- Last part of kernel log has oops info, follows kernel
assertion failed
warning:
<4>KERNRL: assertion (atomic_read(&sk->wmem_alloc) == 0)
failed at af_inet.c <==============
(174):inet_sock_destruct
<1>Unable to handle kernel NULL pointer dereference at
virtual address 00000049
<4> printing eip:
<4>c0255196
<1>*pde = 00000000
<4>Oops: 0000
<4>CPU: 1
<4>EIP: 0010:[<c0255196>] Not tainted
<4>EFLAGS: 00010213
<4>eax: c6ace4c8 ebx: 00000000 ecx: 00000004 edx:
00000000
<4>esi: c6ace538 edi: c6ace460 ebp: 00000026 esp:
c1219eb4
<4>ds: 0018 es: 0018 ss: 0018
<4>Process swapper (pid: 0, stackpage=c1219000)
<4>Stack: c6ace460 c6ace538 c6ace460 004ec3ef c025de3e
c6ace460 00000000
c72011a0
<4> c1218050 004ec2d2 c02395b2 c6ace460 c6ace538
c1218000 004ec3ef
c025e056
<4> c6ace460 c1218000 00000046 004ebfe7 00000000
c1218000 00cf70a0
c0128eaa
<4>Call Trace: [<c025de3e>] [<c02395b2>] [<c025e056>]
[<c0128eaa>] [<c025df70>]
<4> [<c0128fad>] [<c012483b>] [<c0109704>] [<c0105490>]
[<c0105490>]
[<c0105490>]
<4> [<c01054bc>] [<c0105542>] [<c011d51b>] [<c011d8ad>]
<4>
<4>Code: 0f b6 4b 49 45 f6 c1 82 74 0c 31 d2 89 96 78 01 00
00 0f b6
- Finally at the bottom of the trace the active backtrace, a
bit suspect
because it's on the interrupt
side (not trace but process it's attributed to).
===========================
STACK TRACE OF FAILING TASK
===========================
================================================================
STACK TRACE FOR TASK: 0xc1218000 (swapper)
0 tcp_enter_loss+198 [0xc0255196]
1 tcp_retransmit_timer+473 [0xc025de39]
2 tcp_write_timer+225 [0xc025e051]
3 timer_bh+710 [0xc0128ea6]
4 timer_softirq+40 [0xc0128fa8]
5 do_softirq+185 [0xc0124839]
6 do_IRQ+511 [0xc01096ff]
7 do_IRQ+511 [0xc01096ff]
TRACE ERROR 0x1
================================================================
- In comparison with previous dump looks like the same
upstream event occured,
with a timer bottom half running and invoking the
tcp_retransmit_timer. Last
one caught it oopsing in the tcp_fragment code, this is a
bit different but the
upstream path there is the same.
- Same pile of unknown symbol references bringing up dump
manually in lcrash,
must be corrupt or wrong system.0 or kerntypes.0. Needs a
look.
- Dumped tcp_enter_loss+0 to tcp_enter_loss+200 to see site
at
tcp_enter_loss+198.
Code at this site is:
movzbl 0x49(%ebx),%ecx
%ebx is NULL at this point (see above), hence the oops at
00000049.
Code for function is in net/ipv4/tcp_input.c starting at
line 987.
- The failure is in the loop starting at line 1002:
for_retrans_queue(skb, sk, tp) {
cnt++;
if (TCP_SKB_CB(skb)->sacked&TCPCB_RETRANS)
tp->undo_marker = 0;
TCP_SKB_CB(skb)->sacked &=
(~TCPCB_TAGBITS)|TCPCB_SACKED_ACKED;
if
(!(TCP_SKB_CB(skb)->sacked&TCPCB_SACKED_ACKED) || how) {
TCP_SKB_CB(skb)->sacked &=
~TCPCB_SACKED_ACKED;
TCP_SKB_CB(skb)->sacked |=
TCPCB_LOST;
tp->lost_out++;
} else {
tp->sacked_out++;
tp->fackets_out = cnt;
}
}
I didn't fully map the code but think that the expansion of:
if (TCP_SKB_CB(skb)->sacked&TCPCB_RETRANS)
is where the zeroed pointer is used. Looks like the intent
is that skp is the
iterater variable to loop through the retrans_queue and it
got the zero value
set on some iteration, not the first. So my guess is a
corrupted queue element
pointer being picked up and used.
- I still would look upstream at the timer bottom half
invocation as in both
of the dumps this upstream trace is present, and it seems
like an exception
path for a timeout that leads to a retransmit.
- Also needs a look is the kernel assertion that failed and
likely led to the
oops, looks a lot like an allocation failed and returned a
NULL value, this
would be my top culprit to pursue.
Code from af_net.c at line 174:
void inet_sock_destruct(struct sock *sk)
{
__skb_queue_purge(&sk->receive_queue);
__skb_queue_purge(&sk->error_queue);
if (sk->type == SOCK_STREAM && sk->state !=
TCP_CLOSE) {
printk("Attempt to release TCP socket in
state %d %p\n",
sk->state,
sk);
return;
}
if (!sk->dead) {
printk("Attempt to release alive inet socket
%p\n", sk);
return;
}
BUG_TRAP(atomic_read(&sk->rmem_alloc) == 0);
BUG_TRAP(atomic_read(&sk->wmem_alloc) == 0); <<--
assert reported
here
BUG_TRAP(sk->wmem_queued == 0);
BUG_TRAP(sk->forward_alloc == 0);
if (sk->protinfo.af_inet.opt)
kfree(sk->protinfo.af_inet.opt);
Continuing on after this likely led to the oops that
killed us.
--
George Anzinger george@mvista.com
High-res-timers:
http://sourceforge.net/projects/high-res-timers/
Real time sched: http://sourceforge.net/projects/rtsched/
Preemption patch:
http://www.kernel.org/pub/linux/kernel/people/rml
next prev parent reply other threads:[~2002-05-20 21:18 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <3CE95190.75C52E2D@mvista.com>
2002-05-20 20:29 ` System crash in tcp_fragment() Andi Kleen
[not found] ` <20020520222937.A1467@averell>
2002-05-20 21:18 ` george anzinger [this message]
2002-05-20 21:25 ` kuznet
2002-05-20 22:08 ` David S. Miller
[not found] ` <200205202125.BAA03545@sex.inr.ac.ru>
2002-05-20 23:01 ` george anzinger
2002-05-20 23:54 ` Andi Kleen
2002-06-09 17:31 ` Network oops george anzinger
[not found] ` <3D0390E2.1B80ADEE@mvista.com>
2002-06-10 4:31 ` David S. Miller
2002-06-10 4:32 ` David S. Miller
[not found] ` <20020609.213150.32126725.davem@redhat.com>
2002-06-10 4:48 ` george anzinger
[not found] ` <3D042F8F.72764243@mvista.com>
2002-06-10 5:06 ` David S. Miller
2002-06-20 17:19 ` george anzinger
[not found] ` <3D120EAE.5A0D365E@mvista.com>
2002-06-21 0:38 ` David S. Miller
[not found] ` <20020620.173805.55219901.davem@redhat.com>
2002-06-21 14:16 ` george anzinger
[not found] ` <3D133538.60B6810C@mvista.com>
2002-06-21 14:17 ` David S. Miller
[not found] ` <20020621.071720.07439917.davem@redhat.com>
2002-06-21 15:12 ` george anzinger
2002-06-22 0:55 ` Andi Kleen
[not found] ` <20020622025551.A1919@averell>
2002-06-28 19:56 ` george anzinger
[not found] ` <20020609.213224.01016187.davem@redhat.com>
2002-06-10 8:11 ` george anzinger
[not found] ` <3D045F15.578E1DA9@mvista.com>
2002-06-10 8:31 ` David S. Miller
[not found] ` <20020610.013110.81671593.davem@redhat.com>
2002-06-10 14:12 ` george anzinger
[not found] <Pine.LNX.4.33.0205201836160.9301-100000@w-nivedita2.des.beaverton.ibm.com>
[not found] ` <3CE9E466.AC2358EE@mvista.com>
2002-05-21 6:00 ` System crash in tcp_fragment() David S. Miller
[not found] ` <20020520.230021.29510217.davem@redhat.com>
2002-05-21 7:25 ` george anzinger
2002-05-21 9:49 ` Andi Kleen
[not found] ` <3CE9F679.90ACF597@mvista.com>
2002-05-21 7:22 ` David S. Miller
2002-05-21 12:47 ` kuznet
2002-05-21 15:42 ` george anzinger
2002-05-21 12:54 ` Andi Kleen
2002-05-21 6:08 ` george anzinger
[not found] <20020520.173416.105610032.davem@redhat.com>
2002-05-21 1:00 ` kuznet
2002-05-21 1:49 ` Nivedita Singhvi
[not found] <3CE9960D.15D41380@mvista.com>
[not found] ` <200205210041.EAA04407@sex.inr.ac.ru>
2002-05-21 0:34 ` David S. Miller
2002-05-21 0:41 ` kuznet
[not found] <20020521015407.A1296@wotan.suse.de>
2002-05-21 0:11 ` kuznet
[not found] ` <3CE99434.20E7479C@mvista.com>
2002-05-21 0:18 ` David S. Miller
2002-05-21 0:39 ` Andi Kleen
2002-05-21 0:20 ` Andi Kleen
2002-05-21 0:26 ` george anzinger
[not found] ` <20020521022007.A6248@wotan.suse.de>
2002-05-21 0:34 ` george anzinger
2002-05-20 19:42 george anzinger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3CE9682A.2CC13644@mvista.com \
--to=george@mvista.com \
--cc=ak@muc.de \
--cc=davem@redhat.com \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-net@vger.kernel.org \
--cc=netdev@oss.sgi.com \
--cc=pekkas@netcore.fi \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).