From: Manfred Spraul <manfred@colorfullife.com>
To: "David S. Miller" <davem@redhat.com>
Cc: netdev@oss.sgi.com, Andrew Morton <akpm@digeo.com>
Subject: Re: oops in tcp_v4_rcv.
Date: Thu, 29 May 2003 03:15:57 +0200
Message-ID: <3ED55F4D.1070306@colorfullife.com>
In-Reply-To: <3ED54DBC.4020203@colorfullife.com>

[netdev added to cc list]

I think I understand now what causes the crash:
The tcp_ehash assumes that the entries are of the type 'struct inet_sock'.
But the actual entry is of the type tcp_tw_bucket. And 'sk->inet.daddr' 
is not shared between both structures.


 << net/ipv4/tcp_ipv4, line 510:
        /* Must check for a TIME_WAIT'er before going to listener hash. */
        for (sk = (head + tcp_ehash_size)->chain; sk; sk = sk->next)
               if (TCP_IPV4_MATCH(sk, acookie, saddr, daddr, ports, dif))
                    goto hit;
<<
preprocessor output:
<<
for (sk = (head + (tcp_hashinfo.__tcp_ehash_size))->chain; sk; sk = sk->next)
      if ((((&((struct inet_sock *)sk)->inet)->daddr == (saddr)) &&
           ((&((struct inet_sock *)sk)->inet)->rcv_saddr == (daddr)) &&
           ((*((__u32 *)&((&((struct inet_sock *)sk)->inet)->dport))) == (ports)) &&
           (!((sk)->bound_dev_if) || ((sk)->bound_dev_if == (dif)))))
                       goto hit;
<<


Manfred Spraul wrote:

> Hi,
>
> I'm looking at crashes that occur during network stress testing with 
> the CONFIG_DEBUG_PAGEALLOC from -mm: Pages that are not in use are 
> immediately unmapped from the linear mapping, and thus reading a stale 
> pointer causes an immediate oops.
>
> I've now analyzed one crash:
> the oops is in __tcp_v4_lookup_established, in the 2nd look [i.e. 
> looking at TIME_WAIT sockets. Easy to identify due to the access to 
> __tcp_ehash_size].
>
> The entry in the hash table is a tcp_tw_bucket, and that structure is 
> only ~88 bytes long. The oops is caused by an access to objp+0x168, 
> which doesn't exist.
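
The mismatch described in this message, as an added example that is not part of the original email or of the kernel source: the `demo_` structs, their field order and the 320-byte filler are hypothetical stand-ins chosen only to reproduce the size gap between the two object types. The type-aware match is one illustrative guard, not necessarily the fix the kernel adopted.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified layouts (not the kernel's): only the size gap matters. */
enum { DEMO_ESTABLISHED = 1, DEMO_TIME_WAIT = 6 };
struct demo_common {                 /* prefix shared by both object types */
    struct demo_common *next;
    int state, bound_dev_if;
};
struct demo_tw_bucket {              /* small TIME_WAIT entry */
    struct demo_common c;
    uint32_t daddr, rcv_saddr, ports;
};
struct demo_full_sock {              /* full socket: addresses far past the prefix */
    struct demo_common c;
    unsigned char other_state[320];
    uint32_t daddr, rcv_saddr, ports;
};

/* Returns 1 if reading daddr through a full-socket cast stays inside a TIME_WAIT entry. */
int cast_read_in_bounds(void)
{
    return offsetof(struct demo_full_sock, daddr) + sizeof(uint32_t) <= sizeof(struct demo_tw_bucket);
}

/* Type-aware match: choose the layout from the shared state field before reading. */
int demo_match(const struct demo_common *e, uint32_t saddr, uint32_t daddr,
               uint32_t ports, int dif)
{
    uint32_t a, b, p;
    if (e->state == DEMO_TIME_WAIT) {
        const struct demo_tw_bucket *tw = (const struct demo_tw_bucket *)e;
        a = tw->daddr; b = tw->rcv_saddr; p = tw->ports;
    } else {
        const struct demo_full_sock *sk = (const struct demo_full_sock *)e;
        a = sk->daddr; b = sk->rcv_saddr; p = sk->ports;
    }
    return a == saddr && b == daddr && p == ports && (!e->bound_dev_if || e->bound_dev_if == dif);
}

/* Constructed sample: one TIME_WAIT entry matched through the type-aware path. */
int demo_sample_hit(void)
{
    struct demo_tw_bucket tw = { { NULL, DEMO_TIME_WAIT, 0 }, 0x0a000001, 0x0a000002, 0x1f900050 };
    return demo_match(&tw.c, 0x0a000001, 0x0a000002, 0x1f900050, 3);
}

/* Exit status 0 when the cast would overrun and the type-aware match hits. */
int main(void) { return !(cast_read_in_bounds() == 0 && demo_sample_hit() == 1); }
```

`cast_read_in_bounds()` returning 0 is the condition behind the oops: the offset used by the cast lies beyond the end of the smaller object, so the read lands in whatever follows it, or in an unmapped page under CONFIG_DEBUG_PAGEALLOC.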
