From: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
To: netdev@vger.kernel.org, ycheng@google.com,
eric.dumazet@gmail.com, ncardwell@google.com
Subject: Crash when receiving FIN-ACK in TCP_FIN_WAIT1 state
Date: Sun, 20 Oct 2019 14:25:49 -0600 [thread overview]
Message-ID: <68ad6fb82c0edfb788c7ce1a3bdc851b@codeaurora.org> (raw)
We are seeing a crash in the TCP ACK codepath often in our regression
racks with an ARM64 device with 4.19 based kernel.
It appears that the tp->highest_ack is invalid when being accessed when
a
FIN-ACK is received. In all the instances of the crash, the tcp socket
is in TCP_FIN_WAIT1 state.
[include/net/tcp.h]
static inline u32 tcp_highest_sack_seq(struct tcp_sock *tp)
{
if (!tp->sacked_out)
return tp->snd_una;
if (tp->highest_sack == NULL)
return tp->snd_nxt;
return TCP_SKB_CB(tp->highest_sack)->seq;
}
[net/ipv4/tcp_input.c]
static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
{
...
prior_fack = tcp_is_sack(tp) ? tcp_highest_sack_seq(tp) : tp->snd_una;
Crash call stack below-
16496.596106: <6> Unable to handle kernel paging request at virtual
address fffffff2cd81a368
16496.730771: <2> pc : tcp_ack+0x174/0x11e8
16496.734536: <2> lr : tcp_rcv_state_process+0x318/0x1300
16497.183109: <2> Call trace:
16497.183114: <2> tcp_ack+0x174/0x11e8
16497.183115: <2> tcp_rcv_state_process+0x318/0x1300
16497.183117: <2> tcp_v4_do_rcv+0x1a8/0x1f0
16497.183118: <2> tcp_v4_rcv+0xe90/0xec8
16497.183120: <2> ip_protocol_deliver_rcu+0x150/0x298
16497.183121: <2> ip_local_deliver+0x21c/0x2a8
16497.183122: <2> ip_rcv+0x1c4/0x210
16497.183124: <2> __netif_receive_skb_core+0xab0/0xd90
16497.183125: <2> netif_receive_skb_internal+0x12c/0x368
16497.183126: <2> napi_gro_receive+0x1e0/0x290
Is it expected for the tp->highest_ack to be
accessed in this state?
--
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project
next reply other threads:[~2019-10-20 20:25 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-20 20:25 Subash Abhinov Kasiviswanathan [this message]
2019-10-20 22:16 ` Crash when receiving FIN-ACK in TCP_FIN_WAIT1 state Neal Cardwell
2019-10-20 23:15 ` Subash Abhinov Kasiviswanathan
2019-10-21 1:20 ` Neal Cardwell
2019-10-21 2:45 ` Subash Abhinov Kasiviswanathan
2019-10-21 11:47 ` Neal Cardwell
2019-10-22 0:04 ` Subash Abhinov Kasiviswanathan
2019-10-22 1:28 ` Neal Cardwell
2019-10-29 1:36 ` Subash Abhinov Kasiviswanathan
2019-10-30 17:13 ` Neal Cardwell
2019-10-30 18:27 ` Subash Abhinov Kasiviswanathan
2019-10-30 21:48 ` Josh Hunt
2019-10-31 1:27 ` Eric Dumazet
2019-11-27 5:30 ` Eric Dumazet
2019-11-30 2:51 ` subashab
2019-11-30 5:39 ` Avinash Patil
2019-12-02 2:23 ` Eric Dumazet
[not found] ` <0101016eba38455f-e79cd85a-a807-4309-bf3b-8a788135f3f2-000000@us-west-2.amazonses.com>
2019-12-03 17:24 ` Josh Hunt
2019-10-31 0:38 ` Eric Dumazet
2019-10-31 1:17 ` Subash Abhinov Kasiviswanathan
2019-10-21 14:17 ` Eric Dumazet
2019-10-21 17:40 ` Subash Abhinov Kasiviswanathan
2019-10-21 18:10 ` Josh Hunt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=68ad6fb82c0edfb788c7ce1a3bdc851b@codeaurora.org \
--to=subashab@codeaurora.org \
--cc=eric.dumazet@gmail.com \
--cc=ncardwell@google.com \
--cc=netdev@vger.kernel.org \
--cc=ycheng@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).