* skbuff: skb_under_panic warning in 3.10rc7+
@ 2013-06-30 16:02 Dave Jones
2013-06-30 18:29 ` Hannes Frederic Sowa
2013-06-30 22:13 ` Hannes Frederic Sowa
0 siblings, 2 replies; 7+ messages in thread
From: Dave Jones @ 2013-06-30 16:02 UTC (permalink / raw)
To: netdev
skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:126!
invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c
CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000
RIP: 0010:[<ffffffff816e759c>] [<ffffffff816e759c>] skb_panic+0x63/0x65
RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282
RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006
RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520
RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800
R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800
FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Stack:
ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4
ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6
ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0
Call Trace:
[<ffffffff8159a9aa>] skb_push+0x3a/0x40
[<ffffffff816765f6>] ip6_push_pending_frames+0x1f6/0x4d0
[<ffffffff810b756b>] ? mark_held_locks+0xbb/0x140
[<ffffffff81694919>] udp_v6_push_pending_frames+0x2b9/0x3d0
[<ffffffff81694660>] ? udplite_getfrag+0x20/0x20
[<ffffffff8162092a>] udp_lib_setsockopt+0x1aa/0x1f0
[<ffffffff811cc5e7>] ? fget_light+0x387/0x4f0
[<ffffffff816958a4>] udpv6_setsockopt+0x34/0x40
[<ffffffff815949f4>] sock_common_setsockopt+0x14/0x20
[<ffffffff81593c31>] SyS_setsockopt+0x71/0xd0
[<ffffffff816f5d54>] tracesys+0xdd/0xe2
Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55
RIP [<ffffffff816e759c>] skb_panic+0x63/0x65
RSP <ffff8801e6431de8>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: skbuff: skb_under_panic warning in 3.10rc7+
2013-06-30 16:02 skbuff: skb_under_panic warning in 3.10rc7+ Dave Jones
@ 2013-06-30 18:29 ` Hannes Frederic Sowa
2013-06-30 18:43 ` Hannes Frederic Sowa
2013-06-30 22:13 ` Hannes Frederic Sowa
1 sibling, 1 reply; 7+ messages in thread
From: Hannes Frederic Sowa @ 2013-06-30 18:29 UTC (permalink / raw)
To: Dave Jones; +Cc: netdev
On Sun, Jun 30, 2013 at 12:02:46PM -0400, Dave Jones wrote:
> skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:<NULL>
> ------------[ cut here ]------------
> kernel BUG at net/core/skbuff.c:126!
> invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
> Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c
> CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
> task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000
> RIP: 0010:[<ffffffff816e759c>] [<ffffffff816e759c>] skb_panic+0x63/0x65
> RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282
> RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006
> RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520
> RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800
> R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800
> FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
> Stack:
> ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4
> ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6
> ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0
> Call Trace:
> [<ffffffff8159a9aa>] skb_push+0x3a/0x40
> [<ffffffff816765f6>] ip6_push_pending_frames+0x1f6/0x4d0
> [<ffffffff810b756b>] ? mark_held_locks+0xbb/0x140
> [<ffffffff81694919>] udp_v6_push_pending_frames+0x2b9/0x3d0
> [<ffffffff81694660>] ? udplite_getfrag+0x20/0x20
> [<ffffffff8162092a>] udp_lib_setsockopt+0x1aa/0x1f0
> [<ffffffff811cc5e7>] ? fget_light+0x387/0x4f0
> [<ffffffff816958a4>] udpv6_setsockopt+0x34/0x40
> [<ffffffff815949f4>] sock_common_setsockopt+0x14/0x20
> [<ffffffff81593c31>] SyS_setsockopt+0x71/0xd0
> [<ffffffff816f5d54>] tracesys+0xdd/0xe2
> Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55
> RIP [<ffffffff816e759c>] skb_panic+0x63/0x65
> RSP <ffff8801e6431de8>
We need to add some logic to reallocate skbs in case of UDP_CORK and if
extension headers are in use. A small test with UDP_CORK and IPV6_DSTOPTS
resulted in this (some lines below your crash in ip6_append_data):
[37598.993962] ------------[ cut here ]------------
[37598.994008] kernel BUG at net/core/skbuff.c:2064!
[37598.994008] invalid opcode: 0000 [#1] SMP
[37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode
cdc_wdm cdc_acm
[37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video
[37598.994008] CPU 0
[37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG
[37598.994008] RIP: 0010:[<ffffffff815443a5>] [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
[37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202
[37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0
[37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00
[37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040
[37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8
[37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000
[37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000
[37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0
[37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0)
[37598.994008] Stack:
[37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8
[37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200
[37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4
[37598.994008] Call Trace:
[37598.994008] [<ffffffff815fc21f>] ip6_append_data+0xccf/0xfe0
[37598.994008] [<ffffffff8158d9f0>] ? ip_copy_metadata+0x1a0/0x1a0
[37598.994008] [<ffffffff81661f66>] ? _raw_spin_lock_bh+0x16/0x40
[37598.994008] [<ffffffff8161548d>] udpv6_sendmsg+0x1ed/0xc10
[37598.994008] [<ffffffff812a2845>] ? sock_has_perm+0x75/0x90
[37598.994008] [<ffffffff815c3693>] inet_sendmsg+0x63/0xb0
[37598.994008] [<ffffffff812a2973>] ? selinux_socket_sendmsg+0x23/0x30
[37598.994008] [<ffffffff8153a450>] sock_sendmsg+0xb0/0xe0
[37598.994008] [<ffffffff810135d1>] ? __switch_to+0x181/0x4a0
[37598.994008] [<ffffffff8153d97d>] sys_sendto+0x12d/0x180
[37598.994008] [<ffffffff810dfb64>] ? __audit_syscall_entry+0x94/0xf0
[37598.994008] [<ffffffff81020ed1>] ? syscall_trace_enter+0x231/0x240
[37598.994008] [<ffffffff8166a7e7>] tracesys+0xdd/0xe2
[37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48
[37598.994008] RIP [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
[37598.994008] RSP <ffff88003670da18>
[37599.007323] ---[ end trace d69f6a17f8ac8eee ]---
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: skbuff: skb_under_panic warning in 3.10rc7+
2013-06-30 18:29 ` Hannes Frederic Sowa
@ 2013-06-30 18:43 ` Hannes Frederic Sowa
0 siblings, 0 replies; 7+ messages in thread
From: Hannes Frederic Sowa @ 2013-06-30 18:43 UTC (permalink / raw)
To: Dave Jones, netdev
On Sun, Jun 30, 2013 at 08:29:11PM +0200, Hannes Frederic Sowa wrote:
> On Sun, Jun 30, 2013 at 12:02:46PM -0400, Dave Jones wrote:
> We need to add some logic to reallocate skbs in case of UDP_CORK and if
> extension headers are in use. A small test with UDP_CORK and IPV6_DSTOPTS
> resulted in this (some lines below your crash in ip6_append_data):
I actually had a fragment header in there, too.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: skbuff: skb_under_panic warning in 3.10rc7+
2013-06-30 16:02 skbuff: skb_under_panic warning in 3.10rc7+ Dave Jones
2013-06-30 18:29 ` Hannes Frederic Sowa
@ 2013-06-30 22:13 ` Hannes Frederic Sowa
2013-06-30 23:23 ` Hannes Frederic Sowa
1 sibling, 1 reply; 7+ messages in thread
From: Hannes Frederic Sowa @ 2013-06-30 22:13 UTC (permalink / raw)
To: Dave Jones; +Cc: netdev
On Sun, Jun 30, 2013 at 12:02:46PM -0400, Dave Jones wrote:
> skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:<NULL>
> ------------[ cut here ]------------
> kernel BUG at net/core/skbuff.c:126!
> invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
> Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c
> CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
> task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000
> RIP: 0010:[<ffffffff816e759c>] [<ffffffff816e759c>] skb_panic+0x63/0x65
> RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282
> RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006
> RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520
> RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800
> R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800
> FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
> Stack:
> ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4
> ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6
> ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0
> Call Trace:
> [<ffffffff8159a9aa>] skb_push+0x3a/0x40
> [<ffffffff816765f6>] ip6_push_pending_frames+0x1f6/0x4d0
> [<ffffffff810b756b>] ? mark_held_locks+0xbb/0x140
> [<ffffffff81694919>] udp_v6_push_pending_frames+0x2b9/0x3d0
> [<ffffffff81694660>] ? udplite_getfrag+0x20/0x20
> [<ffffffff8162092a>] udp_lib_setsockopt+0x1aa/0x1f0
> [<ffffffff811cc5e7>] ? fget_light+0x387/0x4f0
> [<ffffffff816958a4>] udpv6_setsockopt+0x34/0x40
> [<ffffffff815949f4>] sock_common_setsockopt+0x14/0x20
> [<ffffffff81593c31>] SyS_setsockopt+0x71/0xd0
> [<ffffffff816f5d54>] tracesys+0xdd/0xe2
> Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55
> RIP [<ffffffff816e759c>] skb_panic+0x63/0x65
> RSP <ffff8801e6431de8>
Dave, could you try to reproduce this Eric's patch
https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git/commit/net/ipv6/ip6_output.c?id=284041ef21fdf2e0d216ab6b787bc9072b4eb58a
cherry-picked from net-next? I could just test net-next with my testcase and
at least my BUG does not occur any more.
Thanks,
Hannes
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: skbuff: skb_under_panic warning in 3.10rc7+
2013-06-30 22:13 ` Hannes Frederic Sowa
@ 2013-06-30 23:23 ` Hannes Frederic Sowa
2013-07-01 8:24 ` Hannes Frederic Sowa
0 siblings, 1 reply; 7+ messages in thread
From: Hannes Frederic Sowa @ 2013-06-30 23:23 UTC (permalink / raw)
To: Dave Jones, netdev
On Mon, Jul 01, 2013 at 12:13:22AM +0200, Hannes Frederic Sowa wrote:
> On Sun, Jun 30, 2013 at 12:02:46PM -0400, Dave Jones wrote:
> > skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:<NULL>
> > ------------[ cut here ]------------
> > kernel BUG at net/core/skbuff.c:126!
> > invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
> > Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c
> > CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
> > task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000
> > RIP: 0010:[<ffffffff816e759c>] [<ffffffff816e759c>] skb_panic+0x63/0x65
> > RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282
> > RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006
> > RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520
> > RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000
> > R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800
> > R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800
> > FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
> > Stack:
> > ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4
> > ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6
> > ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0
> > Call Trace:
> > [<ffffffff8159a9aa>] skb_push+0x3a/0x40
> > [<ffffffff816765f6>] ip6_push_pending_frames+0x1f6/0x4d0
> > [<ffffffff810b756b>] ? mark_held_locks+0xbb/0x140
> > [<ffffffff81694919>] udp_v6_push_pending_frames+0x2b9/0x3d0
> > [<ffffffff81694660>] ? udplite_getfrag+0x20/0x20
> > [<ffffffff8162092a>] udp_lib_setsockopt+0x1aa/0x1f0
> > [<ffffffff811cc5e7>] ? fget_light+0x387/0x4f0
> > [<ffffffff816958a4>] udpv6_setsockopt+0x34/0x40
> > [<ffffffff815949f4>] sock_common_setsockopt+0x14/0x20
> > [<ffffffff81593c31>] SyS_setsockopt+0x71/0xd0
> > [<ffffffff816f5d54>] tracesys+0xdd/0xe2
> > Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55
> > RIP [<ffffffff816e759c>] skb_panic+0x63/0x65
> > RSP <ffff8801e6431de8>
>
> Dave, could you try to reproduce this Eric's patch
>
> https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git/commit/net/ipv6/ip6_output.c?id=284041ef21fdf2e0d216ab6b787bc9072b4eb58a
>
> cherry-picked from net-next? I could just test net-next with my testcase and
> at least my BUG does not occur any more.
Sorry, I am a bit too tired. The patch is already in net. I could again
reproduce at least my crash with net-next, it just needs a bit more load
and retries to do so. I do think those BUGs are somehow connected.
Here is my test program:
-- 8< --
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/udp.h>
#include <errno.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>
int main(int argc, char **argv)
{
int on = 1;
int mtu = 1280;
char buf[1220] = {0};
int sockfd = socket(AF_INET6, SOCK_DGRAM, 0);
if (sockfd < 0) {
perror("socket");
exit(EXIT_FAILURE);
}
if (setsockopt(sockfd, IPPROTO_UDP, UDP_CORK, &on, sizeof(on))) {
perror("setsockopt");
exit(EXIT_FAILURE);
}
if (setsockopt(sockfd, IPPROTO_IPV6, IPV6_MTU, &mtu, sizeof(mtu))) {
perror("setsockopt");
exit(EXIT_FAILURE);
}
struct sockaddr_in6 sa6 = {0};
sa6.sin6_family = AF_INET6;
sa6.sin6_port = 678;
if (!inet_pton(AF_INET6, "::1", &sa6.sin6_addr)) {
perror("inet_pton");
exit(EXIT_FAILURE);
}
while (true) {
const char dstops[8] = {0};
if (setsockopt(sockfd, IPPROTO_IPV6, IPV6_DSTOPTS, &dstops, sizeof(dstops))) {
perror("setsockopt");
exit(EXIT_FAILURE);
}
if (sendto(sockfd, buf, sizeof(buf), MSG_MORE, (struct sockaddr *)&sa6,
sizeof(sa6)) == -1) {
perror("sendto");
exit(EXIT_FAILURE);
}
}
if (close(sockfd)) {
perror("close");
exit(EXIT_FAILURE);
}
}
-- >8 --
What is a bit strange but I did not investiage, yet:
If the size of buf is strict smaller than 1217 I get a message too big error.
If the size of the buffer is between (inclusive) 1217 and 1224 I can trigger the bug.
If the buffer is larger than 1225 I get a message error too big, too.
I'll look at it again tomorrow.
Greetings,
Hannes
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: skbuff: skb_under_panic warning in 3.10rc7+
2013-06-30 23:23 ` Hannes Frederic Sowa
@ 2013-07-01 8:24 ` Hannes Frederic Sowa
2013-07-01 16:08 ` Hannes Frederic Sowa
0 siblings, 1 reply; 7+ messages in thread
From: Hannes Frederic Sowa @ 2013-07-01 8:24 UTC (permalink / raw)
To: Dave Jones, netdev; +Cc: gaofeng
On Mon, Jul 01, 2013 at 01:23:08AM +0200, Hannes Frederic Sowa wrote:
> I'll look at it again tomorrow.
[Cc Gao feng because of commit 0c1833797a5a6ec23ea9261d979aa18078720b74
("ipv6: fix incorrect ipsec fragment")]
Just a small update:
The following diff fixes the UDP_CORK case for me. I just traced the various
len variables and brought ip6_append_data_mtu in line with the initial
initialization when the first call to ip6_append_data happens.
I'll have to do more research on this and check if this correlates
somehow with Dave's report.
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1097,7 +1097,9 @@ static void ip6_append_data_mtu(int *mtu,
int *maxfraglen,
unsigned int fragheaderlen,
struct sk_buff *skb,
- struct rt6_info *rt)
+ struct rt6_info *rt,
+ __u32 frag_size,
+ bool pmtudisc)
{
if (!(rt->dst.flags & DST_XFRM_TUNNEL)) {
if (skb == NULL) {
@@ -1109,7 +1111,9 @@ static void ip6_append_data_mtu(int *mtu,
* this fragment is not first, the headers
* space is regarded as data space.
*/
- *mtu = dst_mtu(rt->dst.path);
+ *mtu = pmtudisc ? rt->dst.dev->mtu : dst_mtu(rt->dst.path);
+ if (frag_size && frag_size < *mtu)
+ *mtu = frag_size;
}
*maxfraglen = ((*mtu - fragheaderlen) & ~7)
+ fragheaderlen - sizeof(struct frag_hdr);
@@ -1287,7 +1291,8 @@ alloc_new_skb:
/* update mtu and maxfraglen if necessary */
if (skb == NULL || skb_prev == NULL)
ip6_append_data_mtu(&mtu, &maxfraglen,
- fragheaderlen, skb, rt);
+ fragheaderlen, skb, rt, np->frag_size,
+ np->pmtudisc == IPV6_PMTUDISC_PROBE);
skb_prev = skb;
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: skbuff: skb_under_panic warning in 3.10rc7+
2013-07-01 8:24 ` Hannes Frederic Sowa
@ 2013-07-01 16:08 ` Hannes Frederic Sowa
0 siblings, 0 replies; 7+ messages in thread
From: Hannes Frederic Sowa @ 2013-07-01 16:08 UTC (permalink / raw)
To: Dave Jones, netdev, gaofeng
On Mon, Jul 01, 2013 at 10:24:40AM +0200, Hannes Frederic Sowa wrote:
> On Mon, Jul 01, 2013 at 01:23:08AM +0200, Hannes Frederic Sowa wrote:
> > I'll look at it again tomorrow.
>
> [Cc Gao feng because of commit 0c1833797a5a6ec23ea9261d979aa18078720b74
> ("ipv6: fix incorrect ipsec fragment")]
>
> Just a small update:
I could reproduce Dave's exact bug and this fixes it for me:
--- a/include/net/udp.h
+++ b/include/net/udp.h
@@ -182,6 +182,7 @@ extern void udp_err(struct sk_buff *, u32);
extern int udp_sendmsg(struct kiocb *iocb, struct sock *sk,
struct msghdr *msg, size_t len);
extern void udp_flush_pending_frames(struct sock *sk);
+extern int udp_push_pending_frames(struct sock *sk);
extern int udp_rcv(struct sk_buff *skb);
extern int udp_ioctl(struct sock *sk, int cmd, unsigned long arg);
extern int udp_disconnect(struct sock *sk, int flags);
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 959502a..6b270e5 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -800,7 +800,7 @@ send:
/*
* Push out all pending data as one UDP datagram. Socket is locked.
*/
-static int udp_push_pending_frames(struct sock *sk)
+int udp_push_pending_frames(struct sock *sk)
{
struct udp_sock *up = udp_sk(sk);
struct inet_sock *inet = inet_sk(sk);
@@ -819,6 +819,7 @@ out:
up->pending = 0;
return err;
}
+EXPORT_SYMBOL(udp_push_pending_frames);
int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
size_t len)
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index f77e34c..748046c 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1322,7 +1322,9 @@ int udpv6_setsockopt(struct sock *sk, int level, int optname,
{
if (level == SOL_UDP || level == SOL_UDPLITE)
return udp_lib_setsockopt(sk, level, optname, optval, optlen,
- udp_v6_push_pending_frames);
+ udp_sk(sk)->pending == AF_INET6 ?
+ udp_v6_push_pending_frames :
+ udp_push_pending_frames);
return ipv6_setsockopt(sk, level, optname, optval, optlen);
}
@@ -1332,7 +1334,9 @@ int compat_udpv6_setsockopt(struct sock *sk, int level, int optname,
{
if (level == SOL_UDP || level == SOL_UDPLITE)
return udp_lib_setsockopt(sk, level, optname, optval, optlen,
- udp_v6_push_pending_frames);
+ udp_sk(sk)->pending == AF_INET6 ?
+ udp_v6_push_pending_frames :
+ udp_push_pending_frames);
return compat_ipv6_setsockopt(sk, level, optname, optval, optlen);
}
#endif
We call udp_v6_push_pending_frames on a socket which pending data is
actually AF_INET only. I would beautify the above patches (and perhaps
move the call to udp_push_pending_frames into udp_v6_push_pending_frames,
whatever looks nicer) and would do proper patch submissions then.
Greetings,
Hannes
^ permalink raw reply related [flat|nested] 7+ messages in thread
end of thread, other threads:[~2013-07-01 16:08 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-06-30 16:02 skbuff: skb_under_panic warning in 3.10rc7+ Dave Jones
2013-06-30 18:29 ` Hannes Frederic Sowa
2013-06-30 18:43 ` Hannes Frederic Sowa
2013-06-30 22:13 ` Hannes Frederic Sowa
2013-06-30 23:23 ` Hannes Frederic Sowa
2013-07-01 8:24 ` Hannes Frederic Sowa
2013-07-01 16:08 ` Hannes Frederic Sowa
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.