From: Eric Dumazet <eric.dumazet@gmail.com>
To: Ben Greear <greearb@candelatech.com>
Cc: netdev <netdev@vger.kernel.org>
Subject: Re: 3.9.5+: Crash in tcp_input.c:4810.
Date: Tue, 02 Jul 2013 18:04:27 -0700
Message-ID: <1372813467.4979.46.camel@edumazet-glaptop>
In-Reply-To: <51D1C620.8030007@candelatech.com>
On Mon, 2013-07-01 at 11:10 -0700, Ben Greear wrote:
> offset: -1459 start: -1146162927 seq: -1146161468 size: 16047 copy: 3576
> ...
>
> There were 80 total splats of this nature grouped together, and then
> the system recovered and continued to function normally as far as I
> can tell. The later splats are a bit farther apart...maybe the
> TCP connection is dying.
>
> It appears my 'work-around' is poor at best, but I'd rather kill
> a TCP connection and spam the logs than crash the OS.
>
> I'd be more than happy to add more/different debugging code.
It would be nice to pinpoint the origin of the bug. Really.
This BUG_ON() is at least 7 years old. I do not think the invariant has
changed?
Sure we can avoid crashes but it looks like we could randomly corrupt
tcp payload or whatever kernel memory, if it turns out it's caused by a
buggy driver.
Is it happening while collapsing the receive queue, or the ofo queue?
In the receive queue, all skbs skb2 following skb1 must have
TCP_SKB_CB(skb1)->end_seq >= TCP_SKB_CB(skb2)->seq
Only on ofo, we could have this not respected, and it should be handled
properly in tcp_collapse_ofo_queue()
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 28af45a..d77f1f0 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4457,7 +4457,12 @@ restart:
int offset = start - TCP_SKB_CB(skb)->seq;
int size = TCP_SKB_CB(skb)->end_seq - start;
- BUG_ON(offset < 0);
+ if (unlikely(offset < 0)) {
+ pr_err("tcp_collapse() bug on %s offset:%d size:%d copy:%d skb->len %u truesize %u, nskb->len %u\n",
+ list == &sk->sk_receive_queue ? "receive_queue" : "ofo_queue",
+ offset, size, copy, skb->len, skb->truesize, nskb->len);
+ return;
+ }
if (size > 0) {
size = min(copy, size);
if (skb_copy_bits(skb, offset, skb_put(nskb, size), size))
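Review bot: the new `return;` in the `offset < 0` branch bails out of tcp_collapse() mid-loop with nskb already allocated (the message itself prints nskb->len), and nothing in the hunk frees or unlinks it, so whatever partially filled nskb exists at that point is abandoned together with the original skbs; if the intent is only to survive long enough to get a diagnostic, the bail-out should either release nskb or leave the list in a state the caller can recover from, and a comment should say which. Two smaller points on the diagnostic: the message omits TCP_SKB_CB(skb)->seq, TCP_SKB_CB(skb)->end_seq and start, which are exactly the values needed to tell a wrapped sequence number from a real hole (Ben's report printed them as signed ints, which is confusing), so add them as %u; and since the report showed 80 splats in a row, pr_err_ratelimited() would avoid flooding the log when the condition recurs on every collapse attempt.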
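Eric's receive-queue invariant and the offset < 0 test in the hunk, illustrated with added C that is not kernel code and not part of this thread. struct seg, seq_before()/seq_after(), find_hole(), collapse_offset(), collapse_sim() and count_runs() are names chosen here for the illustration; the sequence values in main() are the start/seq numbers from Ben's quoted report reinterpreted as the u32 they really are, and the queues are constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Stand-in for the seq/end_seq fields of TCP_SKB_CB(skb); payload omitted.
 * Name and layout are chosen for this example, not the kernel's. */
struct seg {
    uint32_t seq;
    uint32_t end_seq;
};

/* Wrap-safe sequence comparison, same trick as the kernel's before()/after():
 * the signed difference is negative when a precedes b modulo 2^32. */
static inline bool seq_before(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) < 0;
}
#define seq_after(a, b) seq_before((b), (a))

/* Receive-queue invariant from the mail: for consecutive skb1, skb2 we need
 * end_seq(skb1) >= seq(skb2), i.e. no hole. Returns the index of the first
 * segment that starts after its predecessor ended, or -1 if contiguous. */
int find_hole(const struct seg *q, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (seq_after(q[i].seq, q[i - 1].end_seq))
            return (int)i;
    return -1;
}

/* 'offset' exactly as tcp_collapse() computes it: start - seq, as a signed
 * int. It is negative precisely when the segment starts after 'start', which
 * in the receive queue would mean a hole that find_hole() already rules out. */
int collapse_offset(uint32_t start, uint32_t seq)
{
    return (int)(start - seq);
}

/* Simplified model of the tcp_collapse() copy loop: walk the queue from
 * 'start' to 'end', counting bytes that would be copied into the new skb.
 * Overlapping segments contribute only the part beyond 'start'. Returns the
 * byte count, or -1 at the first hole, which is where the real code hits
 * BUG_ON(offset < 0). */
long collapse_sim(const struct seg *q, size_t n, uint32_t start, uint32_t end)
{
    long copied = 0;
    for (size_t i = 0; i < n && seq_before(start, end); i++) {
        int offset = collapse_offset(start, q[i].seq);
        if (offset < 0)
            return -1;
        int size = (int)(q[i].end_seq - start);
        if (size > 0) {
            copied += size;
            start = q[i].end_seq;
        }
        /* size <= 0: segment lies entirely before 'start', nothing to copy */
    }
    return copied;
}

/* What an ofo-queue collapse must do instead: collapse contiguous runs
 * separately and never across a hole. Returns how many runs (and so how many
 * separate collapse calls) the queue needs. */
int count_runs(const struct seg *q, size_t n)
{
    if (n == 0)
        return 0;
    int runs = 1;
    for (size_t i = 1; i < n; i++)
        if (seq_after(q[i].seq, q[i - 1].end_seq))
            runs++;
    return runs;
}

int main(void)
{
    /* Ben's reported values, reinterpreted as u32. */
    uint32_t start = (uint32_t)-1146162927;
    uint32_t seq = (uint32_t)-1146161468;
    printf("start=%u seq=%u offset=%d hole=%s\n", start, seq,
           collapse_offset(start, seq), seq_after(seq, start) ? "yes" : "no");

    /* Constructed ofo queue with one hole: two runs, collapse across them fails. */
    struct seg ofo[] = { {1000, 1500}, {1600, 2000}, {2000, 2400} };
    printf("ofo: first hole at %d, runs=%d, collapse=%ld\n",
           find_hole(ofo, 3), count_runs(ofo, 3),
           collapse_sim(ofo, 3, 1000, 2400));
    return 0;
}
```

Build with cc -Wall and run. The thing worth seeing is that the (int)(start - seq) the BUG_ON tests is the same wrap-safe before()/after() comparison the stack uses everywhere, so a negative offset is not an artifact of large sequence numbers but a genuine hole in front of 'start', which only an ofo run boundary should be able to produce.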
Thread overview: 16+ messages
2013-06-17 18:08 3.9.5+: Crash in tcp_input.c:4810 Ben Greear
2013-06-17 18:17 ` Eric Dumazet
2013-06-21 19:26 ` Ben Greear
2013-07-01 18:10 ` Ben Greear
2013-07-03 1:04 ` Eric Dumazet [this message]
2013-07-03 3:21 ` Ben Greear
2013-07-03 4:41 ` Eric Dumazet
2013-07-03 4:49 ` Ben Greear
2013-07-03 5:02 ` Eric Dumazet
2013-07-08 17:23 ` Ben Greear
2013-07-08 18:21 ` Eric Dumazet
2013-07-08 18:30 ` Ben Greear
2013-07-08 19:01 ` Eric Dumazet
2013-07-08 19:59 ` Ben Greear
2013-07-08 20:10 ` Eric Dumazet
2013-07-08 20:17 ` Ben Greear