[Top] [All Lists]

Kernel panic in sock_rfree (intel Linux)

To: linux-kernel@xxxxxxxxxxxxxxxx, Linus.Torvalds@xxxxxxxxxxx, pnorton@xxxxxxxx, netdev@xxxxxxxxxxx, davem@xxxxxxxxxx, p2@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Subject: Kernel panic in sock_rfree (intel Linux)
From: stefan.steinert@xxxxxxxxxx
Date: Mon, 7 May 2001 16:43:27 +0200
Sender: owner-netdev@xxxxxxxxxxx


today the kernel on one of our systems crashed with a kernel panic.

IBM Netfinity 7000 M10
Two Intel Pentium III Xeon processors 550 MHz, 512KB Cache each
IBM ServeRAID SCSI controller
Olympic Token Ring card

RedHat Linux 6.2 distribution
Kernel 2.2.14-5.0 (RedHat package name)
  Did the following kernel patches:
  Edited include/asm/shmparam.h. Changed _SHM_ID_BITS to 9.
  Edited include/linux/msg.h. Changed MSGMNI to 1024.
  Edited include/linux/sem.h. Changed SEMMNI to 1024 and SEMMSL to 512.
  Edited include/net/tcp.h. Changed TCP_SYN_RETRIES to 3

The kernel panic occured roughly 80 minutes after system start with
the following message (Written down from the console by hand, might
not be 100% complete)

Warning: kfree_skb passed an skb still on a list (from c0096245)
current->tss.cr3 = 00101000, %cr3 = 00101000
*pde = 00000000
Oops: 0002
CPU:    3
EIP:    0010:[<80151e27>]
EFLAGS: 00010286
eax: 00000fd0   ebx: b3f769c0    ecx: 00020400    edx: 00000000
esi: b3f769c0   edi: 80235d84    ebp: b3f769c0    esp: 8024bf4c
ds: 0018   es: 0018   ss: 0018
Process swapper (pid: 0, process nr: 0, stackpage=8024b000)
Code: f0 29 42 40 c3 53 8b 5c 24 08 83 7c 24 10 00 75 08 8b 43 50

The system did quite a lot of socket operations in its 80 minutes
of uptime. It port scanned a range of IP addresses.

I locked up the symbol table of the running kernel as described in

80151d4e T sk_alloc
80151d89 T sk_free
80151e02 T sock_wfree
80151e1d T sock_rfree
80151e2c T sock_wmalloc
80151e74 T sock_rmalloc
80151ebc T sock_kmalloc

The function that caused the panic seems to be sock_rfree. Following
is the disasembled function taken from the kernel

0x80151e1d :     mov    0x4(%esp,1),%eax
0x80151e21 :     mov    0xc(%eax),%edx
0x80151e24 :     mov    0x78(%eax),%eax
0x80151e27 :     lock sub %eax,0x40(%edx)
0x80151e2b :     ret

The funtion is implemented in net/core/sock.c and looks as follows:

void sock_rfree(struct sk_buff *skb)
        struct sock *sk = skb->sk;

        atomic_sub(skb->truesize, &sk->rmem_alloc);

Now I am not sure on how to proceed.

Could this be some kind of race condition that occurs on multiprocessor
Is this error already known?

MfG/kind regards, Stefan Steinert
IBM R&D Germany
Tel.: (49) +49 7031 16 2173
Fax: (49) +49 7031 16 3328
e-mail: stefan.steinert@xxxxxxxxxx

<Prev in Thread] Current Thread [Next in Thread>
  • Kernel panic in sock_rfree (intel Linux), stefan . steinert <=