I'm working on a network driver for a fibre channel host adapter (the
LSI Logic FC4909, or whatever the marketing department decided to call
it). At various points in my testing, I've managed to kill the system by
calling dev_kfree_skb_irq on a Tx skb.
The scenario goes like this: I'm always at a point in my testing where
I'm hammering out packets very quickly (i.e. `ping -f`, or telneting
into the other system, running vi and holding down an arrow key for a
few seconds), at some point in the test (when is rather unpredictable),
I'll get a packet to transmit, send it off to the host adapter and, when
the host adapter tells me it's done with it, I call dev_kfree_skb_irq
with a pointer to the skb. I'm not doing anything different with it than
I've done with several thousand, sometimes millions, of packets before
The console output is:
Warning: kfree_skb passed and skb still on a list (from c01c4392).
kernel BUG at skbuff.c:276!
Entering kdb (0xc0d00000) Panic: invalid operand
due to panic @ 0xc01c225d
A `bt` in the kernel debugger shows:
I'm currently running 2.4.0-test5 with the kdb patches from oss.sgi.com
although I've seen this since at least 2.3.99-pre6 (I've just now gotten
enough other bugs chased down to pay attention to this one).
Any ideas as to why kfree_skb thinks that the skb is still on a list?
The only thing I do with Tx packets, besides send them, is to add on a
FC Optional header to the start of the packet.
P.S. The driver code has not yet been released, although a few people
outside the company have seen it in various stages. If it would help, I
can post the relevant sections of code.
P.P.S. I'm not on this mailing list, so if whomever (if anyone) replies,
I would greatly appreciate it if you could CC me.