Oops in DCCPv6

Gerrit Renker
Fri, 29 Sep 2006 10:25:13 -0700

While looking at DCCPv6 connections, I encountered the following oops:

Sep 29 17:38:30 gerrit kernel: BUG: unable to handle kernel paging request at 
virtual address 00300084
Sep 29 17:38:30 gerrit kernel:  printing eip:
Sep 29 17:38:30 gerrit kernel: c03bb4ac
Sep 29 17:38:30 gerrit kernel: *pde = 00000000
Sep 29 17:38:30 gerrit kernel: Oops: 0000 [#1]
Sep 29 17:38:30 gerrit kernel: Modules linked in: usbhid sd_mod
Sep 29 17:38:30 gerrit kernel: CPU:    0
Sep 29 17:38:30 gerrit kernel: EIP:    0060:[kfree_skb+9/46]    Not tainted VLI
Sep 29 17:38:30 gerrit kernel: EFLAGS: 00010206   
(2.6.18UDP-Lite-g9937f971-dirty #3)
Sep 29 17:38:31 gerrit kernel: EIP is at kfree_skb+0x9/0x2e
Sep 29 17:38:31 gerrit kernel: eax: 00300000   ebx: f2de2818   ecx: f60663e0   
edx: 00300000
Sep 29 17:38:31 gerrit kernel: esi: f60663f8   edi: f6066000   ebp: f479fd24   
esp: f479fd24
Sep 29 17:38:32 gerrit kernel: ds: 007b   es: 007b   ss: 0068
Sep 29 17:38:32 gerrit kernel: Process ttcp_dccp (pid: 5743, ti=f479e000 
task=f4660ab0 task.ti=f479e000)
Sep 29 17:38:33 gerrit kernel: Stack: f479fd2c c045be46 f479fd58 c03b9070 
c0121085 00000292 f7b0b02c f7b0b02c 
Sep 29 17:38:33 gerrit kernel:        000000f8 f60663e0 f7b0b02c f7b0b02c 
f7b0b02c f479fd88 c03df571 00000002 
Sep 29 17:38:33 gerrit kernel:        c046301a f479fd94 00000246 c041847d 
00000000 00000246 f7b0b02c f7b0b02c 
Sep 29 17:38:33 gerrit kernel: Call Trace:
Sep 29 17:38:33 gerrit kernel:  [dccp_v6_reqsk_destructor+20/22] 
dccp_v6_reqsk_destructor+0x14/0x16
Sep 29 17:38:34 gerrit kernel:  [reqsk_queue_destroy+101/197] 
reqsk_queue_destroy+0x65/0xc5
Sep 29 17:38:34 gerrit kernel:  [inet_csk_listen_stop+46/378] 
inet_csk_listen_stop+0x2e/0x17a
Sep 29 17:38:34 gerrit kernel:  [dccp_close+383/522] dccp_close+0x17f/0x20a
Sep 29 17:38:34 gerrit kernel:  [inet_release+47/76] inet_release+0x2f/0x4c
Sep 29 17:38:35 gerrit kernel:  [inet6_release+40/44] inet6_release+0x28/0x2c
Sep 29 17:38:35 gerrit kernel:  [sock_release+23/115] sock_release+0x17/0x73
Sep 29 17:38:35 gerrit kernel:  [sock_close+33/61] sock_close+0x21/0x3d
Sep 29 17:38:35 gerrit kernel:  [__fput+187/368] __fput+0xbb/0x170
Sep 29 17:38:35 gerrit kernel:  [fput+24/36] fput+0x18/0x24
Sep 29 17:38:35 gerrit kernel:  [filp_close+65/103] filp_close+0x41/0x67
Sep 29 17:38:35 gerrit kernel:  [put_files_struct+126/198] 
put_files_struct+0x7e/0xc6
Sep 29 17:38:35 gerrit kernel:  [do_exit+382/2251] do_exit+0x17e/0x8cb
Sep 29 17:38:35 gerrit kernel:  [do_group_exit+43/123] do_group_exit+0x2b/0x7b
Sep 29 17:38:35 gerrit kernel:  [get_signal_to_deliver+799/1053] 
get_signal_to_deliver+0x31f/0x41d
Sep 29 17:38:35 gerrit kernel:  [do_notify_resume+1007/1780] 
do_notify_resume+0x3ef/0x6f4
Sep 29 17:38:35 gerrit kernel:  [work_notifysig+19/26] work_notifysig+0x13/0x1a
Sep 29 17:38:35 gerrit kernel:  [phys_startup_32+-1210107764/-1073741824] 
0xb7ef388c
Sep 29 17:38:35 gerrit kernel:  =======================
Sep 29 17:38:35 gerrit kernel: Code: 9a 00 00 00 c7 44 24 04 e8 ba 4f c0 c7 04 
24 06 ae 49 c0 e8 1c e2 d5 ff e8 b6 8c d4 ff e9 59 ff ff ff 55 89 e5 89 c2 85 
c0 74 12 <8b> 80 84 00 00 00 83 e8 01 75 09 89 d0 e8 26 ff ff ff 5d c3 ff 
Sep 29 17:38:35 gerrit kernel: EIP: [kfree_skb+9/46] kfree_skb+0x9/0x2e SS:ESP 
0068:f479fd24
Sep 29 17:38:35 gerrit kernel:  <1>Fixing recursive fault but reboot is needed!


-----------------------------------------
CONFIGURATION
 * all DCCP modules built into the kernel
 * latest davem-2.6 tree (DCCP part corresponds to acme-2.6.19)

HOW TO REPRODUCE
 * Oops was encountered on host with listening socket
 * let tccp listen to AF_UNSPEC socket (i.e. both v4/v6)
 * connect from other host to the IPv4 address (but don't actually transfer 
data)
 * kill listening client on host ===> OOPS

I could not find out the exact cause, but the following may be helpful
 * while the oops happened, a lock was held by dccp_close:
   sk_lock-AF_INET6  dccp_close+0x12/0x20a
 * the above suggests the following trace:
    --dccp_close calls inet_csk_listen_stop(sk);
    --inet_csk_listen_stop calls reqsk_queue_destroy
    --the destructor dccp_v6_reqsk_destructor is called later in 
inet_csk_listen_stop,
      in the while loop, which calls inet_csk_destroy_sock
    --inet_csk_destroy_sock calls sk->sk_prot->destroy(sk), which goes to 
dccp_v6_reqsk_destructor

Sorry, I can't offer more explanation.

Gerrit

-
To unsubscribe from this list: send the line "unsubscribe dccp" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to