From patchwork Tue Sep 29 09:18:45 2009 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Eric Dumazet X-Patchwork-Id: 34414 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by ozlabs.org (Postfix) with ESMTP id BDE87B7C1D for ; Tue, 29 Sep 2009 19:19:44 +1000 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753689AbZI2JSq (ORCPT ); Tue, 29 Sep 2009 05:18:46 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1753545AbZI2JSq (ORCPT ); Tue, 29 Sep 2009 05:18:46 -0400 Received: from gw1.cosmosbay.com ([212.99.114.194]:36527 "EHLO gw1.cosmosbay.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753535AbZI2JSp (ORCPT ); Tue, 29 Sep 2009 05:18:45 -0400 Received: from [127.0.0.1] (localhost [127.0.0.1]) by gw1.cosmosbay.com (8.13.7/8.13.7) with ESMTP id n8T9Ijhi013800; Tue, 29 Sep 2009 11:18:46 +0200 Message-ID: <4AC1D0F5.4050709@gmail.com> Date: Tue, 29 Sep 2009 11:18:45 +0200 From: Eric Dumazet User-Agent: Thunderbird 2.0.0.23 (Windows/20090812) MIME-Version: 1.0 To: Francis Moreau CC: Linux Kernel Mailing List , Linux Netdev List , "David S. Miller" Subject: Re: WARNING: at net/ipv4/af_inet.c:154 inet_sock_destruct References: <38b2ab8a0909290109m3f82c161j4fb0f1266152877e@mail.gmail.com> In-Reply-To: <38b2ab8a0909290109m3f82c161j4fb0f1266152877e@mail.gmail.com> X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.6 (gw1.cosmosbay.com [0.0.0.0]); Tue, 29 Sep 2009 11:18:46 +0200 (CEST) Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Francis Moreau a écrit : > Hello, > > I got this kernel warning when stopping nfsd: > > [260104.553720] WARNING: at net/ipv4/af_inet.c:154 > inet_sock_destruct+0x164/0x182() > [260104.553722] Hardware name: P5K-VM > [260104.553724] Modules linked in: jfs loop nfsd lockd nfs_acl > auth_rpcgss exportfs sunrpc [last unloaded: microcode] > [260104.553736] Pid: 858, comm: nfsd Tainted: G M 2.6.31 #13 > [260104.553738] Call Trace: > [260104.553743] [] ? inet_sock_destruct+0x164/0x182 > [260104.553748] [] warn_slowpath_common+0x7c/0xa9 > [260104.553751] [] warn_slowpath_null+0x14/0x16 > [260104.553754] [] inet_sock_destruct+0x164/0x182 > [260104.553759] [] __sk_free+0x23/0xe7 > [260104.553762] [] sk_free+0x1f/0x21 > [260104.553765] [] sk_common_release+0xc8/0xcd > [260104.553769] [] udp_lib_close+0xe/0x10 > [260104.553772] [] inet_release+0x55/0x5c > [260104.553775] [] sock_release+0x1f/0x71 > [260104.553778] [] sock_close+0x27/0x2b > [260104.553782] [] __fput+0xfb/0x1c0 > [260104.553787] [] ? local_bh_disable+0x12/0x14 > [260104.553790] [] fput+0x1d/0x1f > [260104.553810] [] svc_sock_free+0x40/0x56 [sunrpc] > [260104.553827] [] svc_xprt_free+0x43/0x53 [sunrpc] > [260104.553843] [] ? svc_xprt_free+0x0/0x53 [sunrpc] > [260104.553847] [] kref_put+0x43/0x4f > [260104.553863] [] svc_close_xprt+0x55/0x5e [sunrpc] > [260104.553879] [] svc_close_all+0x50/0x69 [sunrpc] > [260104.553894] [] svc_destroy+0x9e/0x142 [sunrpc] > [260104.553910] [] svc_exit_thread+0xb9/0xc2 [sunrpc] > [260104.553922] [] ? nfsd+0x0/0x151 [nfsd] > [260104.553932] [] nfsd+0x137/0x151 [nfsd] > [260104.553936] [] kthread+0x94/0x9c > [260104.553941] [] child_rip+0xa/0x20 > [260104.553944] [] ? do_exit+0x5d7/0x691 > [260104.553948] [] ? finish_task_switch+0x6a/0xc7 > [260104.553953] [] ? restore_args+0x0/0x30 > [260104.553956] [] ? kthread+0x0/0x9c > [260104.553959] [] ? child_rip+0x0/0x20 > > It happens on 2.6.31 and older kernels as well though I don't remember > when it really started. Could you please try following patch ? Thanks [PATCH] net: Fix sock_wfree() race Commit 2b85a34e911bf483c27cfdd124aeb1605145dc80 (net: No more expensive sock_hold()/sock_put() on each tx) opens a window in sock_wfree() where another cpu might free the socket we are working on. A fix is to call sk->sk_write_space(sk) while still holding a reference on sk. Reported-by: Jike Song Signed-off-by: Eric Dumazet --- net/core/sock.c | 19 ++++++++++++------- 1 files changed, 12 insertions(+), 7 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/net/core/sock.c b/net/core/sock.c index 30d5446..e1f034e 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -1228,17 +1228,22 @@ void __init sk_init(void) void sock_wfree(struct sk_buff *skb) { struct sock *sk = skb->sk; - int res; + unsigned int len = skb->truesize; - /* In case it might be waiting for more memory. */ - res = atomic_sub_return(skb->truesize, &sk->sk_wmem_alloc); - if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) + if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) { + /* + * Keep a reference on sk_wmem_alloc, this will be released + * after sk_write_space() call + */ + atomic_sub(len - 1, &sk->sk_wmem_alloc); sk->sk_write_space(sk); + len = 1; + } /* - * if sk_wmem_alloc reached 0, we are last user and should - * free this sock, as sk_free() call could not do it. + * if sk_wmem_alloc reaches 0, we must finish what sk_free() + * could not do because of in-flight packets */ - if (res == 0) + if (atomic_sub_and_test(len, &sk->sk_wmem_alloc)) __sk_free(sk); } EXPORT_SYMBOL(sock_wfree);