Bug 34622 - WARNING: at include/linux/skbuff.h:457 ip_cmsg_recv_pktinfo+0xa6/0xb0
Status: CLOSED CODE_FIX
Alias: None
Product: Networking
Classification: Unclassified
Component: IPV4
Hardware: All Linux
Importance: P1 normal
Assignee: Stephen Hemminger
Reported: 2011-05-06 12:15 UTC by Witold Baryluk
Modified: 2011-05-30 08:39 UTC
Kernel Version: 2.6.39-rc6-00569-g5895198
Regression: Yes
Attachments
kernel configuration (84.75 KB, application/octet-stream)
2011-05-06 12:15 UTC, Witold Baryluk

Description Witold Baryluk 2011-05-06 12:15:40 UTC
Created attachment 56822
kernel configuration

Hi.

# uname -a
Linux sredniczarny 2.6.39-rc6-00569-g5895198-dirty #22 SMP PREEMPT Thu May 5 20:10:35 CEST 2011 i686 GNU/Linux


relevant part of dmesg:

------------[ cut here ]------------
WARNING: at include/linux/skbuff.h:457 ip_cmsg_recv_pktinfo+0xa6/0xb0()
Hardware name: 2669UYD
Modules linked in: isofs vboxnetadp vboxnetflt nfsd ebtable_nat ebtables lib80211_crypt_ccmp uinput xcbc hdaps tp_smapi thinkpad_ec radeonfb fb_ddc radeon ttm drm_kms_helper drm ipw2200 intel_agp intel_gtt libipw i2c_algo_bit i2c_i801 agpgart rng_core cfbfillrect cfbcopyarea cfbimgblt video raid10 raid1 raid0 linear md_mod vboxdrv
Pid: 4697, comm: miredo Not tainted 2.6.39-rc6-00569-g5895198-dirty #22
Call Trace:
 [<c17746b6>] ? printk+0x1d/0x1f
 [<c1058302>] warn_slowpath_common+0x72/0xa0
 [<c15bbca6>] ? ip_cmsg_recv_pktinfo+0xa6/0xb0
 [<c15bbca6>] ? ip_cmsg_recv_pktinfo+0xa6/0xb0
 [<c1058350>] warn_slowpath_null+0x20/0x30
 [<c15bbca6>] ip_cmsg_recv_pktinfo+0xa6/0xb0
 [<c15bbdd7>] ip_cmsg_recv+0x127/0x260
 [<c154f82d>] ? skb_dequeue+0x4d/0x70
 [<c1555523>] ? skb_copy_datagram_iovec+0x53/0x300
 [<c178e834>] ? sub_preempt_count+0x24/0x50
 [<c15bdd2d>] ip_recv_error+0x23d/0x270
 [<c15de554>] udp_recvmsg+0x264/0x2b0
 [<c15ea659>] inet_recvmsg+0xd9/0x130
 [<c1547752>] sock_recvmsg+0xf2/0x120
 [<c11179cb>] ? might_fault+0x4b/0xa0
 [<c15546bc>] ? verify_iovec+0x4c/0xc0
 [<c1547660>] ? sock_recvmsg_nosec+0x100/0x100
 [<c1548294>] __sys_recvmsg+0x114/0x1e0
 [<c1093895>] ? __lock_acquire+0x365/0x780
 [<c1148b66>] ? fget_light+0xa6/0x3e0
 [<c1148b7f>] ? fget_light+0xbf/0x3e0
 [<c1148aee>] ? fget_light+0x2e/0x3e0
 [<c1549f29>] sys_recvmsg+0x39/0x60
 [<c154a473>] sys_socketcall+0x2d3/0x2f0
 [<c10bbcac>] ? audit_syscall_entry+0x2ac/0x2d0
 [<c132ce98>] ? trace_hardirqs_on_thunk+0xc/0x10
 [<c17921d8>] sysenter_do_call+0x12/0x38
---[ end trace 7d87d515c294ab32 ]---
------------[ cut here ]------------



(Before that there are essentially no strange things.)

Easily reproducible, happens very often (from once a second to once a minute).

# grep WARNING /var/log/messages | grep ip_cmsg_recv_pktinfo | wc -l
50
#

Compiled using gcc-4.6.0-6 on Debian unstable.

Thanks.

PS. kerneloops.org looks to be dead, why oh why, it was a nice and automated service.
Comment 1 Witold Baryluk 2011-05-09 23:05:13 UTC
Still happens in 2.6.39-rc6-00585-gc2bf807-dirty
Comment 2 Witold Baryluk 2011-05-17 18:48:21 UTC
git blame points me to this commit:

commit 7fee226ad2397b635e2fd565a59ca3ae08a164cd
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Tue May 11 23:19:48 2010 +0000

    net: add a noref bit on skb dst
    
    Use low order bit of skb->_skb_dst to tell dst is not refcounted.
    
    Change _skb_dst to _skb_refdst to make sure all uses are catched.
    
    skb_dst() returns the dst, regardless of noref bit set or not, but
    with a lockdep check to make sure a noref dst is not given if current
    user is not rcu protected.
    
    New skb_dst_set_noref() helper to set an notrefcounted dst on a skb.
    (with lockdep check)
    
    skb_dst_drop() drops a reference only if skb dst was refcounted.
    
    skb_dst_force() helper is used to force a refcount on dst, when skb
    is queued and not anymore RCU protected.
    
    Use skb_dst_force() in __sk_add_backlog(), __dev_xmit_skb() if
    !IFF_XMIT_DST_RELEASE or skb enqueued on qdisc queue, in
    sock_queue_rcv_skb(), in __nf_queue().
    
    Use skb_dst_force() in dev_requeue_skb().
    
    Note: dst_use_noref() still dirties dst, we might transform it
    later to do one dirtying per jiffies.
    
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
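
The noref mechanism described in the commit message above, as an added user-space model (not kernel code and not part of the original report). The structs and `refs_while_queued()` are simplified stand-ins and RCU itself is not modelled; the point is that a skb carrying a noref dst pins nothing while it sits on a queue unless `skb_dst_force()` runs first.

```c
/* User-space model of the noref bit; an added illustration, not kernel code. */
#include <stdint.h>
#include <stdio.h>

#define SKB_DST_NOREF   1UL                 /* low-order tag bit from the commit message */
#define SKB_DST_PTRMASK (~SKB_DST_NOREF)

struct dst { int refcnt; };                 /* stand-in for struct dst_entry */
struct skb { uintptr_t refdst; };           /* stand-in for skb->_skb_refdst */

/* Return the dst pointer regardless of the tag bit. */
static struct dst *skb_dst(const struct skb *s) { return (struct dst *)(s->refdst & SKB_DST_PTRMASK); }
static int skb_dst_is_noref(const struct skb *s) { return (s->refdst & SKB_DST_NOREF) && skb_dst(s); }

/* Borrow the dst: no refcount taken, so it is only safe inside the RCU section. */
static void skb_dst_set_noref(struct skb *s, struct dst *d) { s->refdst = (uintptr_t)d | SKB_DST_NOREF; }

/* Turn a borrowed dst into an owned one; needed before the skb is queued. */
static void skb_dst_force(struct skb *s)
{
    if (skb_dst_is_noref(s)) {
        skb_dst(s)->refcnt++;
        s->refdst &= SKB_DST_PTRMASK;
    }
}

/* Drop a reference only if the skb actually holds one. */
static void skb_dst_drop(struct skb *s)
{
    if (s->refdst && !skb_dst_is_noref(s))
        skb_dst(s)->refcnt--;
    s->refdst = 0;
}

/* Returns the route refcount while the skb is queued; *after gets it post-drop. */
int refs_while_queued(int force_before_queue, int *after)
{
    struct dst route = { .refcnt = 1 };     /* 1 = the routing table's own reference */
    struct skb s = { 0 };
    int queued;

    skb_dst_set_noref(&s, &route);
    if (force_before_queue)
        skb_dst_force(&s);
    queued = route.refcnt;                  /* 1: skb pins nothing; 2: skb pins the route */
    skb_dst_drop(&s);
    *after = route.refcnt;
    return queued;
}

int main(void) { int a, b; int q0 = refs_while_queued(0, &a), q1 = refs_while_queued(1, &b); printf("%d/%d %d/%d\n", q0, a, q1, b); return 0; }
```
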
Comment 3 Eric Dumazet 2011-05-17 22:57:58 UTC
Hi

Thanks for the report.

Please try the following patch:

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 7ebeed0..3e934fe 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2993,6 +2993,9 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
 	skb->destructor = sock_rmem_free;
 	atomic_add(skb->truesize, &sk->sk_rmem_alloc);
 
+	/* before exiting rcu section, make sure dst is refcounted */
+	skb_dst_force(skb);
+
 	skb_queue_tail(&sk->sk_error_queue, skb);
 	if (!sock_flag(sk, SOCK_DEAD))
 		sk->sk_data_ready(sk, skb->len);
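
Review bot: The comment above the added skb_dst_force(skb) call does not say which later reader needs the reference. Since the call has to stay ahead of skb_queue_tail(&sk->sk_error_queue, skb), name the consumer in the comment (per the trace in this report, recvmsg reaching ip_cmsg_recv_pktinfo via ip_recv_error) so a later reordering of this function does not move it below the enqueue. As posted, the patch also has no changelog or Signed-off-by, and it would help to reference the noref commit from comment 2 that added skb_dst_force() to the other queueing paths.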
Comment 4 Florian Mickler 2011-05-30 07:22:52 UTC
A patch referencing this bug report has been merged in v3.0-rc1:

commit abb57ea48fd9431fa320a5c55f73e6b5a44c2efb
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Wed May 18 02:21:31 2011 -0400

    net: add skb_dst_force() in sock_queue_err_skb()
