Bug 458116

Summary:	=sys-kernel/gentoo-sources-{3.7.5,3.8.3} - skb_over_panic by "java" process, invalid opcode 0000 in RIP skb_put called by tcp_sendmsg when sysctl net.ipv4.tcp_mtu_probing!=0; different call stacks, same head and bottom.
Product:	Gentoo Linux	Reporter:	El Goretto <el.goretto>
Component:	[OLD] Core system	Assignee:	Gentoo Kernel Bug Wranglers and Kernel Maintainers <kernel>
Status:	RESOLVED NEEDINFO
Severity:	normal
Priority:	Normal
Version:	unspecified
Hardware:	AMD64
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	vanilla 3.7.5 kernel config file Kernel error messages collection (newest at the end of file)

Description El Goretto 2013-02-18 12:56:11 UTC

Hi,

Short version:
I did some troubleshoot before reporting this one, and all comes down to sysctl net.ipv4.tcp_mtu_probing which causes application crashes now (on 3.7.5 kernel) being reported as "kernel BUG".
Validated on 3.5.4-hardened-r1, 3.7.0-hardened, vanilla 3.7.5.
Error message on vanilla 3.7.5, when a java application crashes (complete version will be attached):
[204637.696945] skbuff: skb_over_panic: text:ffffffff81501c64 len:1568 put:768 head:ffff8800283cf800 data:ffff8800283cf9a0 tail:0
x7c0 end:0x6c0 dev:<NULL>
[204637.700263] kernel BUG at net/core/skbuff.c:127!
[204637.701365] invalid opcode: 0000 [#1] SMP
[204637.702487] CPU 0
[204637.702510] Pid: 2262, comm: java Not tainted 3.7.5 #1 HP ProLiant MicroServer
[...]
[204637.727627] Call Trace:
[204637.729164]  [<ffffffff81501c64>] ? tcp_sendmsg+0x584/0xd00
[...]
[204637.738484]  [<ffffffff815ba792>] ? system_call_fastpath+0x16/0x1b


Long version:
I first got 2-3 kernel panics (which were suspected originating from vsftpd crashing and hardened-sources security feature provoking a panic in response to a process crash when running as root).
Then I disabled this security feature, turned vsftpd off.
Right after I2P java process went regularly crashing (100% crashes were happening within 48hours), always with the same error message (see above). The application, the hardware, the kernel hardened patchset and the JVM were tested and validated as not being the cause of this.
I reproduced it on a vanilla kernel, and none of this happens when net.ipv4.tcp_mtu_probing=0. Of course, back then and thanks to sysctl.conf mtime, I realized I just set net.ipv4.tcp_mtu_probing=1 right before problems arised...

What now?
So basically, I'm trying to find a more handy/reliable way to reproduce this kernel bug than running an I2P router for more than 48h... Feel free to come up with suggestion on this. So far, I've not tried to set net.ipv4.tcp_mtu_probing=2, which could trigger the bug more rapidly. Additionaly I would like to find another application/test for people to replicate this too.
And of course I'm trying to get my observations confirmed by someone else.

Reproducible: Always

Steps to Reproduce:
1.sysctl net.ipv4.tcp_mtu_probing=1
2.start some heavily networking application (like I2P router in my case)
3.see application crash (may probably cause kernel panics some times)
Actual Results:  
Network related application crashing with tcp_sendmsg/skb related kernel message.

Expected Results:  
Application running happilly for days... weeks...

ortage 2.1.11.50 (hardened/linux/amd64, gcc-4.6.3, glibc-2.15-r3, 3.7.5-hardened x86_64)
=================================================================
System uname: Linux-3.7.5-hardened-x86_64-AMD_Turion-tm-_II_Neo_N40L_Dual-Core_Processor-with-gentoo-2.1
KiB Mem:     2014196 total,    157196 free
KiB Swap:    2097148 total,   2063436 free
Timestamp of tree: Sun, 17 Feb 2013 03:45:01 +0000
ld GNU ld (GNU Binutils) 2.22
ccache version 3.1.8 [enabled]
app-shells/bash:          4.2_p37
dev-java/java-config:     2.1.12-r1
dev-lang/python:          2.7.3-r2, 3.2.3
dev-util/ccache:          3.1.8
dev-util/cmake:           2.8.9
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.69
sys-devel/automake:       1.11.6
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.6.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.6 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo zugaina x-portage
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=native -msse4a -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/i2p /opt/i2p/*.config /usr/share/openvpn/easy-rsa"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=native -msse4a -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildsyspkg ccache config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync metadata-transfer news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="ftp://ftp.free.fr/mirrors/ftp.gentoo.org/ http://gentoo.modulix.net/gentoo/ ftp://gentoo.imj.fr/pub/gentoo/"
LANG="fr_FR.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/var/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/zugaina /usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext acl aio amd64 bash-completion bzip2 caps cli cracklib cxx dri gpm hardened hardenedphp iconv ipv6 ithreads justify lm_sensors logrotate mmx mmxext modules mudflap multilib ncurses nfs nls nptl openmp pam pax_kernel pcre pic readline session sse sse2 sse3 sse4a ssl threads threadsafe unicode urandom zlib" ABI_X86="64" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en fr" NGINX_MODULES_HTTP="auth_basic autoindex gzip proxy rewrite fastcgi uwsgi" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

Comment 1 El Goretto 2013-02-18 12:59:11 UTC

Created attachment 339242 [details]
vanilla 3.7.5 kernel config file

Comment 2 El Goretto 2013-02-18 13:01:21 UTC

Created attachment 339244 [details]
Kernel error messages collection (newest at the end of file)

Comment 3 Tom Wijsman (TomWij) (RETIRED) gentoo-dev

2013-03-08 15:36:52 UTC

Can you try a more recent kernel like 3.8.2, a long term support kernel like 3.4.34 and / or a development kernel like 3.9_rc1? This would point out whether the issue is still present in current kernels. I assume this to be a broken network driver that makes skb crazy; though, also interesting is that it is writing through VFS (virtual file system) so I assume it is trying to write something over the network...

Comment 4 El Goretto 2013-03-19 09:29:56 UTC

(In reply to comment #3)
> Can you try a more recent kernel like 3.8.2, a long term support kernel like
> 3.4.34 and / or a development kernel like 3.9_rc1? This would point out
> whether the issue is still present in current kernels. I assume this to be a
> broken network driver that makes skb crazy; though, also interesting is that
> it is writing through VFS (virtual file system) so I assume it is trying to
> write something over the network...

Ok, I tried a 3.9rc2 git-sources kernel but it didn't compile, so... I tried a 3.4.36 LTS kernel: same bug.
I'll soon try a 3.8.3 hardened-sources kernel (as it's a vanilla-sources bug, it won't matter), but I'm confident in the fact it will still trigger it.

The good point is that the process that was killed this time is Tor, another heavy networking application (I2P was first impacted):

[19808.653912] skb_over_panic: text:ffffffff814de8fa len:1568 put:1054 head:ffff880031242000 data:ffff8800312420e8 tail:0x708 end:0x6c0 dev:<NULL>
[19808.656089] ------------[ cut here ]------------
[19808.657085] kernel BUG at net/core/skbuff.c:127!
[19808.657088] invalid opcode: 0000 [#1] SMP
[19808.657091] CPU 0
[19808.657096] Pid: 2659, comm: tor Not tainted 3.4.36 #1 HP ProLiant MicroServer
[19808.657100] RIP: 0010:[<ffffffff81498a76>]  [<ffffffff81498a76>] skb_put+0x86/0x90
[19808.657109] RSP: 0018:ffff88003f8efc78  EFLAGS: 00010292
[19808.657112] RAX: 0000000000000099 RBX: 000000000000041e RCX: 00000000000000c6
[19808.657115] RDX: 0000000000000000 RSI: 0000000000000046 RDI: ffffffff8185cf14
[19808.657117] RBP: 000000000000102a R08: 0000000000000000 R09: 0000000000000000
[19808.657120] R10: 0000000000000000 R11: 0000000000002000 R12: ffff88003f893180
[19808.657123] R13: ffff88003111f6c0 R14: 0000000000008160 R15: 0000000000000000
[19808.657127] FS:  00007ff7dc027700(0000) GS:ffff88007dc00000(0000) knlGS:0000000000000000
[19808.657130] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[19808.657132] CR2: 00007ff5a5b0e900 CR3: 000000004925d000 CR4: 00000000000007f0
[19808.657135] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[19808.657137] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[19808.657140] Process tor (pid: 2659, threadinfo ffff88003f8ee000, task ffff88004933ce00)
[19808.657142] Stack:
[19808.657144]  0000000000000708 00000000000006c0 ffffffff817310ce ffff88003111f6c0
[19808.657148]  0000000000000001 ffffffff814de8fa 0000000000000000 ffffea000000024a
[19808.657151]  000000000000024a 0000000000000002 ffff88003f8efd02 00007ff7e396a396
[19808.657154] Call Trace:
[19808.657161]  [<ffffffff814de8fa>] ? tcp_sendmsg+0x3ba/0xda0
[19808.657166]  [<ffffffff81490223>] ? sock_aio_write+0x103/0x130
[19808.657172]  [<ffffffff810b77f0>] ? do_sync_write+0xc0/0x100
[19808.657177]  [<ffffffff81050fc5>] ? set_next_entity+0x35/0x70
[19808.657180]  [<ffffffff810b7995>] ? vfs_write+0x165/0x180
[19808.657184]  [<ffffffff810b7a87>] ? sys_write+0x47/0x90
[19808.657189]  [<ffffffff81595b62>] ? system_call_fastpath+0x16/0x1b
[19808.657191] Code: 4c 24 10 8b 8f bc 00 00 00 48 89 4c 24 08 8b bf b8 00 00 00 89 f1 48 8b 74 24 28 48 89 3c 24 48 c7 c7 d0 49 73 81 e8 04 58 0f 00 <0f> 0b 0f 1f 84 00 00 00 00 00 41 55 b9 ff ff ff ff 41 54 41 89
[19808.657215] RIP  [<ffffffff81498a76>] skb_put+0x86/0x90
[19808.657218]  RSP <ffff88003f8efc78>
[19808.665073] ---[ end trace 2770b033a903dfd1 ]---

Comment 5 El Goretto 2013-03-19 10:21:34 UTC

I forgot to mention the network card related info:

02:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5723 Gigabit Ethernet PCIe (rev 10)
        Subsystem: Hewlett-Packard Company NC107i Integrated PCI Express Gigabit Server Adapter
        Flags: bus master, fast devsel, latency 0, IRQ 42
        Memory at fe9f0000 (64-bit, non-prefetchable) [size=64K]
        Capabilities: [48] Power Management version 3
        Capabilities: [40] Vital Product Data
        Capabilities: [60] Vendor Specific Information: Len=6c <?>
        Capabilities: [50] MSI: Enable+ Count=1/1 Maskable- 64bit+
        Capabilities: [cc] Express Endpoint, MSI 00
        Capabilities: [100] Advanced Error Reporting
        Capabilities: [13c] Virtual Channel
        Capabilities: [160] Device Serial Number 00-9c-02-ff-fe-9f-8a-ac
        Capabilities: [16c] Power Budgeting <?>
        Kernel driver in use: tg3

Numeric version:
02:00.0 0200: 14e4:165b (rev 10)
        Subsystem: 103c:705d

I'll remove the "3.7.5" mention in the bug summary as soon as I confirm it on a 3.8 kernel too.

Comment 6 El Goretto 2013-03-20 09:29:04 UTC

Same issue with a 3.8.3 kernel.

28386.789181] skbuff: skb_over_panic: text:ffffffff8159a3f9 len:1568 put:768 head:ffff8800723e0000 data:ffff8800723e01a0 tail:0x7c0 end:0x6c0 dev:<NULL>
[28386.791595] invalid opcode: 0000 [#1] SMP
[28386.792826] CPU 1
[28386.792827] Pid: 2040, comm: java Not tainted 3.8.3-hardened #1 HP ProLiant MicroServer
[...]
[28386.792891] Call Trace:
[28386.792901]  [<ffffffff8159a3f9>] ? tcp_sendmsg+0x759/0x1700
[28386.792909]  [<ffffffff81065a05>] ? set_next_entity+0x35/0x80
[28386.792914]  [<ffffffff8103c9ed>] ? current_fs_time+0xd/0x50
[28386.792921]  [<ffffffff8105abd8>] ? __remove_hrtimer+0x58/0xc0
[28386.792925]  [<ffffffff81538749>] ? sock_aio_write+0x109/0x140
[28386.792933]  [<ffffffff81115d4b>] ? ep_scan_ready_list.isra.18+0x17b/0x180
[28386.792938]  [<ffffffff810d356a>] ? do_sync_write+0x9a/0xe0
[28386.792943]  [<ffffffff810d3759>] ? vfs_write+0x1a9/0x220
[28386.792949]  [<ffffffff8165947e>] ? sysret_check+0x1c/0x58
[28386.792953]  [<ffffffff810d38c0>] ? sys_write+0x50/0xa0
[28386.792958]  [<ffffffff81659458>] ? system_call_fastpath+0x18/0x1d
[...]
[28386.801016] ---[ end trace db66e185ec8bacfe ]---

Comment 7 Tom Wijsman (TomWij) (RETIRED) gentoo-dev

2013-04-16 17:13:01 UTC

Have you tried to update java or use a different implementation?

I don't see anything wrong with the skb_put function nor can much be found about it upstream, since it is so common I assume the problem not to be in that function. Therefore I assume that java is calling the function in a wrong way, likely with incorrect information.

Comment 8 El Goretto 2013-04-16 18:16:41 UTC

(In reply to comment #7)
> Have you tried to update java or use a different implementation?
> 
> I don't see anything wrong with the skb_put function nor can much be found
> about it upstream, since it is so common I assume the problem not to be in
> that function. Therefore I assume that java is calling the function in a
> wrong way, likely with incorrect information.

As I said (in a verrrrry concise way in first message :)), I verified that the JVM wasn't in cause (sun/oracle or icedtea and different versions (1.6/1.7)). Plus, Tor (no java at all) triggers the same issue.

Comment 9 Tom Wijsman (TomWij) (RETIRED) gentoo-dev

2013-08-12 21:55:12 UTC

Hmm, I really don't have a clue on this one especially since the call traces differ so there is some randomization in how it comes to that point, sounds like something you would need to look into with a kernel debugger but that comes more tricky with a random bug like this; could you try the most recent upstream stable kernel =sys-kernel/gentoo-sources-3.10.6 and upstream development kernel =sys-kernel/git-sources-3.11_rc5 to see if it has since been fixed?

If not, then please file this upstream at https://bugzilla.kernel.org and leave us a link behind to the upstream bug; thank you very much in advance.

Comment 10 Tom Wijsman (TomWij) (RETIRED) gentoo-dev

2013-10-14 15:47:03 UTC

(In reply to Tom Wijsman (TomWij) from comment #9)
> Hmm, I really don't have a clue on this one especially since the call traces
> differ so there is some randomization in how it comes to that point, sounds
> like something you would need to look into with a kernel debugger but that
> comes more tricky with a random bug like this; could you try the most recent
> upstream stable kernel =sys-kernel/gentoo-sources-3.10.6 and upstream
> development kernel =sys-kernel/git-sources-3.11_rc5 to see if it has since
> been fixed?
> 
> If not, then please file this upstream at https://bugzilla.kernel.org and
> leave us a link behind to the upstream bug; thank you very much in advance.

As this doesn't occur too often and it kind of hard to pinpoint; as well as no further information, I am closing this for now until it becomes more apparent. When it does happen again, consider filing a bug upstream and letting us know about that. Good luck and thank you in advance.

Comment 11 El Goretto 2014-12-31 11:48:25 UTC

(In reply to Tom Wijsman (TomWij) from comment #10)
> As this doesn't occur too often and it kind of hard to pinpoint; as well as
> no further information, I am closing this for now until it becomes more
> apparent. When it does happen again, consider filing a bug upstream and
> letting us know about that. Good luck and thank you in advance.

I do not intend to reopen this bug, only to write down some of the latest thoughts I had while reading this: http://staff.psc.edu/mathis/MTU/
Especially about the "Opportunistic jumbo MTU discovery" that is in fact describing the mecanism behind net.ipv4.tcp_mtu_probing I think.

I can't prove it because the machine was decommissioned, but here is what I think:
- this broadcom chip (tg3 driver) doesn't support MTU beyond 1500. I should have seen that! I only saw that when getting the machine offline...
- net.ipv4.tcp_mtu_probing=1 makes the problem not correctly reproducible. Of course! I should have read the documentation carefully: 1 - Disabled by default, enabled when an ICMP black hole detected. Back then, I should have set it to 2 (2 - Always enabled, use initial MSS of tcp_base_mss).

So, my guess is that when an ICMP black hole was detected (only once in a while, making it so hard to reproduce it reliably), "TCP Packetization-Layer Path MTU Discovery" was triggered but maybe the mecanisme wasn't take care of the case that the NIC doesn't support the MTU it is supposed to test.

Well, that's not much, but that only to write it down somewhere.

Anyway, thank you very much for your help Tom, back then.