Spin lock lockup issue while disconnecting the data call

by Shirish Agarwal » Tue, 07 Jul 2009 14:47:24 GMT

I am working on the donut/2.6.29 kernel release and getting the following
crash while disconnecting the data call.

<6>[ 253.744488] rmnet_stop()
<0>[ 262.856377] BUG: spinlock lockup on CPU#0, er.ServerThread/1006,
<4>[ 262.856443] [<c003015c>] (dump_stack+0x0/0x14) from [<c017f1ec>]
<4>[ 262.856605] [<c017f0f8>] (_raw_spin_lock+0x0/0x130) from [<c0302874>] (_spin_lock_bh+0x54/0x5c)
<4>[ 262.856742] [<c0302820>] (_spin_lock_bh+0x0/0x5c) from [<c029dda8>] (inet_unhash+0x68/0xac)
<4>[ 262.856872] r5:cc9f7b04 r4:cbb9e5c0
<4>[ 262.856935] [<c029dd40>] (inet_unhash+0x0/0xac) from [<c02a0c60>] (tcp_set_state+0xe8/0x170)
<4>[ 262.857063] r5:cbb9e5c0 r4:cbcf0000
<4>[ 262.857125] [<c02a0b78>] (tcp_set_state+0x0/0x170) from [<c02a0d34>] (tcp_done+0x4c/0x8c)
<4>[ 262.857247] r7:c08ffb04 r6:000006f7 r5:cbb9e5c8 r4:cbb9e5c0
<4>[ 262.857350] [<c02a0ce8>] (tcp_done+0x0/0x8c) from [<c02b2344>]
<4>[ 262.857472] r4:cbb9e5c0
<4>[ 262.857513] [<c02b22b8>] (tcp_v4_nuke_addr+0x0/0xd0) from [<c02be234>] (devinet_ioctl+0x6d8/0x788)
<4>[ 262.857655] [<c02bdb5c>] (devinet_ioctl+0x0/0x788) from [<c02becb0>] (inet_ioctl+0xcc/0xfc)
<4>[ 262.857782] [<c02bebe4>] (inet_ioctl+0x0/0xfc) from [<c026e2fc>]
<4>[ 262.857935] [<c026e114>] (sock_ioctl+0x0/0x248) from [<c00e1800>] (vfs_ioctl+0x38/0x98)
<4>[ 262.858075] r6:45583d4c r5:00008939 r4:c91f8c80
<4>[ 262.858158] [<c00e17c8>] (vfs_ioctl+0x0/0x98) from [<c00e1e6c>]
<4>[ 262.858283] r6:45583d4c r5:cc247120 r4:c91f8c80
<4>[ 262.858368] [<c00e1958>] (do_vfs_ioctl+0x0/0x568) from [<c00e1f00>] (sys_ioctl+0x40/0x64)
<4>[ 262.858492] r9:cbcf0000 r8:c002bfa8 r7:c91f8c80 r6:00008939
<4>[ 262.858607] r4:00000045
<4>[ 262.858650] [<c00e1ec0>] (sys_ioctl+0x0/0x64) from [<c002be00>]
<4>[ 262.858773] r7:00000036 r6:45583d4c r5:45583d5c r4:adb040c8

Following is my analysis:

While disabling the data call, the Android framework calls the function
ifc_reset_connections(), i.e. the SIOCKILLADDR ioctl.
The crash occurs while processing the SIOCKILLADDR ioctl in the kernel
because it tries to take the same lock two times without releasing the
earlier one: once in tcp_v4_nuke_addr() and a second time in the
inet_unhash() function (when sk_state != TCP_LISTEN). This seems to be a
spin lock recursion problem.

There were changes to the locking mechanism as part of 2.6.29:
earlier, in 2.6.27, it used to take a read/write lock, but those were
replaced by spin locks in 2.6.29.
The tcp_v4_nuke_addr() function is in kernel/net/ipv4/tcp_ipv4.c and
the inet_unhash() function is in kernel/net/ipv4/inet_hashtables.c.

I have printed the lock address in both of the above functions.

<6>[ 92.246526] rmnet_stop()
<0>[ 92.301602] ----- in tcp_v4_nuke_addr, lock=CBE12658
<0>[ 92.301602] ----- in inet_unhash, lock=CBE12658

It seems to be a bug in the 2.6.29 kernel implementation of the
SIOCKILLADDR ioctl. Is anyone aware of this issue?
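As an added illustration (not code from the post or from the kernel), a small C model of the recursion the analysis describes: a spinlock that records its owner, so a re-take by the same context is reported the way the debug spinlock checks behind "BUG: spinlock lockup" report it instead of spinning forever, a stand-in for inet_unhash() that takes the bucket lock, and the nuke path in two orderings, one holding the bucket lock across the tcp_done chain and one dropping it first. All names here are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed model (hypothetical names, not kernel code) of the recursion
 * in the post: the lock records its owner, in the spirit of the debug
 * spinlock checks behind "BUG: spinlock lockup", so a re-take by the same
 * context is reported instead of spinning forever. */
struct dbg_spinlock { int locked; int owner; };
#define NO_OWNER (-1)
static bool dbg_spin_lock(struct dbg_spinlock *l, int ctx)
{
    if (l->locked && l->owner == ctx) {      /* a plain spinlock would hang */
        printf("BUG: spinlock recursion on %p by ctx %d\n", (void *)l, ctx);
        return false;
    }
    l->locked = 1; l->owner = ctx;
    return true;
}
static void dbg_spin_unlock(struct dbg_spinlock *l) { l->locked = 0; l->owner = NO_OWNER; }

/* One bucket lock shared by both paths, as the two printed addresses show. */
static struct dbg_spinlock ehash_lock = { 0, NO_OWNER };
/* Stands in for inet_unhash() on a non-listening socket. */
static bool model_inet_unhash(int ctx)
{
    if (!dbg_spin_lock(&ehash_lock, ctx)) return false;
    dbg_spin_unlock(&ehash_lock);            /* chain removal elided */
    return true;
}

/* Ordering from the post: the bucket lock is still held when the
 * tcp_done -> tcp_set_state -> inet_unhash chain re-takes it. */
bool nuke_addr_lock_held(int ctx)
{
    if (!dbg_spin_lock(&ehash_lock, ctx)) return false;
    bool ok = model_inet_unhash(ctx);        /* stands in for tcp_done(sk) */
    dbg_spin_unlock(&ehash_lock);
    return ok;                               /* false: recursion detected */
}

/* Safe ordering: release the bucket lock before calling code that takes it
 * itself, then re-acquire to continue walking the bucket. */
bool nuke_addr_lock_dropped(int ctx)
{
    if (!dbg_spin_lock(&ehash_lock, ctx)) return false;
    dbg_spin_unlock(&ehash_lock);
    bool ok = model_inet_unhash(ctx);
    if (dbg_spin_lock(&ehash_lock, ctx)) dbg_spin_unlock(&ehash_lock);
    return ok;                               /* true */
}
```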

Spin lock lockup issue while disconnecting the data call

by jerryfan2000 » Fri, 04 Sep 2009 19:14:56 GMT

I also have a similar issue. Just wondering, have you solved it? Thanks.

On Jul 7, 8:05pm, Shirish Agarwal <ashir...@gmail.com> wrote: