Kernel Oops in __inet_twsk_kill()

[Charley (Hao Chuan) Chu]

We have situation on our system. It brings the network interface up and down every a few seconds. Eventually, it brings down the system - the kernel crashed due to BUG on in __inet_twsk_kill(). The debug message show following call flow. 


1) time-wait socket is created by tcp_time_wait() when the socket gets into "TIME_WAIT" state. 
    inet_twsk_alloc()               - refcnt= 0
    inet_twsk_hashdance()  - refcnt = 3
    inet_twsk_schedule()      - refcnt = 4
    inet_twsk_put()                 - refcnt = 3
2) tcp_v4_timewait_ack() is called when sync is received 
    inet_twsk_put()                  - refcnt= 2      <== where we thing the problem is
    occasionally, second sync is received, so the inet_twsk_put is called twice - refcnt = 1 
3) twdr_do_twkill_work() is called when timed out
    call __inet_twsk_kill - BUG_ON!!! as refcnt=2 (supposed to be 3).
    call inet_twsk_put()

In a normal case, the callflow only has step 1 and step 3.  Our understanding is the time-wait socket has three references - ehash, bhash and timer death row. In step 2, none of them are touched. Can anyone here explain to us why the inet_twsk_put() is called in tcp_v4_timewait_ack()?

our system has 3.14 kernel.

Any help would be highly appreciated.

Charley Chu

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/