Bug 720489

Summary: tcp timer list corruption (fglrx)
Product: [Fedora] Fedora
Reporter: Roberto D'Auria <evfirerob>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED CANTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 15
CC: aquini, gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:81be13f2f160322a43b855683cd5fa13cdf32f33
Doc Type: Bug Fix
Last Closed: 2011-07-11 19:54:29 UTC

Description Roberto D'Auria 2011-07-11 19:36:33 UTC
abrt version: 2.0.3
architecture:   x86_64
cmdline:        ro root=/dev/mapper/vg_sonny-lv_root rd_LUKS_UUID=luks-9144da87-3be4-47c6-b27f-5d987b7646e4 rd_LVM_LV=vg_sonny/lv_root rd_LVM_LV=vg_sonny/lv_swap rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYTABLE=it rhgb quiet radeon.modeset=0
comment:        I have inserted a USB flash storage with an EXT4 partition.
component:      kernel
kernel:         2.6.38.8-32.fc15.x86_64
kernel_tainted: 513
os_release:     Fedora release 15 (Lovelock)
package:        kernel
reason:         WARNING: at lib/list_debug.c:30 __list_add+0x66/0x7f()
time:           Mon Jul 11 21:27:20 2011

backtrace:
:WARNING: at lib/list_debug.c:30 __list_add+0x66/0x7f()
:Hardware name: HP Pavilion dv6 Notebook PC
:list_add corruption. prev->next should be next (ffffffff81ca54a0), but was ffff880114154d58. (prev=ffff880114154d58).
:Modules linked in: tcp_lp fuse cpufreq_ondemand 8021q garp stp llc powernow_k8 freq_table mperf ip6t_REJECT ip6t_ipv6header nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables nf_conntrack_netbios_ns fglrx(P) arc4 snd_hda_codec_hdmi ath9k mac80211 snd_hda_codec_idt ath9k_common hp_wmi sparse_keymap snd_hda_intel snd_hda_codec snd_hwdep ath9k_hw ath snd_seq uvcvideo snd_seq_device cfg80211 hp_accel snd_pcm snd_timer videodev v4l2_compat_ioctl32 microcode snd sp5100_tco rfkill r8169 lis3lv02d wmi edac_core input_polldev edac_mce_amd shpchp mii k10temp soundcore i2c_piix4 snd_page_alloc joydev ipv6 xts gf128mul usb_storage uas dm_crypt video radeon ttm drm_kms_helper drm i2c_algo_bit i2c_core [last unloaded: scsi_wait_scan]
:Pid: 3065, comm: firefox Tainted: P        W   2.6.38.8-32.fc15.x86_64 #1
:Call Trace:
: [<ffffffff8105511a>] warn_slowpath_common+0x83/0x9b
: [<ffffffff810551d5>] warn_slowpath_fmt+0x46/0x48
: [<ffffffff8123776b>] __list_add+0x66/0x7f
: [<ffffffff81060a19>] internal_add_timer+0xbc/0xbe
: [<ffffffff810615a4>] __mod_timer+0x12c/0x14a
: [<ffffffff810616db>] mod_timer+0x8c/0x93
: [<ffffffff813b6879>] sk_reset_timer+0x19/0x2a
: [<ffffffff8140abd5>] inet_csk_reset_xmit_timer.constprop.9+0xa0/0xc5
: [<ffffffff8140ac6d>] tcp_event_new_data_sent+0x73/0x75
: [<ffffffff8140c58a>] tcp_write_xmit+0x6cc/0x7af
: [<ffffffff813ba6bb>] ? __alloc_skb+0x8d/0x133
: [<ffffffff8140c6c4>] __tcp_push_pending_frames+0x23/0x51
: [<ffffffff813ff937>] tcp_push+0x8c/0x8e
: [<ffffffff814015b7>] tcp_sendmsg+0x732/0x826
: [<ffffffff8141d3ff>] inet_sendmsg+0x66/0x6f
: [<ffffffff813b3f18>] __sock_sendmsg+0x69/0x76
: [<ffffffff813b408f>] sock_sendmsg+0xa1/0xb6
: [<ffffffff811227ba>] ? fget_light+0x63/0x7b
: [<ffffffff813b348c>] ? sockfd_lookup_light+0x20/0x58
: [<ffffffff813b4ec9>] sys_sendto+0x12f/0x171
: [<ffffffff81120eca>] ? fsnotify_access+0x5f/0x67
: [<ffffffff81129e21>] ? path_put+0x1f/0x23
: [<ffffffff8109fa68>] ? audit_syscall_entry+0x145/0x171
: [<ffffffff81009bc2>] system_call_fastpath+0x16/0x1b

kernel_tainted_long:
:Proprietary module has been loaded.
:Taint on warning.

Comment 1 Dave Jones 2011-07-11 19:54:29 UTC
fglrx has a history of memory corruption bugs.  Unless you can reproduce this bug without that module, there's not much we can do about it.

The likelihood of this being a fglrx bug is high, as this would be showing up on other people's systems given this is in common networking code. Corruption of packet timers is really sounding like something scribbled where it shouldn't have. (probably a use-after-free bug).
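
Added example, not part of the bug report or of any comment in it, and not kernel source: a userspace C model of the neighbour-consistency check behind the `list_add corruption` warning in the backtrace. The names `checked_list_add` and `demo_stray_write` and the corruption scenario are assumptions made for illustration; the scenario is constructed so the failing check has the same shape as the reported one, where `prev->next` equals `prev` itself.

```c
/* Added example: userspace model of the list-debug check, not kernel source. */
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

enum { LIST_OK = 0, BAD_NEXT_PREV = 1, BAD_PREV_NEXT = 2 };

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }

/* Insert `new` between `prev` and `next` only if the two neighbours still
 * point at each other. Simplification: on failure this model refuses to link. */
static int checked_list_add(struct list_head *new, struct list_head *prev,
                            struct list_head *next)
{
    int bad = LIST_OK;
    if (next->prev != prev) {
        fprintf(stderr, "list_add corruption. next->prev should be prev (%p), but was %p. (next=%p).\n",
                (void *)prev, (void *)next->prev, (void *)next);
        bad |= BAD_NEXT_PREV;
    }
    if (prev->next != next) {
        fprintf(stderr, "list_add corruption. prev->next should be next (%p), but was %p. (prev=%p).\n",
                (void *)next, (void *)prev->next, (void *)prev);
        bad |= BAD_PREV_NEXT;
    }
    if (bad)
        return bad;
    next->prev = new; new->next = next; new->prev = prev; prev->next = new;
    return LIST_OK;
}

/* Constructed scenario: an entry still queued on a bucket has its links
 * overwritten so that it points at itself, then a tail insert is attempted. */
static int demo_stray_write(void)
{
    struct list_head bucket, queued, incoming;
    init_list_head(&bucket);
    if (checked_list_add(&queued, bucket.prev, &bucket) != LIST_OK)
        return -1;
    init_list_head(&queued);            /* stand-in for the stray write */
    return checked_list_add(&incoming, bucket.prev, &bucket);
}

int main(void)
{
    printf("check result: %d\n", demo_stray_write());
    return 0;
}
```

The check fires in whichever code path next touches the list, which is why the trace shows the TCP send path rather than the code that wrote to the entry.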