From owner-freebsd-net@FreeBSD.ORG  Sat Oct  9 03:37:17 2004
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id E6B3916A4CE; Sat,  9 Oct 2004 03:37:17 +0000 (GMT)
Received: from obsecurity.dyndns.org
	(CPE0050040655c8-CM00111ae02aac.cpe.net.cable.rogers.com [69.194.102.143])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 478E343D48; Sat,  9 Oct 2004 03:37:17 +0000 (GMT)
	(envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000)
	id 9412751440; Fri,  8 Oct 2004 20:39:00 -0700 (PDT)
Date: Fri, 8 Oct 2004 20:39:00 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: net@FreeBSD.org, current@FreeBSD.org
Message-ID: <20041009033900.GA6751@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="CE+1k2dSO48ffgeK"
Content-Disposition: inline
User-Agent: Mutt/1.4.2.1i
Subject: Infinite loop in tcp_output on RELENG_5
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Oct 2004 03:37:18 -0000


--CE+1k2dSO48ffgeK
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

pointyhat (SMP machine running RELENG_5) has twice in the past 2 days
gone into an infinite loop in the tcp_output() function (repeatedly
breaking into DDB and continuing, I can see it at different points in
the code).  I made tcp_output keep a counter and increment when it
hits the again: label.  If the counter reaches 1000, it panics.  This
happened again just now:

panic: Looping in tcp_output
cpuid = 0
KDB: enter: panic
[thread 100043]
Stopped at      kdb_enter+0x30: leave
db> tr
kdb_enter(c06de69a,0,c06e973a,ebbd5ba0,c34cd4b0) at kdb_enter+0x30
panic(c06e973a,0,ebbd5b68,0,0) at panic+0x14e
tcp_output(c395f8c0,c395f8c0,c3ed3e10,c05a79f0,ebbd5ca0) at tcp_output+0x19e
tcp_drop(c395f8c0,3c,c06e9fe7,1ab,e) at tcp_drop+0x30
tcp_timer_persist(c395f8c0,0,c06df6ba,f5,0) at tcp_timer_persist+0x14c
softclock(0,0,c06dc037,269,c0738ac0) at softclock+0x1c8
ithread_loop(c345d800,ebbd5d48,c06dbe2a,323,41531744) at ithread_loop+0x172
fork_exit(c04f1210,c345d800,ebbd5d48) at fork_exit+0xc6
fork_trampoline() at fork_trampoline+0x8
--- trap 0x1, eip = 0, esp = 0xebbd5d7c, ebp = 0 ---

This might be related to SACK, which is one of the situations where we
loop back to the again label, but that's just a guess.

Kris

--CE+1k2dSO48ffgeK
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFBZ11UWry0BWjoQKURAqt9AKCLVrQypJYVusvpXcHVteJKaind0wCfYoj4
XwUr29IyzQnD6uUe7ecyzOg=
=sKir
-----END PGP SIGNATURE-----

--CE+1k2dSO48ffgeK--