From owner-freebsd-stable@freebsd.org  Tue Aug  8 11:34:03 2017
Return-Path: <owner-freebsd-stable@freebsd.org>
Delivered-To: freebsd-stable@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9189ADD5A4C;
 Tue,  8 Aug 2017 11:34:03 +0000 (UTC) (envelope-from slw@zxy.spb.ru)
Received: from zxy.spb.ru (zxy.spb.ru [195.70.199.98])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 375E881D22;
 Tue,  8 Aug 2017 11:34:03 +0000 (UTC) (envelope-from slw@zxy.spb.ru)
Received: from slw by zxy.spb.ru with local (Exim 4.86 (FreeBSD))
 (envelope-from <slw@zxy.spb.ru>)
 id 1df2lk-000Jxr-ET; Tue, 08 Aug 2017 14:33:52 +0300
Date: Tue, 8 Aug 2017 14:33:52 +0300
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Hans Petter Selasky <hps@selasky.org>
Cc: Ben RUBSON <ben.rubson@gmail.com>,
 FreeBSD Net <freebsd-net@freebsd.org>, jch <jch@FreeBSD.org>,
 hiren <hiren@strugglingcoder.info>,
 FreeBSD Stable <freebsd-stable@freebsd.org>
Subject: Re: mlx4en, timer irq @100%... (11.0 stuck on high network load ???)
Message-ID: <20170808113352.GH18123@zxy.spb.ru>
References: <4C91C6E5-0725-42E7-9813-1F3ACF3DDD6E@gmail.com>
 <5840c25e-7472-3276-6df9-1ed4183078ad@selasky.org>
 <2ADA8C57-2C2D-4F97-9F0B-82D53EDDC649@gmail.com>
 <061cdf72-6285-8239-5380-58d9d19a1ef7@selasky.org>
 <92BEE83D-498F-47D5-A53C-39DCDC00A0FD@gmail.com>
 <5d8960d8-e1ff-8719-320f-d3ae84054714@selasky.org>
 <6B4A35F7-5694-4945-9575-19ADB678F9FA@gmail.com>
 <297a784a-3d80-b1a6-652e-a78621fe5a8b@selasky.org>
 <3ECCFBF1-18D9-4E33-8F39-0C366C3BB8B4@gmail.com>
 <c05c2b1c-b5a8-c39c-6dff-e6cc0d8642bf@selasky.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <c05c2b1c-b5a8-c39c-6dff-e6cc0d8642bf@selasky.org>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: slw@zxy.spb.ru
X-SA-Exim-Scanned: No (on zxy.spb.ru); SAEximRunCond expanded to false
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-stable>, 
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable/>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Aug 2017 11:34:03 -0000

On Tue, Aug 08, 2017 at 10:31:33AM +0200, Hans Petter Selasky wrote:

> Here is the conclusion:
> 
> The following code is going in an infinite loop:
> 
> 
> >         for (;;) {
> >                 TW_RLOCK(V_tw_lock);
> >                 tw = TAILQ_FIRST(&V_twq_2msl);
> >                 if (tw == NULL || (!reuse && (tw->tw_time - ticks) > 0)) {
> >                         TW_RUNLOCK(V_tw_lock);
> >                         break;
> >                 }
> >                 KASSERT(tw->tw_inpcb != NULL, ("%s: tw->tw_inpcb == NULL",
> >                     __func__));
> > 
> >                 inp = tw->tw_inpcb;
> >                 in_pcbref(inp);
> >                 TW_RUNLOCK(V_tw_lock);
> > 
> >                 if (INP_INFO_TRY_RLOCK(&V_tcbinfo)) {
> > 
> >                         INP_WLOCK(inp);
> >                         tw = intotw(inp);
> >                         if (in_pcbrele_wlocked(inp)) {
> 
> in_pcbrele_wlocked() returns (1) because INP_FREED (16) is set in 
> inp->inp_flags2. I guess you have invariants disabled, because the 
> KASSERT() below should have caused a panic.
> 
> >                                 KASSERT(tw == NULL, ("%s: held last inp "
> >                                     "reference but tw not NULL", __func__));
> >                                 INP_INFO_RUNLOCK(&V_tcbinfo);
> >                                 continue;
> >                         }
> 
> This is a regression issue after:
> 
> > commit 5630210a7f1dbbd903b77b2aef939cd47c63da58
> > Author: jch <jch@FreeBSD.org>
> > Date:   Thu Oct 30 08:53:56 2014 +0000
> > 
> >     Fix a race condition in TCP timewait between tcp_tw_2msl_reuse() and
> >     tcp_tw_2msl_scan().  This race condition drives unplanned timewait
> >     timeout cancellation.  Also simplify implementation by holding inpcb
> >     reference and removing tcptw reference counting.
> 
> Suggested fix attached.

Hmm, I am not sure, IMHO between

TW_RUNLOCK(V_tw_lock);
and
if (INP_INFO_TRY_WLOCK(&V_tcbinfo)) {

`inp` can be invalidated, freed and this pointer may be invalid?


> Index: sys/netinet/tcp_timewait.c
> ===================================================================
> --- sys/netinet/tcp_timewait.c	(revision 321981)
> +++ sys/netinet/tcp_timewait.c	(working copy)
> @@ -709,10 +709,11 @@
>  			INP_WLOCK(inp);
>  			tw = intotw(inp);
>  			if (in_pcbrele_wlocked(inp)) {
> -				KASSERT(tw == NULL, ("%s: held last inp "
> -				    "reference but tw not NULL", __func__));
>  				INP_INFO_RUNLOCK(&V_tcbinfo);
> -				continue;
> +				if (tw == NULL)
> +					continue;
> +				else
> +					break;	/* INP_FREED flag is set */
>  			}
>  
>  			if (tw == NULL) {

> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"