Date: Wed, 28 Sep 2011 23:00:40 +0300 From: Mikolaj Golub <trociny@freebsd.org> To: "K. Macy" <kmacy@freebsd.org> Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, Adrian Chadd <adrian@freebsd.org>, Arnaud Lacombe <lacombar@gmail.com>, dave jones <s.dave.jones@gmail.com> Subject: Re: Kernel panic on FreeBSD 9.0-beta2 Message-ID: <8662kcigif.fsf@kopusha.home.net> In-Reply-To: <CAHM0Q_PZD9_0ZkELZ5XL8Ebh8eD-uFuSjXWKKVpGDeM_JDaqMA@mail.gmail.com> (K. Macy's message of "Mon, 26 Sep 2011 16:12:55 %2B0200") References: <CANf5e8aG4go4M_vsRExUsJB_sjaN5x-QK-TCDAhSH64JSo0mdQ@mail.gmail.com> <CACqU3MXStMMEoppvDtZS6hV4WGttbdJiF8E-ORwJ%2BQSmnTy-Yg@mail.gmail.com> <CACqU3MV-t4Va6VWUoXy1Y9FYnNJTUw1X%2BE7ik-2%2BtMVuVOV3RA@mail.gmail.com> <CAJ-Vmom-177OkdUXjz%2BZLqbaqn=p%2BuTGypiVuMqdeXgdOgb4hQ@mail.gmail.com> <CAHM0Q_Mmn3z1V6AtZHQMpgbdY7oQqOChiNt=8NJrZQDnravb7A@mail.gmail.com> <CACqU3MU9ZZtOsdBOa%2BF3SqUaYgO%2BEo0v1ACjY0S4rY4fRQyv5Q@mail.gmail.com> <CAHM0Q_PZD9_0ZkELZ5XL8Ebh8eD-uFuSjXWKKVpGDeM_JDaqMA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
KM> Sorry, didn't look at the images (limited bw), I've seen something
KM> like this before in timewait. This "can't happen" with UDP so will be
KM> interested in learning more about the bug.
The panic can be easily triggered by this:
[-- Attachment #2 --]
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <err.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define PORT 6666
int
main(int argc, char **argv)
{
struct sockaddr_in sin;
int fd;
if (fork() == -1)
err(1, "fork");
for (;;) {
if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
continue;
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = htons(PORT);
bind(fd, (struct sockaddr *) &sin, sizeof(sin));
close(fd);
}
exit(0);
}
[-- Attachment #3 --]
It looks for me that we should call in_pcbdrop() in udp_close() to remove
inpcb from hashed lists, like it is done for tcp_close().
With this patch I don't observe the panic.
[-- Attachment #4 --]
Index: sys/netinet/udp_usrreq.c
===================================================================
--- sys/netinet/udp_usrreq.c (revision 225816)
+++ sys/netinet/udp_usrreq.c (working copy)
@@ -1486,6 +1486,7 @@ udp_close(struct socket *so)
inp = sotoinpcb(so);
KASSERT(inp != NULL, ("udp_close: inp == NULL"));
INP_WLOCK(inp);
+ in_pcbdrop(inp);
if (inp->inp_faddr.s_addr != INADDR_ANY) {
INP_HASH_WLOCK(&V_udbinfo);
in_pcbdisconnect(inp);
[-- Attachment #5 --]
KM> On Mon, Sep 26, 2011 at 4:02 PM, Arnaud Lacombe <lacombar@gmail.com> wrote:
>> Hi,
>>
>> On Mon, Sep 26, 2011 at 5:12 AM, K. Macy <kmacy@freebsd.org> wrote:
>>>
>>>
>>> On Monday, September 26, 2011, Adrian Chadd <adrian@freebsd.org> wrote:
>>>> On 26 September 2011 13:41, Arnaud Lacombe <lacombar@gmail.com> wrote:
>>>>> /*
>>>>> * XXX
>>>>> * This entire block sorely needs a rewrite.
>>>>> */
>>>>> if (t &&
>>>>> ((t->inp_flags & INP_TIMEWAIT) == 0) &&
>>>>> (so->so_type != SOCK_STREAM ||
>>>>> ntohl(t->inp_faddr.s_addr) == INADDR_ANY) &&
>>>>> (ntohl(sin->sin_addr.s_addr) != INADDR_ANY ||
>>>>> ntohl(t->inp_laddr.s_addr) != INADDR_ANY ||
>>>>> (t->inp_socket->so_options &
>>>>> SO_REUSEPORT) == 0) &&
>>>>> (inp->inp_cred->cr_uid !=
>>>>> t->inp_cred->cr_uid))
>>>>> return (EADDRINUSE);
>>>>> }
>>>>>
>>>>> more specifically, `t->inp_socket' is NULL. The top comment may not be
>>>>> relevant, as it's been here for the past 8 years.
>>>>
>>>> Why would t->inp_socket be NULL at this point?
>>>
>>> TIME_WAIT ...
>>>
>> on UDP socket ?
>>
>> - Arnaud
>>
KM> _______________________________________________
KM> freebsd-net@freebsd.org mailing list
KM> http://lists.freebsd.org/mailman/listinfo/freebsd-net
KM> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
--
Mikolaj Golub
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8662kcigif.fsf>