From owner-freebsd-net@FreeBSD.ORG  Wed Sep 21 23:58:32 2005
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
X-Original-To: net@freebsd.org
Delivered-To: freebsd-net@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 34F3516A41F
	for <net@freebsd.org>; Wed, 21 Sep 2005 23:58:32 +0000 (GMT)
	(envelope-from pawel.worach@gmail.com)
Received: from zproxy.gmail.com (zproxy.gmail.com [64.233.162.200])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A74F643D46
	for <net@freebsd.org>; Wed, 21 Sep 2005 23:58:31 +0000 (GMT)
	(envelope-from pawel.worach@gmail.com)
Received: by zproxy.gmail.com with SMTP id z31so14245nzd
	for <net@freebsd.org>; Wed, 21 Sep 2005 16:58:30 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
	h=received:message-id:date:from:user-agent:mime-version:to:subject:references:in-reply-to:content-type:content-transfer-encoding;
	b=SRz/VAX/uOnqYkOK15fa0Cx/vIRpn9Y7xwg5RYSggCxDNsCJ1kGJIJ6Fwnk0c2CVk5tzjTpXnFhkVLtrJuhaw/inV2X1hvhTCLxhB0ZwkoN1ht7CIw+dX5rl6o7ov/6Xf0CSE11t/SrH09dG/iKnjuVRJRZNtdCP8Y41A8ZgOeU=
Received: by 10.54.45.76 with SMTP id s76mr2851379wrs;
	Wed, 21 Sep 2005 16:58:30 -0700 (PDT)
Received: from ?192.168.0.143? ( [80.217.193.226])
	by mx.gmail.com with ESMTP id g9sm32527wra.2005.09.21.16.58.30;
	Wed, 21 Sep 2005 16:58:30 -0700 (PDT)
Message-ID: <4331F3A3.1060707@gmail.com>
Date: Thu, 22 Sep 2005 01:58:27 +0200
From: Pawel Worach <pawel.worach@gmail.com>
User-Agent: Thunderbird 1.4 (X11/20050918)
MIME-Version: 1.0
To: net@freebsd.org
References: <4330711A.4040808@gmail.com>
In-Reply-To: <4330711A.4040808@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: 
Subject: Re: [panic] page fault in tcp_timer_2msl_tw
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Sep 2005 23:58:32 -0000

Pawel Worach wrote:

> (kgdb) print *tw
> $1 = {tw_inpcb = 0x0, snd_nxt = 438603527, rcv_nxt = 3383864561,
>   iss = 438603320, irs = 3383863898, cc_recv = 0, cc_send = 0,
>   last_win = 65534, tw_so_options = 4, tw_cred = 0x0, t_recent = 0,
>   t_starttime = 4294952294, tw_time = 0, tw_2msl = {le_next = 0xc24680a8,
>     le_prev = 0xc06a827c}}

I poked a bit more and it looks like the dereference happens here in 
tcp_timer_2msl_tw().

tcp_timer.c:294		INP_LOCK(tw->tw_inpcb);

INP_LOCK macro tries to reference tw->tw_inpcb->inp_mtx while 
tw->tw_inpcb is null. However I have no idea how it got to this point.

-- 
Pawel