From: Navdeep Parhar
To: freebsd-net@freebsd.org
Date: Mon, 10 Oct 2011 17:36:40 +0000
Subject: panic in tcp_drop (and fix for it)
Message-ID: <20111010173640.GA79248@hub.freebsd.org>

While stress testing a few systems, I encountered a panic in tcp_drop due to NULL tp->t_inpcb. tcp_drop had been called by tcp_timer_rexmt. The problem is that timer_rexmt lets go of the pcbinfo and inp locks and the inp could be dropped by the time it re-acquires the locks.

The attached patch fixes the problem. I've observed the counter in the patch go up by 2-3 in 48 hours or so. If someone can review the patch I can push it (without the counter) to head.

Regards,
Navdeep

--- a/sys/netinet/tcp_timer.c +++ b/sys/netinet/tcp_timer.c @@ -439,6 +439,8 @@ CURVNET_RESTORE(); } +static int tcp_rexmt_inpdrop_race = 0; + void tcp_timer_rexmt(void * xtp) { @@ -495,6 +497,14 @@ CURVNET_RESTORE(); return; } + if (inp->inp_flags & INP_DROPPED) { + tcp_rexmt_inpdrop_race++; + INP_WUNLOCK(inp); + INP_INFO_WUNLOCK(&V_tcbinfo); + CURVNET_RESTORE(); + return; + } + tp = tcp_drop(tp, tp->t_softerror ? tp->t_softerror : ETIMEDOUT); headlocked = 1;
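Review bot: In the first hunk (@@ -439), tcp_rexmt_inpdrop_race is a bare file-scope static int with no sysctl or stat hook, so the count can only be read with a debugger, and it is a single global while the lock held at the increment is the per-vnet V_tcbinfo. Dropping it before commit, as the message proposes, is the simplest resolution. If visibility into how often the race fires is still wanted in head, a proper TCP statistics counter would be the better home for it than this static.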
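Review bot: In the second hunk (@@ -495), the new INP_DROPPED block has no comment, and the reason it is needed (the handler released the pcbinfo and inp locks and re-acquired them, so the inp may have been dropped in between) is only in the mail. A short comment above `if (inp->inp_flags & INP_DROPPED) {` stating that would keep the check from looking redundant later. The unlock sequence on the early return (INP_WUNLOCK, then INP_INFO_WUNLOCK, then CURVNET_RESTORE) assumes both locks are write-held at this point, which matches the `headlocked = 1;` that follows the tcp_drop call, but it is worth confirming against the lines just above the hunk that no path reaches here with only the inp lock held.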