Date:      Mon, 10 Oct 2011 17:36:40 +0000
From:      Navdeep Parhar <np@FreeBSD.org>
To:        freebsd-net@freebsd.org
Subject:   panic in tcp_drop (and fix for it)
Message-ID:  <20111010173640.GA79248@hub.freebsd.org>

While stress testing a few systems, I encountered a panic in tcp_drop
due to NULL tp->t_inpcb.  tcp_drop had been called by tcp_timer_rexmt.
The problem is that timer_rexmt lets go of the pcbinfo and inp locks and
the inp could be dropped by the time it re-acquires the locks.

The attached patch fixes the problem.  I've observed the counter in the
patch go up by 2-3 in 48 hours or so.  If someone can review the patch
I can push it (without the counter) to head.

Regards,
Navdeep

--- a/sys/netinet/tcp_timer.c
+++ b/sys/netinet/tcp_timer.c
@@ -439,6 +439,8 @@
 	CURVNET_RESTORE();
 }
 
+static int tcp_rexmt_inpdrop_race = 0;
+
 void
 tcp_timer_rexmt(void * xtp)
 {
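Review bot: The file-scope `tcp_rexmt_inpdrop_race` counter has no reader. It is a plain `static int` with no sysctl or statistics hook attached in this patch, so on a running kernel it is only visible from a debugger. Removing it before commit, as the message proposes, is the right call; if the hit count is worth keeping long term, account it alongside the existing TCP statistics instead of in a bare global. The `= 0` initializer is also redundant for a static.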
@@ -495,6 +497,14 @@
 			CURVNET_RESTORE();
 			return;
 		}
+		if (inp->inp_flags & INP_DROPPED) {
+			tcp_rexmt_inpdrop_race++;
+			INP_WUNLOCK(inp);
+			INP_INFO_WUNLOCK(&V_tcbinfo);
+			CURVNET_RESTORE();
+			return;
+		}
+
 		tp = tcp_drop(tp, tp->t_softerror ?
 			      tp->t_softerror : ETIMEDOUT);
 		headlocked = 1;
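Review bot: The new `INP_DROPPED` test ahead of `tcp_drop()` needs a comment explaining why the flag can be set at this point. Nothing in the hunk shows that the pcbinfo and inp locks were released and re-taken earlier in the function, so without that context the check reads as redundant and is easy to remove in a later cleanup. A short comment above the `if`, along the lines of "the inp may have been dropped while the locks were released", would cover it. When the counter is removed, the `tcp_rexmt_inpdrop_race++` line here has to go in the same change as the global, otherwise the file will not build.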
