Date: Sat, 11 Jun 2022 17:40:23 +0000 From: bugzilla-noreply@freebsd.org To: net@FreeBSD.org Subject: [Bug 264257] [tcp] Panic: Fatal trap 12: page fault while in kernel mode (if_io_tqg_4) - m_copydata ... at /usr/src/sys/kern/uipc_mbuf.c:659 Message-ID: <bug-264257-7501-0FUJA4SsE9@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-264257-7501@https.bugs.freebsd.org/bugzilla/> References: <bug-264257-7501@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D264257 --- Comment #27 from Richard Scheffenegger <rscheff@freebsd.org> --- (In reply to iron.udjin from comment #25) I've prepared a patch against main (may need some manual tweaking to apply = to 13.1-RELEASE as of now)=20 wget https://reviews.freebsd.org/D35446?id=3D106838&download=3Dtrue If the kernel is built with INVARIANTS, it should panic early on, once an inconsistency between the socket sendbuffer and tcp state variables is dete= cted - instead of panicing a few packets later, when that inconsistency results = in a invalid pointer access... If the kernel is built without INVARIANTS, the kernel log buffer (dmesg) sh= ould provide some hints as to when/where the inconsistency first occured, which = may gve more indirect clues. But it would address the inconsistency right away,= and continue operation. If the panic was observed during a DDOS, this strengthens the clue that the= re exists a race condition (double-accounting for the FIN bit). However, prior= to the introduction of SACK rescue retransmissions, this never materially affe= cted TCP operations, as the socket buffer data would be used directly to see what sequence range to send, rather than the SACK scoreboard data. --=20 You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-264257-7501-0FUJA4SsE9>