From: "Blapp, Martin"
To: "freebsd-stable@freebsd.org"
Date: Mon, 6 Apr 2009 09:57:13 +0200
Subject: AW: FreeBSD 7.2-BETA1 tcp retransmit crash

Hi,

(kgdb) frame 7
#7 0xc07c6cb0 in sbsndptr (sb=0xc342ede4, off=112, len=113, moff=0xc2f9ca04) at /usr/src/sys/kern/uipc_sockbuf.c:939

This is also interesting. Is this an OffByOne somewhere?

As I said it's just a workaround, and for now it didn't crash anymore :-)
I could modify this patch to see what happens exactly, dumping the mbuf.

The workaround I currently use is just skipping and dropping this mbuf:

--- sys/kern/uipc_sockbuf.c.orig 2009-04-05 18:01:35.000000000 +0200 +++ sys/kern/uipc_sockbuf.c 2009-04-05 18:01:46.000000000 +0200 
@@ -930,6 +930,13 @@ return (sb->sb_mb); } + /* + * Try to avoid some retransmit panics + */ + if (sb->sb_sndptr =3D=3D NULL && sb->sb_mb =3D=3D NULL) { + return (NULL); + } + /* Return closest mbuf in chain for current offset. */ *moff =3D off - sb->sb_sndptroff; m =3D ret =3D sb->sb_sndptr ? sb->sb_sndptr : sb->sb_mb; --- sys/netinet/tcp_output.c.orig 2009-04-05 18:01:29.000000000 +0200 +++ sys/netinet/tcp_output.c 2009-04-05 18:04:17.000000000 +0200 @@ -797,6 +797,17 @@ */ mb =3D sbsndptr(&so->so_snd, off, len, &moff); + + /* + * Avoid panics. Mask the error with ENETDOWN + */ + if (mb =3D=3D NULL) { + SOCKBUF_UNLOCK(&so->so_snd); + (void) m_free(m); + error =3D ENETDOWN; + goto out; + } + if (len <=3D MHLEN - hdrlen - max_linkhdr) { m_copydata(mb, moff, (int)len, mtod(m, caddr_t) + hdrlen);
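
Review bot: In the sbsndptr() hunk, the new early return leaves *moff unwritten, because the check sits before the line "*moff = off - sb->sb_sndptroff;". sbsndptr() therefore gains a NULL return that every caller has to test before it reads moff. Either set *moff to 0 before "return (NULL);" or state the new contract in the function's comment. The comment "Try to avoid some retransmit panics" also does not name the state being detected (sb_sndptr and sb_mb both NULL while a send offset is still being requested); naming it, and adding a diagnostic at that point, would keep the underlying inconsistency visible instead of hiding it.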
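
Review bot: In the tcp_output() hunk, the "mb == NULL" branch reports ENETDOWN for what is an inconsistent send buffer, and does so silently, so the condition that used to panic turns into a send error with no trace of its cause. Log off, len and the socket buffer pointers before "goto out;" (or return a distinct errno) so the root cause can still be found. Also confirm that the code at "out" does not unlock so_snd a second time after the SOCKBUF_UNLOCK() here, and that m is a single mbuf at this point, since m_free() releases only one mbuf and m_freem() would be needed for a chain.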