Date: Mon, 10 Oct 2011 20:08:38 +0200 From: Andre Oppermann <andre@freebsd.org> To: np@FreeBSD.org Cc: freebsd-net@freebsd.org Subject: Re: panic in tcp_drop (and fix for it) Message-ID: <4E9334A6.2050907@freebsd.org> In-Reply-To: <20111010173640.GA79248@hub.freebsd.org> References: <20111010173640.GA79248@hub.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 10.10.2011 19:36, Navdeep Parhar wrote:
> While stress testing a few systems, I encountered a panic in tcp_drop
> due to NULL tp->t_inpcb. tcp_drop had been called by tcp_timer_rexmt.
> The problem is that timer_rexmt lets go of the pcbinfo and inp locks and
> the inp could be dropped by the time it re-acquires the locks.
>
> The attached patch fixes the problem. I've observed the counter in the
> patch go up by 2-3 in 48 hours or so. If someone can review the patch
> I can push it (without the counter) to head.
Looks good w/o the counter.
> Regards,
> Navdeep
>
> --- a/sys/netinet/tcp_timer.c
> +++ b/sys/netinet/tcp_timer.c
> @@ -439,6 +439,8 @@
> CURVNET_RESTORE();
> }
>
> +static int tcp_rexmt_inpdrop_race = 0;
> +
> void
> tcp_timer_rexmt(void * xtp)
> {
> @@ -495,6 +497,14 @@
> CURVNET_RESTORE();
> return;
> }
> + if (inp->inp_flags& INP_DROPPED) {
> + tcp_rexmt_inpdrop_race++;
> + INP_WUNLOCK(inp);
> + INP_INFO_WUNLOCK(&V_tcbinfo);
> + CURVNET_RESTORE();
> + return;
> + }
> +
> tp = tcp_drop(tp, tp->t_softerror ?
> tp->t_softerror : ETIMEDOUT);
> headlocked = 1;
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4E9334A6.2050907>