Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 28 Sep 2011 23:00:40 +0300
From:      Mikolaj Golub <trociny@freebsd.org>
To:        "K. Macy" <kmacy@freebsd.org>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, Adrian Chadd <adrian@freebsd.org>, Arnaud Lacombe <lacombar@gmail.com>, dave jones <s.dave.jones@gmail.com>
Subject:   Re: Kernel panic on FreeBSD 9.0-beta2
Message-ID:  <8662kcigif.fsf@kopusha.home.net>
In-Reply-To: <CAHM0Q_PZD9_0ZkELZ5XL8Ebh8eD-uFuSjXWKKVpGDeM_JDaqMA@mail.gmail.com> (K. Macy's message of "Mon, 26 Sep 2011 16:12:55 %2B0200")
References:  <CANf5e8aG4go4M_vsRExUsJB_sjaN5x-QK-TCDAhSH64JSo0mdQ@mail.gmail.com> <CACqU3MXStMMEoppvDtZS6hV4WGttbdJiF8E-ORwJ%2BQSmnTy-Yg@mail.gmail.com> <CACqU3MV-t4Va6VWUoXy1Y9FYnNJTUw1X%2BE7ik-2%2BtMVuVOV3RA@mail.gmail.com> <CAJ-Vmom-177OkdUXjz%2BZLqbaqn=p%2BuTGypiVuMqdeXgdOgb4hQ@mail.gmail.com> <CAHM0Q_Mmn3z1V6AtZHQMpgbdY7oQqOChiNt=8NJrZQDnravb7A@mail.gmail.com> <CACqU3MU9ZZtOsdBOa%2BF3SqUaYgO%2BEo0v1ACjY0S4rY4fRQyv5Q@mail.gmail.com> <CAHM0Q_PZD9_0ZkELZ5XL8Ebh8eD-uFuSjXWKKVpGDeM_JDaqMA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
--=-=-=


On Mon, 26 Sep 2011 16:12:55 +0200 K. Macy wrote:

 KM> Sorry, didn't look at the images (limited bw), I've seen something
 KM> like this before in timewait. This "can't happen" with UDP so will be
 KM> interested in learning more about the bug.

The panic can be easily triggered by this:


--=-=-=
Content-Type: application/octet-stream
Content-Disposition: inline; filename=test_udp.c
Content-Transfer-Encoding: base64

I2luY2x1ZGUgPHN5cy9wYXJhbS5oPgojaW5jbHVkZSA8c3lzL3NvY2tldC5oPgojaW5jbHVkZSA8
c3lzL3RpbWUuaD4KCiNpbmNsdWRlIDxuZXRpbmV0L2luLmg+CgojaW5jbHVkZSA8ZXJyLmg+CiNp
bmNsdWRlIDxlcnJuby5oPgojaW5jbHVkZSA8c2lnbmFsLmg+CiNpbmNsdWRlIDxzdGRpby5oPgoj
aW5jbHVkZSA8c3RkbGliLmg+CiNpbmNsdWRlIDxzdHJpbmcuaD4KI2luY2x1ZGUgPHVuaXN0ZC5o
PgoKI2RlZmluZSBQT1JUCTY2NjYKCmludAptYWluKGludCBhcmdjLCBjaGFyICoqYXJndikKewoJ
c3RydWN0IHNvY2thZGRyX2luIHNpbjsKCWludCBmZDsKCglpZiAoZm9yaygpID09IC0xKQoJCWVy
cigxLCAiZm9yayIpOwoKCWZvciAoOzspIHsKCQlpZiAoKGZkID0gc29ja2V0KEFGX0lORVQsIFNP
Q0tfREdSQU0sIDApKSA9PSAtMSkKCQkJY29udGludWU7CgoJCW1lbXNldCgmc2luLCAwLCBzaXpl
b2Yoc2luKSk7CgkJc2luLnNpbl9mYW1pbHkgPSBBRl9JTkVUOwoJCXNpbi5zaW5fcG9ydCA9IGh0
b25zKFBPUlQpOwoKCQliaW5kKGZkLCAoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihz
aW4pKTsKCgkJY2xvc2UoZmQpOwoJfQoKCWV4aXQoMCk7Cn0K
--=-=-=


The other thread at that moment is in soclose->sofree->upd_detach->in_pcbfree.

It looks for me that we should call in_pcbdrop() in udp_close() to remove
inpcb from hashed lists, like it is done for tcp_close().

With this patch I don't observe the panic.


--=-=-=
Content-Type: text/x-patch
Content-Disposition: inline; filename=udp_usrreq.c.in_pcbdrop.patch

Index: sys/netinet/udp_usrreq.c
===================================================================
--- sys/netinet/udp_usrreq.c	(revision 225816)
+++ sys/netinet/udp_usrreq.c	(working copy)
@@ -1486,6 +1486,7 @@ udp_close(struct socket *so)
 	inp = sotoinpcb(so);
 	KASSERT(inp != NULL, ("udp_close: inp == NULL"));
 	INP_WLOCK(inp);
+	in_pcbdrop(inp);
 	if (inp->inp_faddr.s_addr != INADDR_ANY) {
 		INP_HASH_WLOCK(&V_udbinfo);
 		in_pcbdisconnect(inp);

--=-=-=
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit


 KM> On Mon, Sep 26, 2011 at 4:02 PM, Arnaud Lacombe <lacombar@gmail.com> wrote:
 >> Hi,
 >>
 >> On Mon, Sep 26, 2011 at 5:12 AM, K. Macy <kmacy@freebsd.org> wrote:
 >>>
 >>>
 >>> On Monday, September 26, 2011, Adrian Chadd <adrian@freebsd.org> wrote:
 >>>> On 26 September 2011 13:41, Arnaud Lacombe <lacombar@gmail.com> wrote:
 >>>>> š/*
 >>>>> š * XXX
 >>>>> š * This entire block sorely needs a rewrite.
 >>>>> š */
 >>>>> š š š šif (t &&
 >>>>> š š š š š š((t->inp_flags & INP_TIMEWAIT) == 0) &&
 >>>>> š š š š š š(so->so_type != SOCK_STREAM ||
 >>>>> š š š š š š ntohl(t->inp_faddr.s_addr) == INADDR_ANY) &&
 >>>>> š š š š š š(ntohl(sin->sin_addr.s_addr) != INADDR_ANY ||
 >>>>> š š š š š š ntohl(t->inp_laddr.s_addr) != INADDR_ANY ||
 >>>>> š š š š š š (t->inp_socket->so_options &
 >>>>> š š š š š SO_REUSEPORT) == 0) &&
 >>>>> š š š š š š(inp->inp_cred->cr_uid !=
 >>>>> š š š š š š t->inp_cred->cr_uid))
 >>>>> š š š š šreturn (EADDRINUSE);
 >>>>> š š š}
 >>>>>
 >>>>> more specifically, `t->inp_socket' is NULL. The top comment may not be
 >>>>> relevant, as it's been here for the past 8 years.
 >>>>
 >>>> Why would t->inp_socket be NULL at this point?
 >>>
 >>> TIME_WAIT ...
 >>>
 >> on UDP socket ?
 >>
 >> š- Arnaud
 >>
 KM> _______________________________________________
 KM> freebsd-net@freebsd.org mailing list
 KM> http://lists.freebsd.org/mailman/listinfo/freebsd-net
 KM> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

-- 
Mikolaj Golub

--=-=-=--

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8662kcigif.fsf>