[Bug 276761] panic: sbsndptr_noadv: sb_mb is NULL
Date: Sat, 10 Feb 2024 10:25:11 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276761

--- Comment #13 from Richard Scheffenegger <rscheff@freebsd.org> ---
Just a summary of our findings:

Under rare circumstances, tcp_close() is called without being followed up quickly - prior to any timer going off - by tcp_discardcb().

In tcp_close() the socket buffers are relinquished, but the clean up of associated state would only be done later in tcp_discardcb().

The change exposing this was to no longer discard the SACK scoreboard immediately with a Retransmission timeout, in order to avoid unnecessary retransmissions in such an event. The SACK scoreboard is used for transmission selection during loss recovery or retransmission timeouts.

Additionally, timers could be restarted after having sent a RST packet from tcp_drop() - while the session was already closed.

In summary, it appears that there always existed the problem of inconsistent state in between tcp_close() and tcp_discardcb(), where a timer could trigger. However, as an RTO would previously clean the SACK scoreboard state, this would not lead to externally visible misbehavior or a panic.

The three commits address these issues individually:
- clean any SACK state together with releasing the socket buffer
- stop re-arming any timers in the case of sending a RST (while in CLOSED state)
- stop timers in tcp_close() instead of waiting for the final clean-up of tcpcb state in tcp_discardcb().
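The state inconsistency summarized in the comment above, as an added example that is not part of the original mail and is not FreeBSD code: a simplified user-space C model in which a timer fires between the close and the final teardown. All names (model_conn, model_close, model_send_rst, timer_fire, scenario) are hypothetical, and the model assumes the RST is sent after the close.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model; all names here are hypothetical, not FreeBSD's. */
struct model_conn {
    const char *sndbuf;  /* stands in for the send socket buffer */
    int sack_holes;      /* scoreboard entries referring to sndbuf */
    bool timer_armed;    /* retransmission timer pending */
    bool closed;         /* close has run, final teardown has not */
};
enum fire_result { FIRE_IDLE, FIRE_SENT, FIRE_NULL_BUFFER };

/* Timer handler: the scoreboard selects what to resend from sndbuf. */
static enum fire_result timer_fire(struct model_conn *c, bool rto_discards_sack) {
    if (!c->timer_armed)
        return FIRE_IDLE;
    c->timer_armed = false;
    if (rto_discards_sack)
        c->sack_holes = 0;   /* behaviour before the exposing change */
    if (c->sack_holes == 0)
        return FIRE_IDLE;
    return c->sndbuf ? FIRE_SENT : FIRE_NULL_BUFFER;  /* NULL: kernel panic */
}

/* Close: the buffer always goes; the fixes also drop SACK state and timers. */
static void model_close(struct model_conn *c, bool fixed) {
    c->sndbuf = NULL;
    c->closed = true;
    if (fixed) {
        c->sack_holes = 0;
        c->timer_armed = false;
    }
}

/* RST path: with the fix, a closed connection does not re-arm timers. */
static void model_send_rst(struct model_conn *c, bool fixed) {
    if (!(fixed && c->closed))
        c->timer_armed = true;
}

/* Close, send a RST, then let the timer fire before the final teardown. */
static enum fire_result scenario(bool fixed, bool rto_discards_sack) {
    struct model_conn c = { "unacked data", 2, true, false };  /* constructed */
    model_close(&c, fixed);
    model_send_rst(&c, fixed);
    return timer_fire(&c, rto_discards_sack);
}

int main(void) {
    return scenario(false, false) == FIRE_NULL_BUFFER ? 0 : 1;
}
```

Running scenario() with rto_discards_sack set to true shows why the stale state stayed hidden while an RTO still emptied the scoreboard.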