panic in tcp_drop (and fix for it)
Navdeep Parhar
np at FreeBSD.org
Mon Oct 10 17:36:40 UTC 2011
While stress testing a few systems, I encountered a panic in tcp_drop
due to NULL tp->t_inpcb. tcp_drop had been called by tcp_timer_rexmt.
The problem is that timer_rexmt lets go of the pcbinfo and inp locks and
the inp could be dropped by the time it re-acquires the locks.

The attached patch fixes the problem. I've observed the counter in the
patch go up by 2-3 in 48 hours or so. If someone can review the patch
I can push it (without the counter) to head.

Regards,
Navdeep

--- a/sys/netinet/tcp_timer.c
+++ b/sys/netinet/tcp_timer.c
@@ -439,6 +439,8 @@
CURVNET_RESTORE();
}
+static int tcp_rexmt_inpdrop_race = 0;
+
void
tcp_timer_rexmt(void * xtp)
{
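Review bot: tcp_rexmt_inpdrop_race, declared just above tcp_timer_rexmt(), is a file-scope static int that nothing in the patch reads, so it is only observable from a debugger, and it is a single global although the surrounding code is per-vnet (CURVNET_RESTORE(), V_tcbinfo). The message says the counter will not be committed; remove this declaration together with the increment in the next hunk so neither is left behind. If it stays for further testing, the explicit "= 0" initializer on a static is redundant.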
@@ -495,6 +497,14 @@
CURVNET_RESTORE();
return;
}
+ if (inp->inp_flags & INP_DROPPED) {
+ tcp_rexmt_inpdrop_race++;
+ INP_WUNLOCK(inp);
+ INP_INFO_WUNLOCK(&V_tcbinfo);
+ CURVNET_RESTORE();
+ return;
+ }
+
tp = tcp_drop(tp, tp->t_softerror ?
tp->t_softerror : ETIMEDOUT);
headlocked = 1;
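Review bot: the new INP_DROPPED check in front of tcp_drop() carries no comment explaining why the flag can be set at this point. Add a short one saying that the pcbinfo and inp locks were released and re-acquired earlier in the function and the inp may have been dropped in that window; without it the test reads as redundant and is likely to be removed later. The early return does its own INP_WUNLOCK(inp) and INP_INFO_WUNLOCK(&V_tcbinfo), which is consistent with headlocked = 1 being set only after tcp_drop(), so nothing appears to be left held. The tcp_rexmt_inpdrop_race++ line should go when the counter is dropped before commit.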