[Bug 290039] syncache_drop() coredumps 15.0-ALPHA4-ish
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 290039] core under load 15.0-ALPHA4-ish"
Date: Tue, 07 Oct 2025 19:40:37 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290039
--- Comment #3 from David Gilbert <dave@daveg.ca> ---
I'm tempted to turn on invariants or somesuch, but I'm also wondering if this
is a heisenbug w.r.t. invariants.
So... I'm pretty much just feeling around. Found the definition of TAILQ_LAST()
--- and sch->sch_bucket->tqh_first is 0x0. I've included *sch and *sc below. I
do note that the size element isn't sensible:
(kgdb) p sch->sch_length
$3 = 4294967295
Even if someone is bashing syns at it (which could be happening --- it has a
public IP) ... that number is large enough to rather be a negative represented
unsigned.
(kgdb) p *sch
$5 = {sch_mtx = {lock_object = {lo_name = 0xffffffff81245932 "tcp_sc_head",
lo_flags = 16973824, lo_data = 0, lo_witness = 0x0},
mtx_lock = 18446735281974056832}, sch_bucket = {tqh_first = 0x0, tqh_last =
0xfffffe01f8342f60}, sch_timer = {c_links = {le = {
le_next = 0xffffffff81bded30 <logsoftc+88>, le_prev =
0xffffffff831893d0}, sle = {
sle_next = 0xffffffff81bded30 <logsoftc+88>}, tqe = {tqe_next =
0xffffffff81bded30 <logsoftc+88>,
tqe_prev = 0xffffffff831893d0}}, c_time = 126973187183134, c_precision
= 268435437, c_arg = 0xfffffe01f8342f40,
c_func = 0xffffffff80d6bc90 <syncache_timer>, c_lock = 0xfffffe01f8342f40,
c_flags = 2, c_iflags = 128, c_cpu = 0},
sch_nextc = 28962266, sch_length = 4294967295, sch_sc = 0xfffffe015df0cbb8,
sch_last_overflow = 31307}
(kgdb) p *sc
$6 = {sc_hash = {tqe_next = 0x0, tqe_prev = 0x0}, sc_inc = {inc_flags = 0
'\000', inc_len = 0 '\000', inc_fibnum = 0, inc_ie = {
ie_fport = 18169, ie_lport = 47873, ie_dependfaddr = {id46_addr =
{ia46_pad32 = {0, 0, 0}, ia46_addr4 = {
s_addr = 3563381669}}, id6_addr = {__u6_addr = {
__u6_addr8 = '\000' <repeats 12 times>, "\245\343", <incomplete
sequence \324>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 58277,
54372}, __u6_addr32 = {0, 0, 0, 3563381669}}}}, ie_dependladdr =
{id46_addr = {ia46_pad32 = {0, 0, 0}, ia46_addr4 = {
s_addr = 890527810}}, id6_addr = {__u6_addr = {__u6_addr8 = '\000'
<repeats 12 times>, "B`\0245", __u6_addr16 = {0, 0,
0, 0, 0, 0, 24642, 13588}, __u6_addr32 = {0, 0, 0, 890527810}}}},
ie6_zoneid = 0}}, sc_rxttime = 0, sc_rxmits = 0,
sc_port = 0, sc_tsreflect = 0, sc_tsoff = 0, sc_flowlabel = 0, sc_irs =
2993914448, sc_iss = 1241750539, sc_ipopts = 0x0,
sc_peer_mss = 1200, sc_wnd = 65535, sc_ip_ttl = 64 '@', sc_ip_tos = 0 '\000',
sc_requested_s_scale = 0 '\000',
sc_requested_r_scale = 0 '\000', sc_flags = 0, sc_challenge_ack_cnt = 0,
sc_challenge_ack_end = 0, sc_tod = 0x0, sc_todctx = 0x0,
sc_label = 0x0, sc_cred = 0xfffff8018db26900, sc_tfo_cookie = 0x0, sc_pspare
= 0x0, sc_spare = {0, 0}}
(kgdb)
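
Added example, not part of the original comment and not FreeBSD kernel code: a user-space consistency check that walks a TAILQ bucket and compares the real entry count with the length counter, run on a constructed state matching the dump above (empty list, sch_length = 4294967295). The names mock_sc, mock_head and bucket_check are hypothetical stand-ins that model only the fields quoted in the comment.

```c
#include <limits.h>
#include <stdio.h>
#include <sys/queue.h>

/* Simplified stand-ins for the kernel structures; only the fields
 * quoted in the comment are modelled (assumption, not kernel code). */
struct mock_sc { TAILQ_ENTRY(mock_sc) sc_hash; };
TAILQ_HEAD(mock_bucket, mock_sc);
struct mock_head {
    struct mock_bucket sch_bucket;
    unsigned int sch_length;       /* unsigned, as the kgdb output shows */
};

enum bucket_state { BUCKET_OK, BUCKET_COUNT_MISMATCH, BUCKET_COUNT_WRAPPED };

/* Walk the list and compare the real entry count with sch_length. */
static enum bucket_state
bucket_check(struct mock_head *sch, unsigned int *walked)
{
    struct mock_sc *sc;
    unsigned int n = 0;

    TAILQ_FOREACH(sc, &sch->sch_bucket, sc_hash)
        n++;
    *walked = n;
    if (sch->sch_length == n)
        return BUCKET_OK;
    /* A counter above INT_MAX that disagrees with the list reads as negative. */
    if (sch->sch_length > (unsigned int)INT_MAX)
        return BUCKET_COUNT_WRAPPED;
    return BUCKET_COUNT_MISMATCH;
}

int main(void)
{
    struct mock_head sch;
    unsigned int walked;

    /* Constructed state matching the dump: empty list, length 4294967295. */
    TAILQ_INIT(&sch.sch_bucket);
    sch.sch_length = 4294967295u;
    printf("state=%d walked=%u as_signed=%d last=%p\n",
        bucket_check(&sch, &walked), walked, (int)sch.sch_length,
        (void *)TAILQ_LAST(&sch.sch_bucket, mock_bucket));
    return 0;
}
```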