Infinite loop in tcp_output on RELENG_5

Kris Kennaway kris at obsecurity.org
Fri Oct 8 20:37:18 PDT 2004


pointyhat (SMP machine running RELENG_5) has twice in the past 2 days
gone into an infinite loop in the tcp_output() function (repeatedly
breaking into DDB and continuing, I can see it at different points in
the code).  I made tcp_output keep a counter and increment when it
hits the again: label.  If the counter reaches 1000, it panics.  This
happened again just now:

panic: Looping in tcp_output
cpuid = 0
KDB: enter: panic
[thread 100043]
Stopped at      kdb_enter+0x30: leave
db> tr
kdb_enter(c06de69a,0,c06e973a,ebbd5ba0,c34cd4b0) at kdb_enter+0x30
panic(c06e973a,0,ebbd5b68,0,0) at panic+0x14e
tcp_output(c395f8c0,c395f8c0,c3ed3e10,c05a79f0,ebbd5ca0) at tcp_output+0x19e
tcp_drop(c395f8c0,3c,c06e9fe7,1ab,e) at tcp_drop+0x30
tcp_timer_persist(c395f8c0,0,c06df6ba,f5,0) at tcp_timer_persist+0x14c
softclock(0,0,c06dc037,269,c0738ac0) at softclock+0x1c8
ithread_loop(c345d800,ebbd5d48,c06dbe2a,323,41531744) at ithread_loop+0x172
fork_exit(c04f1210,c345d800,ebbd5d48) at fork_exit+0xc6
fork_trampoline() at fork_trampoline+0x8
--- trap 0x1, eip = 0, esp = 0xebbd5d7c, ebp = 0 ---

This might be related to SACK, which is one of the situations where we
loop back to the again label, but that's just a guess.

Kris


More information about the freebsd-current mailing list