panic with tcpdrop

Robert Watson rwatson at FreeBSD.org
Sat Nov 24 08:23:31 PST 2007


On Fri, 23 Nov 2007, Rako wrote:

> Sorry for not sending this before.
>
> The connection that I killed was in TIME_WAIT or FIN_WAIT_? state.
>
> If you need any other information, please tell me.
> Javier

Javier,

Indeed, it looks like sysctl_drop is not handling certain TCP states properly 
with respect to locking.  This is probably my fault, as it looks like perhaps 
this was fallout from the socket<->inpcb reference cleanup work in 7.x.  The 
attached patch may help; could you give it a try?

Robert N M Watson
Computer Laboratory
University of Cambridge


>
> (kgdb) bt
> #0  doadump () at pcpu.h:195
> #1  0xc0788594 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
> #2  0xc07887bf in panic (fmt=Variable "fmt" is not available.
> ) at /usr/src/sys/kern/kern_shutdown.c:563
> #3  0xc09ccb43 in trap_fatal (frame=0xd66589c0, eva=24) at 
> /usr/src/sys/i386/i386/trap.c:872
> #4  0xc09cd4dd in trap (frame=0xd66589c0) at 
> /usr/src/sys/i386/i386/trap.c:277
> #5  0xc09b68fb in calltrap () at /usr/src/sys/i386/i386/exception.s:139
> #6  0xc07b8644 in turnstile_broadcast (ts=0x0, queue=0) at 
> /usr/src/sys/kern/subr_turnstile.c:834
> #7  0xc077ba02 in _mtx_unlock_sleep (m=0xc4c35288, opts=0, file=0x0, line=0) 
> at /usr/src/sys/kern/kern_mutex.c:593
> #8  0xc086ba27 in sysctl_drop (oidp=0xc0b0d2e0, arg1=0x0, arg2=0, 
> req=0xd6658ba4) at /usr/src/sys/netinet/tcp_subr.c:2057
> #9  0xc0791a87 in sysctl_root (oidp=Variable "oidp" is not available.
> ) at /usr/src/sys/kern/kern_sysctl.c:1306
> #10 0xc0791bd4 in userland_sysctl (td=0xc38c0210, name=0xd6658c14, namelen=4, 
> old=0x0, oldlenp=0x0, inkernel=0, new=0xbfbfeb90, newlen=256,
>    retval=0xd6658c10, flags=0) at /usr/src/sys/kern/kern_sysctl.c:1401
> #11 0xc07928fd in __sysctl (td=0xc38c0210, uap=0xd6658cfc) at 
> /usr/src/sys/kern/kern_sysctl.c:1336
> #12 0xc09cd0f5 in syscall (frame=0xd6658d38) at 
> /usr/src/sys/i386/i386/trap.c:1008
> #13 0xc09b6960 in Xint0x80_syscall () at 
> /usr/src/sys/i386/i386/exception.s:196
> #14 0x00000033 in ?? ()
> Previous frame inner to this frame (corrupt stack?)
>
> (kgdb) f 8
> #8  0xc086ba27 in sysctl_drop (oidp=0xc0b0d2e0, arg1=0x0, arg2=0, 
> req=0xd6658ba4) at /usr/src/sys/netinet/tcp_subr.c:2057
> 2057                    INP_UNLOCK(inp);
> (kgdb) l
> 2052                    } else if (!(inp->inp_vflag & INP_DROPPED) &&
> 2053                               !(inp->inp_socket->so_options & 
> SO_ACCEPTCONN)) {
> 2054                            tp = intotcpcb(inp);
> 2055                            tcp_drop(tp, ECONNABORTED);
> 2056                    }
> 2057                    INP_UNLOCK(inp);
> 2058            } else
> 2059                    error = ESRCH;
> 2060            INP_INFO_WUNLOCK(&tcbinfo);
> 2061            return (error);
> (kgdb)
>
>> 
>> On Fri, 23 Nov 2007, Javier wrote:
>> 
>>> Hi, I got a panic with the tcpdrop command.
>> 
>> Javier,
>> 
>> I see you may have a coredump -- could you provide a backtrace from gdb for 
>> the below?  Specifically, I'd like to know what line sysctl_drop+0x207 is.
>> 
>> Thanks,
>> 
>> Robert N M Watson
>> Computer Laboratory
>> University of Cambridge
>> 
>> 
>>> Regards,
>>> Javier
>>> 
>>> uname  -a
>>> FreeBSD odin.valhala 7.0-BETA3 FreeBSD 7.0-BETA3 #0: Mon Nov 19 15:40:35 
>>> ART 2007
>>> 
>>> Fatal trap 12: page fault while in kernel mode
>>> fault virtual address   = 0x18
>>> fault code              = supervisor read, page not present
>>> instruction pointer     = 0x20:0xc07b8644
>>> stack pointer           = 0x28:0xd6658a00
>>> frame pointer           = 0x28:0xd6658a0c
>>> code segment            = base 0x0, limit 0xfffff, type 0x1b
>>>                       = DPL 0, pres 1, def32 1, gran 1
>>> processor eflags        = resume, IOPL = 0
>>> current process         = 77347 (tcpdrop)
>>> trap number             = 12
>>> panic: page fault
>>> KDB: stack backtrace:
>>> db_trace_self_wrapper(c0a5f1ea,d66588e0,c078878a,c0a5d5f4,c0b5bcc0,...) at 
>>> db_trace_self_wrapper+0x26
>>> kdb_backtrace(c0a5d5f4,c0b5bcc0,c0a1fb8c,d66588ec,d66588ec,...) at 
>>> kdb_backtrace+0x29
>>> panic(c0a1fb8c,c0a7c54d,c39ac220,1,1,...) at panic+0xaa
>>> trap_fatal(c0a7c44f,c,246,c38c0210,c,...) at trap_fatal+0x303
>>> trap(d66589c0) at trap+0x10d
>>> calltrap() at calltrap+0x6
>>> --- trap 0xc, eip = 0xc07b8644, esp = 0xd6658a00, ebp = 0xd6658a0c ---
>>> turnstile_broadcast(0,0,c4c351f8,0,d6658b54,...) at 
>>> turnstile_broadcast+0x34
>>> _mtx_unlock_sleep(c4c35288,0,0,0,e103,...) at _mtx_unlock_sleep+0x52
>>> sysctl_drop(c0b0d2e0,0,0,d6658ba4,d6658ba4,...) at sysctl_drop+0x207
>>> sysctl_root(d6658ba4,100,1,c0937524,c1fbb1e0,...) at sysctl_root+0x127
>>> userland_sysctl(c38c0210,d6658c14,4,0,0,...) at userland_sysctl+0x134
>>> __sysctl(c38c0210,d6658cfc,18,c38c0210,d6658d2c,...) at __sysctl+0xdd
>>> syscall(d6658d38) at syscall+0x335
>>> Xint0x80_syscall() at Xint0x80_syscall+0x20
>>> --- syscall (202, FreeBSD ELF32, __sysctl), eip = 0x28148a3b, esp = 
>>> 0xbfbfe32c, ebp = 0xbfbfe358 ---
>>> Uptime: 2d20h23m41s
>>> Physical memory: 495 MB
>>> Dumping 129 MB: 114 98 82 66 50 34 18 2
>>> 
>>> #0  doadump () at pcpu.h:195
>>> 195     pcpu.h: No such file or directory.
>>>       in pcpu.h
>>> (kgdb)
>>> 
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tcp_drop.diff
Type: text/x-diff
Size: 795 bytes
Desc: 
Url : http://lists.freebsd.org/pipermail/freebsd-current/attachments/20071124/208ead15/tcp_drop.bin

