From owner-freebsd-net@freebsd.org Thu Sep 24 09:39:14 2015 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6A744A08464 for ; Thu, 24 Sep 2015 09:39:14 +0000 (UTC) (envelope-from girgen@FreeBSD.org) Received: from mail.pingpong.net (mail.pingpong.net [79.136.116.202]) by mx1.freebsd.org (Postfix) with ESMTP id EA2A21A90; Thu, 24 Sep 2015 09:39:13 +0000 (UTC) (envelope-from girgen@FreeBSD.org) Received: from [10.0.1.12] (h-155-4-74-242.na.cust.bahnhof.se [155.4.74.242]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.pingpong.net (Postfix) with ESMTPSA id 34E0DEFE6; Thu, 24 Sep 2015 11:39:08 +0200 (CEST) Content-Type: text/plain; charset=windows-1252 Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\)) Subject: Re: Kernel panics in tcp_twclose From: Palle Girgensohn In-Reply-To: <5603ACF7.7040403@freebsd.org> Date: Thu, 24 Sep 2015 11:39:08 +0200 Cc: freebsd-net@freebsd.org Content-Transfer-Encoding: quoted-printable Message-Id: <97E97774-842B-440A-BBA4-808FF821EC98@FreeBSD.org> References: <26B0FF93-8AE3-4514-BDA1-B966230AAB65@FreeBSD.org> <55FC1809.3070903@freebsd.org> <20150918160605.GN67105@kib.kiev.ua> <55FFBE01.6060706@freebsd.org> <3721F099-F45D-4DCD-8AB3-84D1ABC44145@FreeBSD.org> <73856F2B-3E70-483C-9988-C84E798CEB44@FreeBSD.org> <44EBAC98-4761-4E47-8E47-5032430A1C8A@FreeBSD.org> <56019AF8.8000705@freebsd.org> <5601CF2D.9030307@freebsd.org> <5602E90A.9050504@freebsd.org> <0931591A-23EC-40CB-A109-72E9308B1A2D@pingpong.net> <5602F044.5010606@freebsd.org> <54767991-9D3B-4ECB-A07E-CFA21A54BBDD@pingpong.net> <4E148E2E-F8D2-41C2-B232-9FD1548AA20B@pingpong.net> <30AD333B-EC8B-4EEF-8FE2-8EA8C216601E@FreeBSD.org> <5603A03B.4060002@freebsd.org> <5603ACF7.7040403@freebsd.org> To: Julien Charbon X-Mailer: Apple Mail (2.2104) X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Sep 2015 09:39:14 -0000 > 24 sep 2015 kl. 09:57 skrev Julien Charbon : >=20 >=20 > Hi -net, >=20 > On 24/09/15 09:03, Julien Charbon wrote: >> On 24/09/15 08:55, Palle Girgensohn wrote: >>>> 24 sep 2015 kl. 07:51 skrev Palle Girgensohn >>>> : >>>>> 24 sep 2015 kl. 00:05 skrev Palle Girgensohn >>>>> : >>>>>> 23 sep 2015 kl. 20:32 skrev Julien Charbon :=20 >>>>>> On 23/09/15 20:26, Palle Girgensohn wrote: >>>>> Kernels and userland are updated to 10.2-p3 with the patch >>>>> removing the suspicous KASSERT. >>>>> dtrace running continously redirecting to a log file. >>> Just had a crash. Unfortunately, the kernel was stuck at the db> >>> prompt, and the remote keyboard was unresponsive (HP ILO, not >>> impressed). So I had to reset the power and never got a core dump... >>>=20 >>> panic: tcp_tw_2msl_stop: inp should not be released here >>> cpuid =3D 0 >>> KDB: stack backtrace: >>> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame >>> 0xfffffe175acd16a0 kdb_backtrace() at kdb_backtrace+0x39/frame >>> 0xfffffe175acd1750 vpanic() at vpanic+0x126/frame 0xfffffe175acd1790 >>> kassert_panic() at kassert_panic+0x139/frame 0xfffffe175acd1800 >>> tcp_twclose() at tcp_twclose+0x2cb/frame 0xfffffe175acd1850 >>> tcp_tw_2msl_scan() at tcp_tw_2msl_scan+0x13b/frame >>> 0xfffffe175acd1890 tcp_slowtimo() at tcp_slowtimo+0x68/frame >>> 0xfffffe175acd18c0 pfslowtimo() at pfslowtimo+0x54/frame >>> 0xfffffe175acd18f0 softclock_call_cc() at >>> softclock_call_cc+0x193/frame 0xfffffe175acd19d0 softclock() at >>> softclock+0x47/frame 0xfffffe175acd19f0 = intr_event_execute_handlers() >>> at intr_event_execute_handlers+0x93/frame 0xfffffe 175acd1a30 >>> ithread_loop() at ithread_loop+0xa6/frame 0xfffffe175acd1a70 >>> fork_exit() at fork_exit+0x84/frame 0xfffffe175acd1ab0 >>> fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe175acd1ab0 >>> --- trap 0, rip =3D 0, rsp =3D 0xfffffe175acd1b70, rbp =3D 0 --- >>> KDB: enter: panic >>> [ thread pid 12 tid 100043 ] >>> Stopped at kdb_enter+0x3e: movq $0,kdb_why >>> db> >>=20 >> Thanks a log for this backstrace. This is what at expected, when >> tcp_close() in call in INP_TIMEWAIT case, in_pcbfree() can be called = one >> extra time that leads to: >>=20 >> tcp_tw_2msl_stop: inp should not be released here >>=20 >> Let me try to come with a tentative fix for this case. >=20 > See joined my tentative patch for these case. It is only a first > tentative patch as I am still waiting on -net feedbacks on what should > be the rule here. >=20 > By the way: >=20 > - I see nothing specific to VIMAGE here >=20 > - Anyone aware of tcp_close() (or tcp_drop()) calls = modified/introduced > recently in 10.2 that could explained why this issue only appears only = now? >=20 > -- > Julien > Running a machine with the patch now (it just crashed and rebooted with = the new kernel). Hoping it will have a "soothing" effect... ;-) dtrace running as previously. No output yet, though. Palle