From owner-freebsd-current Mon Feb 21 20:22:53 2000 Delivered-To: freebsd-current@freebsd.org Received: from fgwmail7.fujitsu.co.jp (fgwmail7.fujitsu.co.jp [192.51.44.37]) by hub.freebsd.org (Postfix) with ESMTP id 2ECE137B67F; Mon, 21 Feb 2000 20:22:44 -0800 (PST) (envelope-from shin@nd.net.fujitsu.co.jp) Received: from m5.gw.fujitsu.co.jp by fgwmail7.fujitsu.co.jp (8.9.3/3.7W-MX0002-Fujitsu Gateway) id NAA25932; Tue, 22 Feb 2000 13:22:39 +0900 (JST) (envelope-from shin@nd.net.fujitsu.co.jp) Received: from chisato.nd.net.fujitsu.co.jp by m5.gw.fujitsu.co.jp (8.9.3/3.7W-0002-Fujitsu Domain Master) id NAA25301; Tue, 22 Feb 2000 13:22:37 +0900 (JST) Received: from localhost (dhcp7194.nd.net.fujitsu.co.jp [10.18.7.194]) by chisato.nd.net.fujitsu.co.jp (8.8.5+2.7Wbeta5/3.3W8chisato-970826) with ESMTP id NAA23872; Tue, 22 Feb 2000 13:22:36 +0900 (JST) To: asmodai@bart.nl Cc: freebsd-current@FreeBSD.ORG, freebsd-net@FreeBSD.ORG Subject: Re: Panic (TCP) In-Reply-To: <20000221144858.O84100@lucifer.bart.nl> References: <20000221134724.J84100@lucifer.bart.nl> <20000221223459W.shin@nd.net.fujitsu.co.jp> <20000221144858.O84100@lucifer.bart.nl> X-Mailer: Mew version 1.94 on Emacs 20.4 / Mule 4.0 (HANANOEN) X-Prom-Mew: Prom-Mew 1.93.4 (procmail reader for Mew) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <20000222132327B.shin@nd.net.fujitsu.co.jp> Date: Tue, 22 Feb 2000 13:23:27 +0900 From: Yoshinobu Inoue X-Dispatcher: imput version 990905(IM130) Lines: 82 Sender: owner-freebsd-current@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG > >Woops sorry I was worng. > >tp->tt_rexmt->c_flags is actually causing the panic, and the > >necessary data is the contents of the tp->tt_rexmt->c_flags. > > (kgdb) print tp->tt_rexmt->c_flags > $1 = 6 > > (kgdb) print tp->tt_rexmt > $2 = (struct callout *) 0xd5ce6c2c > > (kgdb) print (*tp->tt_rexmt) > $3 = {c_links = {sle = {sle_next = 0xd5cd7c2c}, tqe = {tqe_next = 0xd5cd7c2c, > tqe_prev = 0xd5cd83ac}}, c_time = 22275144, c_arg = 0xd5ce6b60, > c_func = 0xc018bcdc , c_flags = 6} Wmm, the contents of tp->tt_rexmt not seems to be broken. As the result of more review, I found one part which might cause the problem in very delicate timing, tcp_output.c around line 776. if (!callout_active(tp->tt_rexmt) && tp->snd_nxt != tp->snd_una) { callout_reset(tp->tt_rexmt, tp->t_rxtcur, tcp_timer_rexmt, tp); if (callout_active(tp->tt_persist)) { callout_stop(tp->tt_persist); tp->t_rxtshift = 0; } } If persist timer is working, and if it happen to timeout between callout_reset(tp->tt_rexmt, tp->t_rxtcur, tcp_timer_rexmt, tp); and callout_stop(tp->tt_persist); then the panic might happen at tcp_setpersist(). This is same as Jan 5 version, but in more previous version, the code was like below, if (tp->t_timer[TCPT_REXMT] == 0 && tp->snd_nxt != tp->snd_una) { tp->t_timer[TCPT_REXMT] = tp->t_rxtcur; if (tp->t_timer[TCPT_PERSIST]) { tp->t_timer[TCPT_PERSIST] = 0; tp->t_rxtshift = 0; } } Same problem might also happen in this case but the running step were more fewer than now, so it was more difficult to happen. I think applying following patch will be safer. Please review this patch. (Same kind of patch might better to be applied into stable also.) Thanks, Yoshinobu Inoue Index: tcp_output.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/tcp_output.c,v retrieving revision 1.39 diff -u -r1.39 tcp_output.c --- tcp_output.c 2000/02/09 00:34:40 1.39 +++ tcp_output.c 2000/02/22 04:13:32 @@ -775,12 +775,12 @@ */ if (!callout_active(tp->tt_rexmt) && tp->snd_nxt != tp->snd_una) { - callout_reset(tp->tt_rexmt, tp->t_rxtcur, - tcp_timer_rexmt, tp); if (callout_active(tp->tt_persist)) { callout_stop(tp->tt_persist); tp->t_rxtshift = 0; } + callout_reset(tp->tt_rexmt, tp->t_rxtcur, + tcp_timer_rexmt, tp); } } else if (SEQ_GT(tp->snd_nxt + len, tp->snd_max)) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message