Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 22 Feb 2000 13:23:27 +0900
From:      Yoshinobu Inoue <shin@nd.net.fujitsu.co.jp>
To:        asmodai@bart.nl
Cc:        freebsd-current@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject:   Re: Panic (TCP)
Message-ID:  <20000222132327B.shin@nd.net.fujitsu.co.jp>
In-Reply-To: <20000221144858.O84100@lucifer.bart.nl>
References:  <20000221134724.J84100@lucifer.bart.nl> <20000221223459W.shin@nd.net.fujitsu.co.jp> <20000221144858.O84100@lucifer.bart.nl>

next in thread | previous in thread | raw e-mail | index | archive | help
> >Woops sorry I was worng.
> >tp->tt_rexmt->c_flags is actually causing the panic, and the
> >necessary data is the contents of the tp->tt_rexmt->c_flags.
> 
> (kgdb) print tp->tt_rexmt->c_flags
> $1 = 6
> 
> (kgdb) print tp->tt_rexmt         
> $2 = (struct callout *) 0xd5ce6c2c
> 
> (kgdb) print (*tp->tt_rexmt)
> $3 = {c_links = {sle = {sle_next = 0xd5cd7c2c}, tqe = {tqe_next = 0xd5cd7c2c,
>       tqe_prev = 0xd5cd83ac}}, c_time = 22275144, c_arg = 0xd5ce6b60, 
>   c_func = 0xc018bcdc <tcp_timer_rexmt>, c_flags = 6}

Wmm, the contents of tp->tt_rexmt not seems to be broken.

As the result of more review, I found one part which might
cause the problem in very delicate timing, tcp_output.c around line 776.

		if (!callout_active(tp->tt_rexmt) &&
		    tp->snd_nxt != tp->snd_una) {
			callout_reset(tp->tt_rexmt, tp->t_rxtcur,
				      tcp_timer_rexmt, tp);
			if (callout_active(tp->tt_persist)) {
				callout_stop(tp->tt_persist);
				tp->t_rxtshift = 0;
			}
		}

If persist timer is working, and if it happen to timeout between
			callout_reset(tp->tt_rexmt, tp->t_rxtcur,
				      tcp_timer_rexmt, tp);
and
				callout_stop(tp->tt_persist);
then the panic might happen at tcp_setpersist().

This is same as Jan 5 version, but in more previous version,
the code was like below,

		if (tp->t_timer[TCPT_REXMT] == 0 &&
		    tp->snd_nxt != tp->snd_una) {
			tp->t_timer[TCPT_REXMT] = tp->t_rxtcur;
			if (tp->t_timer[TCPT_PERSIST]) {
				tp->t_timer[TCPT_PERSIST] = 0;
				tp->t_rxtshift = 0;
			}
		}

Same problem might also happen in this case but the running
step were more fewer than now, so it was more difficult to
happen.

I think applying following patch will be safer.
Please review this patch.
(Same kind of patch might better to be applied into stable also.)

Thanks,
Yoshinobu Inoue

Index: tcp_output.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/tcp_output.c,v
retrieving revision 1.39
diff -u -r1.39 tcp_output.c
--- tcp_output.c	2000/02/09 00:34:40	1.39
+++ tcp_output.c	2000/02/22 04:13:32
@@ -775,12 +775,12 @@
 		 */
 		if (!callout_active(tp->tt_rexmt) &&
 		    tp->snd_nxt != tp->snd_una) {
-			callout_reset(tp->tt_rexmt, tp->t_rxtcur,
-				      tcp_timer_rexmt, tp);
 			if (callout_active(tp->tt_persist)) {
 				callout_stop(tp->tt_persist);
 				tp->t_rxtshift = 0;
 			}
+			callout_reset(tp->tt_rexmt, tp->t_rxtcur,
+				      tcp_timer_rexmt, tp);
 		}
 	} else
 		if (SEQ_GT(tp->snd_nxt + len, tp->snd_max))


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000222132327B.shin>