On Wed, Nov 30, 2011 at 01:19:17AM +0100, Claudio Jeker wrote:
> On Wed, Nov 30, 2011 at 03:54:18AM +0400, Alexander Polakov wrote:
> > From time to time I get this panic when detaching run device, while
> > traffic is flowing through it.
> >
> > run0 detached
> > uvm_fault(0xffffffff80xfcc00, 0xffff800001008000, 0, 1) -> e
> > kernel: page fault trap, code=0
> > Stopped at tcp_mss+0x129: testb 0x8, 0xa4(%r14)
> > ddb{0}> trace
> > tcp_mss() at tcp_mss+0x129
> > tcp_output() at tcp_output+0xbb6
> > tcp_timer_rexmt() at tcp_timer_rexmt+0x2f3
> > softclock() at softclock+0x291
> > softintr_dispatch() at softintr_dispatch+0x5d
> > Xsoftclock() at Xsoftclock+0x2d
> >
> > I tried debugging it myself and found that it is tcp_input.c:3080 (if I
> > didn't screw up).
> >
> > 3073 if (!ifp)
> > 3074 /*
> > 3075 * ifp may be null and rmx_mtu may be zero in certain
> > 3076 * v6 cases (e.g., if ND wasn't able to resolve the
> > 3077 * destination host.
> > 3078 */
> > 3079 goto out;
> > 3080 else if (ifp->if_flags & IFF_LOOPBACK)
> > 3081 mss = ifp->if_mtu - iphlen - sizeof(struct tcphdr);
> >
>
> Can you try the following diff?
> It is scary that we never checked if the cached route is valid in
> in_pcbrtentry(). It always reliad on the check in ip_output().
>
This is still open, I think this diff should go in.
OKs?
--
:wq Claudio
Index: in_pcb.c
===================================================================
RCS file: /cvs/src/sys/netinet/in_pcb.c,v
retrieving revision 1.125
diff -u -p -r1.125 in_pcb.c
--- in_pcb.c 11 Jan 2012 17:45:05 -0000 1.125
+++ in_pcb.c 9 Feb 2012 09:30:02 -0000
@@ -748,6 +748,12 @@ in_pcbrtentry(struct inpcb *inp)
ro = &inp->inp_route;
+ /* check if route is still valid */
+ if (ro->ro_rt && (ro->ro_rt->rt_flags & RTF_UP) == 0) {
+ RTFREE(ro->ro_rt);
+ ro->ro_rt = NULL;
+ }
+
/*
* No route yet, so try to acquire one.
*/
@@ -767,6 +773,7 @@ in_pcbrtentry(struct inpcb *inp)
ro->ro_dst.sa_len = sizeof(struct sockaddr_in6);
((struct sockaddr_in6 *) &ro->ro_dst)->sin6_addr =
inp->inp_faddr6;
+ ro->ro_tableid = inp->inp_rtableid;
rtalloc_mpath(ro, &inp->inp_laddr6.s6_addr32[0]);
break;
#endif /* INET6 */