Re: panic in tcp_mss() on run detachment

Sun, 04 Mar 2012 07:09:33 -0800 

On Wed, Nov 30, 2011 at 01:19:17AM +0100, Claudio Jeker wrote:
> On Wed, Nov 30, 2011 at 03:54:18AM +0400, Alexander Polakov wrote:
> > From time to time I get this panic when detaching run device, while
> > traffic is flowing through it.
> > 
> > run0 detached
> > uvm_fault(0xffffffff80xfcc00, 0xffff800001008000, 0, 1) -> e
> > kernel: page fault trap, code=0
> > Stopped at tcp_mss+0x129: testb 0x8, 0xa4(%r14)
> > ddb{0}> trace
> > tcp_mss() at tcp_mss+0x129
> > tcp_output() at tcp_output+0xbb6
> > tcp_timer_rexmt() at tcp_timer_rexmt+0x2f3
> > softclock() at softclock+0x291
> > softintr_dispatch() at softintr_dispatch+0x5d
> > Xsoftclock() at Xsoftclock+0x2d
> > 
> > I tried debugging it myself and found that it is tcp_input.c:3080 (if I
> > didn't screw up).
> > 
> > 3073         if (!ifp)
> > 3074                 /*
> > 3075                  * ifp may be null and rmx_mtu may be zero in certain
> > 3076                  * v6 cases (e.g., if ND wasn't able to resolve the
> > 3077                  * destination host.
> > 3078                  */
> > 3079                 goto out;
> > 3080         else if (ifp->if_flags & IFF_LOOPBACK)
> > 3081                 mss = ifp->if_mtu - iphlen - sizeof(struct tcphdr);
> > 
> 
> Can you try the following diff?
> It is scary that we never checked if the cached route is valid in
> in_pcbrtentry(). It always reliad on the check in ip_output().
> 

This is still open, I think this diff should go in.

OKs?
-- 
:wq Claudio

Index: in_pcb.c
===================================================================
RCS file: /cvs/src/sys/netinet/in_pcb.c,v
retrieving revision 1.125
diff -u -p -r1.125 in_pcb.c
--- in_pcb.c    11 Jan 2012 17:45:05 -0000      1.125
+++ in_pcb.c    9 Feb 2012 09:30:02 -0000
@@ -748,6 +748,12 @@ in_pcbrtentry(struct inpcb *inp)
 
        ro = &inp->inp_route;
 
+       /* check if route is still valid */
+       if (ro->ro_rt && (ro->ro_rt->rt_flags & RTF_UP) == 0) {
+               RTFREE(ro->ro_rt);
+               ro->ro_rt = NULL;
+       }
+
        /*
         * No route yet, so try to acquire one.
         */
@@ -767,6 +773,7 @@ in_pcbrtentry(struct inpcb *inp)
                        ro->ro_dst.sa_len = sizeof(struct sockaddr_in6);
                        ((struct sockaddr_in6 *) &ro->ro_dst)->sin6_addr =
                            inp->inp_faddr6;
+                       ro->ro_tableid = inp->inp_rtableid;
                        rtalloc_mpath(ro, &inp->inp_laddr6.s6_addr32[0]);
                        break;
 #endif /* INET6 */

Reply via email to