Hi, I have a core dump from a not quite OpenBSD 5.2 crash. There the pointers to socket, inpcb, tcpcb on the stack of tcp_input() and tcp_output() look very inconsistent. Especially the so->so_pcb is NULL, which can only happen after the inp has been detached. The whole thing reminds me of the old panic: pool_do_get(inpcbpl): free list modified.
http://marc.info/?l=openbsd-bugs&m=132630237316970&w=2 To get more information, I would like to add some asserts that guarantee the consistency of the socket, inpcb, tcpcb linking. I suspect that we might have a freed inp stored in the pcbhashes. ok? bluhm Index: netinet/tcp_input.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/tcp_input.c,v retrieving revision 1.267 diff -u -p -u -p -r1.267 tcp_input.c --- netinet/tcp_input.c 13 Aug 2013 09:52:53 -0000 1.267 +++ netinet/tcp_input.c 5 Sep 2013 21:20:22 -0000 @@ -641,6 +641,8 @@ findpcb: goto dropwithreset_ratelim; } } + KASSERT(sotoinpcb(inp->inp_socket) == inp); + KASSERT(intotcpcb(inp)->t_inpcb == inp); /* Check the minimum TTL for socket. */ if (inp->inp_ip_minttl && inp->inp_ip_minttl > ip->ip_ttl) Index: netinet/udp_usrreq.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/udp_usrreq.c,v retrieving revision 1.165 diff -u -p -u -p -r1.165 udp_usrreq.c --- netinet/udp_usrreq.c 31 Jul 2013 15:41:52 -0000 1.165 +++ netinet/udp_usrreq.c 5 Sep 2013 21:20:50 -0000 @@ -592,6 +592,7 @@ udp_input(struct mbuf *m, ...) return; } } + KASSERT(sotoinpcb(inp->inp_socket) == inp); #if NPF > 0 /* The statekey has finished finding the inp, it is no longer needed. */
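Review bot: in the tcp_input.c hunk, the second assert `KASSERT(intotcpcb(inp)->t_inpcb == inp);` dereferences `intotcpcb(inp)` (inp_ppcb) unconditionally, so if the inp you suspect is stale has a NULL or garbage inp_ppcb the machine faults inside the assert itself and you get a page fault trace instead of the clean KASSERT message this diff is meant to produce. Guard it first, e.g. `KASSERT(intotcpcb(inp) != NULL);` (or `KASSERT(inp->inp_ppcb != NULL);`) ahead of the t_inpcb comparison, and if tcp_input() already tolerates a missing tcpcb for an inp found in the hash later in this function, the new assert would turn that handled case into a panic, so it should sit after that point rather than directly after findpcb.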
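Review bot: in the udp_usrreq.c hunk, `KASSERT(sotoinpcb(inp->inp_socket) == inp);` is placed just before the `#if NPF > 0` statekey block, so when it fires it will not tell you whether the inconsistent inp came out of the pcb hash lookup or out of a pf state key, which is exactly the distinction the "freed inp stored in the pcbhashes" theory needs. Either put the assert (or a second copy) directly at the hash lookup that yields inp, or use KASSERTMSG with a short note of which lookup path was taken if that macro is available in this tree; a brief comment above the assert saying it checks socket/inpcb cross-linking for the crash you are chasing would also help whoever reads the panic later.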