Subject: -current panic: tcp_reass_lock
To: None <current-users@netbsd.org>
From: Sean Doran <smd@sean.ebone.net>
List: current-users
Date: 07/25/1999 05:29:36
I can reproduce this with Netscape by visiting a page with lots of JavaScript
goodies, sigh. I can't tell which change started this breaking, but it was
very recent.
See frame 17 below, and the comment after the gdb output about
TCP_REASS_UNLOCK not being called before sorwakeup.
Sean.
#0 0xf01d21e6 in hexdigits.29 ()
#1 0x6f58000 in ?? ()
#2 0xf0187037 in cpu_reboot (howto=260, bootstr=0x0)
at ../../../../arch/i386/i386/machdep.c:1212
#3 0xf012c969 in panic () at ../../../../kern/subr_prf.c:212
#4 0xf0162b2d in tcp_input (m=0xf051f484) at ../../../../netinet/tcp_var.h:247
#5 0xf015bf96 in ip_input (m=0xf051f484) at ../../../../netinet/ip_input.c:663
#6 0xf015ba24 in ipintr () at ../../../../netinet/ip_input.c:334
#7 0xf0101d5e in Xsoftnet ()
#8 0xf018700f in cpu_reboot (howto=256, bootstr=0x0)
at ../../../../arch/i386/i386/machdep.c:1199
#9 0xf012c969 in panic () at ../../../../kern/subr_prf.c:212
#10 0xf0162b2d in tcp_input (m=0xf0520808) at ../../../../netinet/tcp_var.h:247
#11 0xf015bf96 in ip_input (m=0xf0520808) at ../../../../netinet/ip_input.c:663
#12 0xf015ba24 in ipintr () at ../../../../netinet/ip_input.c:334
#13 0xf0101d5e in Xsoftnet ()
#14 0xf01227ff in pfind (pid=333) at ../../../../kern/kern_proc.c:337
#15 0xf012fab2 in selwakeup (sip=0xf0631ddc)
at ../../../../kern/sys_generic.c:982
#16 0xf013b3b8 in sowakeup (so=0xf0631d80, sb=0xf0631dc4)
at ../../../../kern/uipc_socket2.c:313
#17 0xf0162c13 in tcp_input (m=0xf0520708)
at ../../../../netinet/tcp_input.c:1878
#18 0xf015bf96 in ip_input (m=0xf0520708) at ../../../../netinet/ip_input.c:663
#19 0xf015ba24 in ipintr () at ../../../../netinet/ip_input.c:334
#20 0xf0101d5e in Xsoftnet ()
frame 18
#18 0xf015bf96 in ip_input (m=0xf0520708) at ../../../../netinet/ip_input.c:663
(gdb) print *m
print *m
$3 = {m_hdr = {mh_next = 0x0, mh_nextpkt = 0x0,
mh_data = 0xfc52e838 "HTTP/1.0 200 OK\r\nServer: DCLK-AdSvr\r\nContent-Type: application/x-javascript\r\nContent-Length: 337\r\nDate: Sun, 25 Jul 1999 02:46:36 GMT\r\nExpires: Sun, 25 Jul 1999 02:51:36 GMT\r\n\r\ndocument.write('<a targ"..., mh_len = 514, mh_type = 1, mh_flags = 1035}, M_dat = {MH = {MH_pkthdr = {
rcvif = 0xf050c030, len = 554}, MH_dat = {MH_ext = {
ext_buf = 0xfc52e800 "ï¾", ext_free = 0, ext_arg = 0x0,
ext_size = 2048, ext_type = 0, ext_nextref = 0xf0520708,
ext_prevref = 0xf0520708},
MH_databuf = "\000èRü\000\000\000\000\000\000\000\000\000\b\000\000\000\000\000\000\b\aRð\b\aRð\034µI\b\000\000.\000<\000\001\000<\000.\000+\000\001\000\000\000\000\000&\000\000\000\000\000\000\000\020\000\020\000\000\000\000\000\000\000\000\000\034µI\b\000\b\000\000\000\000\000\000\200\001\006\000\000\000\000\000v\002À\000\000\000\000"}},
M_databuf = "0ÀPð*\002\000\000\000èRü\000\000\000\000\000\000\000\000\000\b\000\000\000\000\000\000\b\aRð\b\aRð\034µI\b\000\000.\000<\000\001\000<\000.\000+\000\001\000\000\000\000\000&\000\000\000\000\000\000\000\020\000\020\000\000\000\000\000\000\000\000\000\034µI\b\000\b\000\000\000\000\000\000\200\001\006\000\000\000\000\000v\002À\000\000\000\000"}}
#17 0xf0162c13 in tcp_input (m=0xf0520708)
at ../../../../netinet/tcp_input.c:1878
(gdb) print *tp
print *tp
$6 = {t_family = 2, segq = {lh_first = 0x0}, t_timer = {0, 0, 15080, 0},
t_state = 4, t_rxtshift = 0, t_rxtcur = 3, t_dupacks = 0, t_peermss = 1460,
t_ourmss = 1460, t_segsz = 1460, t_force = 0 '\000', t_flags = 30882,
t_template = 0xf04eae00, t_inpcb = 0xf0568960, t_in6pcb = 0x0, t_delack = {
le_next = 0x0, le_prev = 0xf0230f1c}, snd_una = 2994486700,
snd_nxt = 2994486700, snd_up = 2994486358, snd_wl1 = 298340515,
snd_wl2 = 2994486700, iss = 2994486357, snd_wnd = 8418,
snd_recover = 2994486357, rcv_wnd = 130886, rcv_nxt = 298340515,
rcv_up = 298340515, irs = 298340000, rcv_adv = 298405536,
snd_max = 2994486700, snd_cwnd = 7300, snd_ssthresh = 1073725440,
t_idle = 0, t_rtt = 0, t_rtseq = 2994486358, t_srtt = 28, t_rttvar = 10,
t_rttmin = 2, max_sndwnd = 8760, t_oobflags = 0 '\000', t_iobc = 0 '\000',
t_softerror = 0, snd_scale = 0 '\000', rcv_scale = 0 '\000',
request_r_scale = 2 '\002', requested_s_scale = 0 '\000', ts_recent = 0,
ts_recent_age = 0, last_ack_sent = 298340001, timeq = {lh_first = 0x0}}
(gdb) print *so
print *so
$8 = {so_type = 1, so_options = 0, so_linger = 0, so_state = 130,
so_pcb = 0xf0568960, so_proto = 0xf01f3528, so_head = 0x0, so_onq = 0x0,
so_q0 = {tqh_first = 0x0, tqh_last = 0xf0631d98}, so_q = {tqh_first = 0x0,
tqh_last = 0xf0631da0}, so_qe = {tqe_next = 0x0, tqe_prev = 0x0},
so_q0len = 0, so_qlen = 0, so_qlimit = 0, so_timeo = 0, so_error = 0,
so_pgid = 0, so_oobmark = 0, so_rcv = {sb_cc = 514, sb_hiwat = 131400,
sb_mbcnt = 2176, sb_mbmax = 262144, sb_lowat = 1, sb_mb = 0xf0520708,
sb_sel = {si_pid = 333, si_flags = 0}, sb_flags = 8, sb_timeo = 0},
so_snd = {sb_cc = 0, sb_hiwat = 131400, sb_mbcnt = 0, sb_mbmax = 262144,
sb_lowat = 2048, sb_mb = 0x0, sb_sel = {si_pid = 0, si_flags = 0},
sb_flags = 0, sb_timeo = 0}, so_internal = 0x0, so_upcall = 0,
so_upcallarg = 0x0, so_send = 0xf01396ec <sosend>,
so_receive = 0xf0139e14 <soreceive>, so_uid = 1113}
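This code looks suspicious: sorwakeup() is called while TCP_REASS_LOCK is still held, and frames 9-16 above appear to show a softnet interrupt (Xsoftnet) arriving during that wakeup and re-entering tcp_input, which then panics. Shouldn't we unlock before sorwakeup?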
/* NOTE: this was TCP_REASS() macro, but used only once */
TCP_REASS_LOCK(tp);
if (th->th_seq == tp->rcv_nxt &&
tp->segq.lh_first == NULL &&
tp->t_state == TCPS_ESTABLISHED) {
TCP_SETUP_ACK(tp, th);
tp->rcv_nxt += tlen;
tiflags = th->th_flags & TH_FIN;
tcpstat.tcps_rcvpack++;\
tcpstat.tcps_rcvbyte += tlen;\
sbappend(&(so)->so_rcv, m);
=> sorwakeup(so);
} else {
tiflags = tcp_reass(tp, th, m, &tlen);
tp->t_flags |= TF_ACKNOW;
}
TCP_REASS_UNLOCK(tp);