-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,
Two days ago I had the fourth kernel panic - again in tcp_input, at the same
statement. It looks like the running 5.5 kernel
no longer survives more than a couple of days. This time I have a full kernel
dump. However, it looks a bit weird to
me. So here are the details:

tcp_input patched:
 643         }
 644     }
 645 // XXX PH: add panic instead of KASSERT
 646 //  KASSERT(sotoinpcb(inp->inp_socket) == inp);
 647 //  KASSERT(intotcpcb(inp)->t_inpcb == inp);
 648
 649     if (sotoinpcb(inp->inp_socket) != inp) {
 650         panic("%s:%d: %p != %p", __func__, __LINE__, inp->inp_socket, inp);
 651     }
 652     if (intotcpcb(inp)->t_inpcb != inp) {
 653         panic("%s:%d: %p != %p", __func__, __LINE__, 
intotcpcb(inp)->t_inpcb, inp);
 654     }
 655     /* Check the minimum TTL for socket. */

May 30 07:11:29 savecore: reboot after panic: tcp_input:650: 0xfffffe852c102790 
!= 0xfffffe851758a050

struct      inpcb => 0xfffffe851758a050
inpcb->inp_socket => 0xfffffe852c102790

in gdb:
(gdb) bt
#0  0xffffffff8131a954 in dumpsys () at 
../../../../arch/amd64/amd64/machdep.c:993
#1  0xffffffff8131aaa7 in boot (howto=256) at 
../../../../arch/amd64/amd64/machdep.c:787
#2  0xffffffff811a7af6 in panic (fmt=0xffffffff817df223 "%s:%d: %p != %p") at 
../../../../kern/subr_prf.c:220
#3  0xffffffff812530ce in tcp_input (m=0xfffffe80a6686100) at 
../../../../netinet/tcp_input.c:650
#4  0xffffffff812475e1 in ip_ours (m=0xfffffe80a6686100) at 
../../../../netinet/ip_input.c:641
#5  0xffffffff81247a67 in ipv4_input (m=0xfffffe80a6686100) at 
../../../../netinet/ip_input.c:411
#6  0xffffffff81247bff in ipintr () at ../../../../netinet/ip_input.c:214
#7  0xffffffff81203375 in netintr (unused=Variable "unused" is not available.
) at ../../../../net/netisr.c:49
#8  0xffffffff81324fdd in softintr_dispatch (which=Variable "which" is not 
available.
) at ../../../../arch/amd64/amd64/softintr.c:96
#9  0xffffffff8133decd in Xsoftnet ()
#10 0xffffffff81daf280 in cpuset_infos ()
#11 0x0000000000000001 in ?? ()
#12 0xffff800000130300 in ?? ()
#13 0x0000000000000000 in ?? ()

==> print inpcb at 0xfffffe851758a050
(gdb) p {struct inpcb} 0xfffffe851758a050
$3 = {inp_hash = {le_next = 0xfffffe852c0ae8b0, le_prev = 0xffff8000005ac790}, 
inp_lhash = {le_next = 0xfffffe852c0aece8,
    le_prev = 0xfffffe852c699450}, inp_queue = {tqe_next = 0xfffffe84eb5cc490, 
tqe_prev = 0xfffffe852c699460},
  inp_table = 0xffffffff81dd3380, inp_faddru = {iau_addr6 = {__u6_addr = 
{__u6_addr8 = '\0' <repeats 12 times>, "Õ¼
Õ", __u6_addr16 = {0,
          0, 0, 0, 0, 0, 48341, 54560}, __u6_addr32 = {0, 0, 0, 3575692501}}}, 
iau_a4u = {pad = '\0' <repeats 11
times>, inaddr = {
        s_addr = 3575692501}}}, inp_laddru = {iau_addr6 = {__u6_addr = 
{__u6_addr8 = '\0' <repeats 12 times>, "Õ¼ -",
__u6_addr16 = {0,
          0, 0, 0, 0, 0, 48341, 11552}, __u6_addr32 = {0, 0, 0, 757120213}}}, 
iau_a4u = {pad = '\0' <repeats 11
times>, inaddr = {
        s_addr = 757120213}}}, inp_fport = 52715, inp_lport = 20480, inp_socket 
= 0xfffffe852c102790, inp_ppcb =
0xfffffe852b69c6a8 "",
  inp_ru = {ru_route = {ro_rt = 0xfffffe84f4ac4190, ro_tableid = 0, ro_dst = 
{sa_len = 16 '\020', sa_family = 2 '\002',
        sa_data = "\000\000Õ¼ Õ\000\000\000\000\000\000\000"}}, ru_route6 = 
{ro_rt = 0xfffffe84f4ac4190, ro_tableid =
0, ro_dst = {
        sin6_len = 16 '\020', sin6_family = 2 '\002', sin6_port = 0, 
sin6_flowinfo = 3575692501, sin6_addr =
{__u6_addr = {
            __u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 
0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}},
        sin6_scope_id = 0}}}, inp_flags = 0, inp_hu = {hu_ip = {ip_hl = 0, ip_v 
= 0, ip_tos = 0 '\0', ip_len = 0,
ip_id = 0, ip_off = 0,
      ip_ttl = 64 '@', ip_p = 0 '\0', ip_sum = 0, ip_src = {s_addr = 0}, ip_dst 
= {s_addr = 0}}, hu_ipv6 = {ip6_ctlun
= {ip6_un1 = {
          ip6_un1_flow = 0, ip6_un1_plen = 0, ip6_un1_nxt = 0 '\0', 
ip6_un1_hlim = 0 '\0'}, ip6_un2_vfc = 0 '\0'},
ip6_src = {
        __u6_addr = {__u6_addr8 = "@", '\0' <repeats 14 times>, __u6_addr16 = 
{64, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 =
{64, 0, 0, 0}}},
      ip6_dst = {__u6_addr = {__u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 
= {0, 0, 0, 0, 0, 0, 0, 0},
__u6_addr32 = {0, 0, 0,
            0}}}}}, inp_options = 0x0, inp_outputopts6 = 0x0, inp_hops = -1, 
inp_mou = {mou_mo = 0x0, mou_mo6 = 0x0},
  inp_seclevel = "\001\001\001\001", inp_secrequire = 0, inp_secresult = 0, 
inp_ip_minttl = 0 '\0', inp_tdb_in_next =
{tqe_next = 0x0,
    tqe_prev = 0x0}, inp_tdb_out_next = {tqe_next = 0x0, tqe_prev = 0x0}, 
inp_tdb_in = 0x0, inp_tdb_out = 0x0, inp_ipo
= 0x0,
  inp_ipsec_remotecred = 0x0, inp_ipsec_remoteauth = 0x0, inp_cksum6 = -1, 
inp_icmp6filt = 0x0, inp_pf_sk =
0xfffffe852c092c48,
  inp_rtableid = 0, inp_pipex = 0, inp_divertfl = 0}


so inp_socket is at 0xfffffe852c102790

==> print inpcb->inp_socket at 0xfffffe852c102790
(gdb)  p {struct socket} 0xfffffe852c102790
$4 = {so_type = 1, so_options = 4, so_linger = 0, so_state = 387, so_pcb = 
0xfffffe851758a050, so_proto =
0xffffffff81a54790,
  so_head = 0xfffffe852c752780, so_onq = 0xfffffe852c7527b8, so_q0 = {tqh_first 
= 0x0, tqh_last = 0x0}, so_q =
{tqh_first = 0x0,
    tqh_last = 0x0}, so_qe = {tqe_next = 0xfffffe84f677e6a8, tqe_prev = 
0xfffffe852c7527b8}, so_q0len = 0, so_qlen =
0, so_qlimit = 0,
  so_timeo = 0, so_error = 0, so_pgid = 0, so_siguid = 0, so_sigeuid = 0, 
so_oobmark = 0, so_splice = 0x0,
so_spliceback = 0x0,
  so_splicelen = 0, so_splicemax = 0, so_idletv = {tv_sec = 0, tv_usec = 0}, 
so_idleto = {to_list = {next = 0x0, prev
= 0x0},
    to_func = 0, to_arg = 0x0, to_time = 0, to_flags = 0}, so_rcv = {sb_cc = 
205, sb_datacc = 205, sb_hiwat = 17520,
sb_wat = 16384,
    sb_mbcnt = 2304, sb_mbmax = 35040, sb_lowat = 1, sb_mb = 
0xfffffe80ac88b200, sb_mbtail = 0xfffffe80ac88b200,
    sb_lastrecord = 0xfffffe80ac88b200, sb_sel = {si_selpid = 0, si_note = 
{slh_first = 0x0}, si_flags = 0},
sb_flagsintr = 0,
    sb_flags = 0, sb_timeo = 0}, so_snd = {sb_cc = 0, sb_datacc = 0, sb_hiwat = 
17520, sb_wat = 16384, sb_mbcnt = 0,
sb_mbmax = 35040,
    sb_lowat = 2048, sb_mb = 0x0, sb_mbtail = 0x0, sb_lastrecord = 0x0, sb_sel 
= {si_selpid = 0, si_note = {slh_first
= 0x0},
      si_flags = 0}, sb_flagsintr = 0, sb_flags = 0, sb_timeo = 0}, so_upcall = 
0, so_upcallarg = 0x0, so_euid = 0,
so_ruid = 0,
  so_egid = 0, so_rgid = 0, so_cpid = 5271}


Here I see so_pcb at 0xfffffe851758a050, which is exactly what was expected:
struct inpcb => 0xfffffe851758a050

So to my understanding sotoinpcb(inp->inp_socket) == inp, and therefore the
panic should not have happened - theoretically!
Obviously at the time of the check the two were not identical, but in the
dump they are. (Note that the panic message prints inp->inp_socket and inp,
not the value of sotoinpcb(inp->inp_socket) that failed the comparison, so it
does not record what so_pcb held at check time.)

Based on this I decided to remove the panics and replace them with
logs, so that I can see when it happens
again.
The KASSERTs were introduced in 5.5.

However, any help is appreciated. If someone needs any further information from
the core, let me know; I'd happily
provide it.


Regards

        - Peter
Comment: GPGTools - http://gpgtools.org

iD8DBQFTi2Q+ZFR7Ae3oDfYRArunAJ9g2RS5j4CxOUHrzaSUBPC5cKE22wCgj6nK
O0PBYaP0j9pMqlfM5L5dh9U=
=2mcR
-----END PGP SIGNATURE-----
