Re: [PANIC]: rw_lock panic in in_pcballoc() in r185864

From: Robert Watson <rwatson_at_FreeBSD.org>
Date: Wed, 10 Dec 2008 19:23:49 +0000 (GMT)
On Wed, 10 Dec 2008, Roman Divacky wrote:

> #9  0xc06bd28b in calltrap () at ../../../i386/i386/exception.s:165
> #10 0xc0528cc9 in _rw_wlock_hard (rw=0xc45a00a4, tid=3293569600, file=0x0,
>    line=0) at ../../../kern/kern_rwlock.c:616
> #11 0xc05eae42 in in_pcballoc (so=0xc459e000, pcbinfo=0xc0794b40)
>    at ../../../netinet/in_pcb.c:238
> #12 0xc060b403 in udp_attach (so=0xc459e000, proto=0, td=0xc44fe240)
>    at ../../../netinet/udp_usrreq.c:1131
> #13 0xc0586df5 in socreate (dom=2, aso=0xc3e77c6c, type=2, proto=0,
> #14 0xc058d974 in socket (td=0xc44fe240, uap=0xc3e77cf8)
> ---Type <return> to continue, or q <return> to quit---Dec 10 17:29:23 witten log
> in: ROOT LOGIN (root) ON ttyv1
>
>    at ../../../kern/uipc_syscalls.c:178
> #15 0xc06d8010 in syscall (frame=0xc3e77d38) at ../../../i386/i386/trap.c:1076
> #16 0xc06bd320 in Xint0x80_syscall () at ../../../i386/i386/exception.s:261
> #17 0x00000033 in ?? ()
> Previous frame inner to this frame (corrupt stack?)
>
> (kgdb) p *pcbinfo
> $2 = {ipi_listhead = 0xc0794b24, ipi_count = 1, ipi_hashbase = 0xc42fe000,
>  ipi_hashmask = 127, ipi_porthashbase = 0xc42fce00, ipi_porthashmask = 127,
>  ipi_lastport = 0, ipi_lastlow = 0, ipi_lasthi = 0, ipi_zone = 0xc1471360,
>  ipi_gencnt = 0, ipi_lock = {lock_object = {lo_name = 0xc0713b87 "udp",
>      lo_flags = 69926928, lo_data = 0, lo_witness = 0x0},
>    rw_lock = 3293569600}, ipi_pspare = {
> (kgdb) p *pcbinfo->ipi_zone
> $4 = {uz_name = 0xc0716712 "udpcb", uz_lock = 0xc147ed88,
>  uz_keg = 0xc147ed80, uz_link = {le_next = 0x0, le_prev = 0xc147eda8},
>  uz_full_bucket = {lh_first = 0x0}, uz_free_bucket = {lh_first = 0x0},
>  uz_ctor = 0, uz_dtor = 0, uz_init = 0, uz_fini = 0, uz_allocs = 0,
>  uz_frees = 0, uz_fails = 0, uz_fills = 0, uz_count = 23, uz_cpu = {{
>      uc_freebucket = 0x0, uc_allocbucket = 0x0, uc_allocs = 0,
>      uc_frees = 0}}}
>
> the code tries to rw_rwlock() the inp->inp_lock, the inp is allocated from 
> an UMA zone which has no constructor and in the in_pcballoc() the rwlock is 
> never initialized. I believe that's why it crashes
>
> can someone confirm/fix that?

Hmm.  I disagree with the diagnosis, although clearly there's a problem here 
of some sort since panicking is, well, bad.  Each protocol using the inpcb 
framework provides its own UMA zone and is responsible for initializing the 
lock on the inpcb when memory is first pulled into the cache.  For UDP, that 
occurs in udp_inpcb_init(), the init function passed into uma_zcreate() in 
udp_init().  Notice that when in_pcballoc() zeroes the inpcb, it stops at 
inp_zero_size, which is before inp_lock, and since the inpcb zone for UDP is 
set to be a no-free zone, there's no INP lock destroy.

So, given that this code has worked for quite a long time for many people, 
this really raises two questions: (1) how reproduceable is this and at what 
point does it kick in during the boot/runtime, and (2) when did this start 
happening in terms of updating your source?

Robert N M Watson
Computer Laboratory
University of Cambridge
Received on Wed Dec 10 2008 - 18:23:49 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:38 UTC