Re: Panic in the udp_input() under heavy load

From: Bjoern A. Zeeb <bz_at_FreeBSD.ORG>
Date: Mon, 7 Nov 2011 18:24:14 +0000 (UTC)
On Mon, 7 Nov 2011, Maxim Sobolev wrote:

> Hi Gang,
>
> We are seeing repeatable panics under high PPS load on our production 
> systems. It happens when the traffic gets into the range or 200MBps and 
> 150-200K PPS. We have been managed to track it down to the following piece of 
> code:
>
> (gdb) l *udp_input+0x5d2
> 0xffffffff806f6202 is in udp_input (/usr/src/sys/netinet/udp_usrreq.c:628).
> 623             if (inp->inp_ip_minttl && inp->inp_ip_minttl > ip->ip_ttl) {
> 624                     INP_RUNLOCK(inp);
> 625                     goto badunlocked;
> 626             }
> 627             up = intoudpcb(inp);
> 628             if (up->u_tun_func == NULL) {
> 629                     udp_append(inp, ip, m, iphlen + sizeof(struct 
> udphdr), &udp_in);
> 630             } else {
> 631                     /*
> 632                      * Engage the tunneling protocol.
>
> The faulty line appears to be 628, with up value is being NULL, attempt to 
> deference it causes NULL pointer exception. I believe this particular piece 
> of code has been introduced here:

Unlikely; the inp is properly locked there and the udp info attach
better still be valid there; your problem is most likely elsewhere;
try to see if you have other threads and see what they do at the same
time, etc.  You would need to race with udp_detach();  you also want
to make sure that the inp still looks sane from either ddb or a dump
and we are not talking about random memory corruption here.

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
          Stop bit received. Insert coin for new address family.
Received on Mon Nov 07 2011 - 17:42:07 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:20 UTC