Opened 3 years ago
Last modified 2 months ago
#17058 new bug
[tcp] crashes in EndpointManager::Unbind on power off
| Reported by: | dasebek | Owned by: | axeld |
|---|---|---|---|
| Priority: | normal | Milestone: | Unscheduled |
| Component: | Network & Internet/TCP | Version: | R1/Development |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: | ||
| Platform: | All |
Description
Occasionally, I get an sshd-related kernel panic during the system shutdown. The panic message says "PANIC: bound endpoint 0x... not in hash!" This happens when I repeatedly connect to Haiku over SSH in order to transfer files (scp, rsync), and, after all SSH connections are closed, I power off the system.
I was using an official nightly build of hrev55184 (x86_64). A screenshot is attached.
Attachments (5)
Change History (23)
by , 3 years ago
| Attachment: | ssh_crash.png added |
|---|
comment:1 by , 3 years ago
| Component: | System → Network & Internet/Stack |
|---|---|
| Owner: | changed from to |
| Summary: | [sshd] kernel panic on system power off → [tcp] crashes in EndpointManager::Unbind on power off |
comment:2 by , 9 months ago
| Component: | Network & Internet/Stack → Network & Internet/TCP |
|---|
comment:3 by , 9 months ago
Reproduced for me once with a very similar stack trace (see screenshot) on Haiku R1 beta 4 hrev56578+95 in VirtualBox 7.0.12. Two SSH connections were open when I initiated a shutdown from the console via ACPI power.
comment:4 by , 9 months ago
Reproduced randomly once on hrev57609 after I closed all SSH connections and about a minute later attempted an ACPI power shutdown, which usually works fine. Attaching screenshot...
comment:5 by , 9 months ago
I found a potential problem that could lead to this and fixed it in hrev57616.
comment:6 by , 4 months ago
The crash on shutdown has just reproduced again when I did the following:
- Boot today's revision of Haiku (I think it is hrev57881).
- Open an SSH connection into the VM.
- In the SSH connection run "pkgman update", let it update some packages and exit.
- Close the SSH connection normally via Ctrl-D at the Linux client.
- Initiate an ACPI shutdown via Host-H in VirtualBox.
- Observe a KDL prompt (attached).
comment:7 by , 4 months ago
kdebug> tcp_endpoints tcp_endpoints -------- TCP Domain 0xffffffff890dc298 --------- address local peer recv-q send-q state 0xffffffff80c6e400 0.0.0.0:22 0.0.0.0:0 0 0 closed 0xffffffff80c68100 192.168.0.27:40053 206.189.242.242:443 24 24 time-wait 0xffffffff80c67e00 192.168.0.27:40002 206.189.242.242:443 24 24 time-wait -------- TCP Domain 0xffffffff88eec5b0 --------- address local peer recv-q send-q state kdebug> tcp_endpoints 0xffffffff80c6cf00 tcp_endpoints 0xffffffff80c6cf00 -------- TCP Domain 0xffffffff890dc298 --------- address local peer recv-q send-q state 0xffffffff80c6e400 0.0.0.0:22 0.0.0.0:0 0 0 closed 0xffffffff80c68100 192.168.0.27:40053 206.189.242.242:443 24 24 time-wait 0xffffffff80c67e00 192.168.0.27:40002 206.189.242.242:443 24 24 time-wait -------- TCP Domain 0xffffffff88eec5b0 --------- address local peer recv-q send-q state
comment:8 by , 4 months ago
kdebug> tcp_endpoint 0xffffffff80c6cf00
tcp_endpoint 0xffffffff80c6cf00
TCP endpoint 0xffffffff80c6cf00
state: syn-received
flags: 0x83
lock: { 0xffffffff80c6cf38, holder: 325 }
accept sem: -858993460
options: 0x0
send
window shift: 0
unacknowledged: 0
next: 0
max: 0
urgent offset: 0
window: 0
max window: 0
max segment size: 536
queue: 0 / 65535
last acknowledge sent: 3435973836
initial sequence: 0
receive
window shift: 0
next: 0
max advertised: 0
window: 65535
max segment size: 536
queue: 0 / 65535
initial sequence: 3435973836
duplicate acknowledge count: 0
smoothed round trip time: 0 (deviation 0)
retransmit timeout: 2000000
congestion window: 0
slow start threshold: 0
comment:9 by , 4 months ago
kdebug> dl 0xffffffff80c6cf00+24 dl 0xffffffff80c6cf00+24 [0xffffffff80c6cf18] .6.......^...... ffffffff88ca3610 ffffffff82145e80
comment:10 by , 4 months ago
kdebug> db 0xffffffff80c6cf18+32 db 0xffffffff80c6cf18+32 [0xffffffff80c6cf38] HC.............. 48 43 ac 81 ff ff ff ff 00 00 00 00 00 00 00 00
comment:11 by , 4 months ago
kdebug> socket 0xffffffff80c6cf18 socket 0xffffffff80c6cf18 SOCKET 0xffffffff80c6cf18 family.type.protocol: -2119417016.-1.0 [*** READ FAULT at 0xccccccd8, pc: 0xffffffff80172f1b ***]
comment:12 by , 4 months ago
kdebug> dl 0xffffffff80c6cf00+16 dl 0xffffffff80c6cf00+16 [0xffffffff80c6cf10] .6.......6...... ffffffff88ca3610 ffffffff88ca3610
comment:13 by , 4 months ago
From this and other information in the KDL session it just looks like the socket has been freed already, and so we are using a freed socket with an invalid address.
I will add some more assertions to try and catch this.
comment:14 by , 3 months ago
dovsienko reported the build with the extra asserts didn't seem to trigger anything. It's possible my changes to TCP (especially the one to keepalive timers) somehow fixed this.
Anyway, here's the patch with extra asserts I had created for testing:
diff --git a/src/add-ons/kernel/network/stack/net_socket.cpp b/src/add-ons/kernel/network/stack/net_socket.cpp
index f6d588f509..c0d06ef71c 100644
--- a/src/add-ons/kernel/network/stack/net_socket.cpp
+++ b/src/add-ons/kernel/network/stack/net_socket.cpp
@@ -36,6 +36,8 @@
#include "ancillary_data.h"
#include "utility.h"
+#include "../../../../system/kernel/slab/slab_debug.h"
+
//#define TRACE_SOCKET
#ifdef TRACE_SOCKET
@@ -54,6 +56,8 @@ struct net_socket_private : net_socket,
net_socket_private();
~net_socket_private();
+ static void operator delete(void* mem) { fill_freed_block(mem, sizeof(net_socket_private)); }
+
void RemoveFromParent();
BWeakReference<net_socket_private> parent;
@@ -128,9 +132,11 @@ net_socket_private::~net_socket_private()
// also delete all children of this socket
while (net_socket_private* child = pending_children.RemoveHead()) {
+ ASSERT(child->parent == this);
child->RemoveFromParent();
}
while (net_socket_private* child = connected_children.RemoveHead()) {
+ ASSERT(child->parent == this);
child->RemoveFromParent();
}
diff --git a/src/add-ons/kernel/network/stack/stack.cpp b/src/add-ons/kernel/network/stack/stack.cpp
index 1efd538432..82391f561d 100644
--- a/src/add-ons/kernel/network/stack/stack.cpp
+++ b/src/add-ons/kernel/network/stack/stack.cpp
@@ -418,6 +418,10 @@ uninit_domain_protocols(net_socket* socket)
net_protocol* protocol = socket->first_protocol;
while (protocol != NULL) {
net_protocol* next = protocol->next;
+
+ ASSERT_PRINT(protocol->socket == socket,
+ "protocol: %p, socket: %p, protocol->socket: %p",
+ protocol, socket, protocol->socket);
protocol->module->uninit_protocol(protocol);
protocol = next;
comment:15 by , 2 months ago
The problem has just reproduced on the latest nightly build. The steps that lead to it were as follows:
- Keep the VM running for some time (possibly open and close some SSH connections, but cannot remember).
- Run a terminal in the Haiku desktop.
- Open 3 or 4 SSH sessions from a Linux client.
- Do some unrelated debugging.
- Close the Haiku desktop terminal.
- Close all SSH sessions normally (Ctrl-D from the Linux end).
- In the last remaining SSH session run "shutdown".
- The shutdown proceeds as usual, then nearly at the moment of the power off the KDL prompt appears (attached just before).
comment:16 by , 2 months ago
kdebug> tcp_endpoint 0xffffffff80c6de00
tcp_endpoint 0xffffffff80c6de00
TCP endpoint 0xffffffff80c6de00
socket: 0xffffffff87712b70
state: closed
flags: 0x0
lock: { 0xffffffff80c6de38, holder: -1 }
accept sem: -2017802768
options: 0xff
send
window shift: 255
unacknowledged: 2272722560
next: 4294967295
max: 0
urgent offset: 0
window: 0
max window: 0
max segment size: 0
queue: 18446744071690971168 / 18446744071691678296
last acknowledge sent: 2276219624
initial sequence: 4294967295
receive
window shift: 255
next: 0
max advertised: 0
window: 0
max segment size: 0
queue: 0 / 18446744071691673088
initial sequence: 0
duplicate acknowledge count: 0
smoothed round trip time: 0 (deviation -2022282456)
retransmit timeout: 0
congestion window: 4294967295
slow start threshold: 0
kdebug>
kdebug> socket 0xffffffff87712b70
socket 0xffffffff87712b70
SOCKET 0xffffffff87712b70
family.type.protocol: 0.0.0
[*** READ FAULT at 0x20000000c, pc: 0xffffffff80175aed ***]
kdebug>
comment:17 by , 2 months ago
kdebug> slab_object 0xffffffff80c6de00 0xffffffff80c6de00 does not seem to be in an object_cache
The socket address was in an object cache, but a packagefs one. It seems the memory was freed and reused.
Note:
See TracTickets
for help on using tickets.
Panic screenshot