Subject: Re: kern/22002: panic: double tcp_freeq() may happen - TAILQ_*
To: None <enami@but-b.or.jp>
From: Havard Eidnes <he@netbsd.org>
List: netbsd-bugs
Date: 07/13/2003 10:52:23

> > > >Fix:
> > > Explicitly mark queues as empty when they have been released
> > > in tcp_freeq()?
>
> Mark inp_ppcb NULL a bit earlier so that tcp_drain won't pick up this?

I've put the moral equivalent of this fix in place on a couple of
systems, apparently without ill effect. However, with the time it
took to provoke this, I expect it'll take a while to "prove" that it's
actually fixing it.

Index: tcp_subr.c
===================================================================
RCS file: /cvsroot/src/sys/netinet/tcp_subr.c,v
retrieving revision 1.140
diff -u -r1.140 tcp_subr.c
--- tcp_subr.c 2003/06/23 11:02:15 1.140
+++ tcp_subr.c 2003/07/13 07:23:25
@@ -1139,7 +1139,6 @@
m_free(tp->t_template);
tp->t_template = NULL;
}
- pool_put(&tcpcb_pool, tp);
if (inp) {
inp->inp_ppcb = 0;
soisdisconnected(so);
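Review bot: inp->inp_ppcb = 0 stays where it was, after the m_free(tp->t_template) teardown shown above it, so this hunk only delays the free and does not clear the back pointer any earlier, which is what the quoted suggestion asked for. If tcp_drain can reach the tcpcb through inp_ppcb while the teardown ahead of this point is running, that window is unchanged; consider clearing inp_ppcb before that teardown, or say in the commit message why deferring pool_put is sufficient. Writing NULL rather than 0 here would also match tp->t_template = NULL just above.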
@@ -1152,6 +1151,7 @@
in6_pcbdetach(in6p);
}
#endif
+ pool_put(&tcpcb_pool, tp);
tcpstat.tcps_closed++;
return ((struct tcpcb *)0);
}
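Review bot: the pool_put(&tcpcb_pool, tp) added after #endif has no comment saying why the free must come after soisdisconnected(so) and in6_pcbdetach(in6p), so a later cleanup could move it back up and reopen the bug. Add a short comment above it stating that tp is returned to the pool only once the pcb no longer points at it. Placing it outside the #endif is right, since that keeps the free unconditional, and neither tcpstat.tcps_closed++ nor the return touches tp afterwards.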