Hit this panic on a fresh new FreeBSD 15-current VM. I will upload the compressed crash folder containing the core file stuff once this PR is created.

panic: Assertion !callout_active(&tp->t_callout) failed at /usr/src/sys/netinet/tcp_subr.c:2386
cpuid = 2
time = 1707765690
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe007eb17a80
vpanic() at vpanic+0x135/frame 0xfffffe007eb17bb0
panic() at panic+0x43/frame 0xfffffe007eb17c10
tcp_discardcb() at tcp_discardcb+0x251/frame 0xfffffe007eb17c60
tcp_usr_detach() at tcp_usr_detach+0x51/frame 0xfffffe007eb17c80
sorele_locked() at sorele_locked+0xd1/frame 0xfffffe007eb17cb0
soclose() at soclose+0x17d/frame 0xfffffe007eb17d10
_fdrop() at _fdrop+0x1b/frame 0xfffffe007eb17d30
closef() at closef+0x1e3/frame 0xfffffe007eb17dc0
closefp_impl() at closefp_impl+0x76/frame 0xfffffe007eb17e00
amd64_syscall() at amd64_syscall+0x153/frame 0xfffffe007eb17f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe007eb17f30
--- syscall (6, FreeBSD ELF64, close), rip = 0x15306863c54a, rsp = 0x153063a18438, rbp = 0x153063a18450 ---
KDB: enter: panic
[ thread pid 5327 tid 100209 ]
Stopped at kdb_enter+0x33: movq $0,0xe39ce2(%rip)
db> dump
Dumping 391 out of 6111 MB:..5%..13%..21%..33%..41%..54%..62%..74%..82%..95%
Dump complete
db>

root@n2fbsd:~ # uname -a
FreeBSD n2fbsd 15.0-CURRENT FreeBSD 15.0-CURRENT #3 main-n268194-114ab149e23e: Mon Feb 12 13:02:35 EST 2024 root@n2fbsd:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64

root@n2fbsd:/var/crash # ll
total 302800
-rw-r--r-- 1 root wheel 2B Feb 12 14:29 bounds
-rw-r--r-- 1 root wheel 5B Jan 18 00:24 minfree
lrwxr-xr-x 1 root wheel 6B Feb 12 14:29 info.last -> info.0
lrwxr-xr-x 1 root wheel 8B Feb 12 14:29 vmcore.last -> vmcore.0
-rw-r--r-- 1 root wheel 84B Feb 12 14:29 core.txt.0
-rw------- 1 root wheel 552B Feb 12 14:29 info.0
-rw------- 1 root wheel 391M Feb 12 14:29 vmcore.0

Looks like this assert line is added in D43792.

Hi Richard, you may take a look.

The way I hit it is simply on restarting the wireless interface I use for testing. The test script is as follows.

root@n2fbsd:~ # cat test.tcsh
#!/bin/tcsh -f

set i = 0
while ($i < 10)
    @ i = $i + 1
    echo "($i)"
    service netif restart && sleep 1
    scp /tmp/data.txt root@n1iwlvm:/tmp/
end

The uploaded crash folder containing the core file stuff is (in freefall.freebsd.org) here:

freefall% readlink -f crash.tgz
/home/cc/PRs/PR277009/crash.tgz

*** This bug has been marked as a duplicate of bug 276761 ***

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=57e27ff07aff35289892f79288bebf76a3c31fec

commit 57e27ff07aff35289892f79288bebf76a3c31fec
Author:     Richard Scheffenegger <rscheff@FreeBSD.org>
AuthorDate: 2024-02-12 20:43:18 +0000
Commit:     Richard Scheffenegger <rscheff@FreeBSD.org>
CommitDate: 2024-02-12 21:38:11 +0000

    tcp: partially undo D43792

    At the destruction of the tcpcb, no timers are supposed to be running.
    However, it turns out that stopping them in the close() / shutdown()
    call does not have the desired effect under all circumstances.

    This partially reverts 62d47d73b7eb to reduce the nuisance caused.

    PR: 277009
    Reported-by: syzbot+9a9aa434a14a2b35c3ba@syzkaller.appspotmail.com
    Reported-by: syzbot+e82856782410e895bae7@syzkaller.appspotmail.com
    Reviewed By: glebius, tuexen, #transport
    Sponsored by: NetApp, Inc.
    Differential Revision: https://reviews.freebsd.org/D43855

 sys/netinet/tcp_subr.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)