From: Andre Oppermann <andre@freebsd.org>
To: Kris Kennaway
Cc: current@FreeBSD.org
Date: Fri, 04 Nov 2005 11:48:51 +0100
Subject: Re: panic: mb_dtor_pack: ref_cnt != 1
Message-ID: <436B3C93.4000905@freebsd.org>
In-Reply-To: <20051104092724.GA33945@xor.obsecurity.org>
List-Id: Discussions about the use of FreeBSD-current

Kris Kennaway wrote:
> I got this panic shortly after boot on a freshly-updated amd64
> machine:
>
> FreeBSD/amd64 (fbsd-amd64.isc.org) (ttyd0)
>
> login: panic: mb_dtor_pack: ref_cnt != 1
> cpuid = 3
> KDB: enter: panic
> [thread pid 1021 tid 100131 ]
> Stopped at      kdb_enter+0x31: leave
> db> wh
> Tracing pid 1021 tid 100131 td 0xffffff0323816a40
> kdb_enter() at kdb_enter+0x31
> panic() at panic+0x1e6
> mb_dtor_pack() at mb_dtor_pack+0x103
> uma_zfree_arg() at uma_zfree_arg+0x34
> mb_free_ext() at mb_free_ext+0xe9
> soreceive() at soreceive+0xafb
> soo_read() at soo_read+0x5e
> dofileread() at dofileread+0x9e
> kern_readv() at kern_readv+0x4f
> read() at read+0x4b
> syscall() at syscall+0x350
> Xfast_syscall() at Xfast_syscall+0xa8
> --- syscall (3, FreeBSD ELF64, read), rip = 0x800b7e23c, rsp = 0x7fffffffe1a8, rbp = 0x400 ---

There is some modify-after-free going on with that mbuf cluster. The mandatory mbuf cluster refcounting is bringing it to light. Something is smelly in the socket buffer code and we have to find out what exactly goes wrong.

-- 
Andre
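The mechanism Andre describes, a destructor that checks the cluster reference count when a packet is returned to its zone and so exposes a modify-after-free that happened earlier, as an added illustration that is not from this thread and not FreeBSD's code. The model below is deliberately simplified: `struct packet`, `struct cluster`, `mb_ctor_pack_model`, `mb_dtor_pack_model`, the scenario functions and the `DTOR_*` result codes are all hypothetical names, the zone is a fixed static array, and the destructor returns a result code where the real kernel calls panic(). It assumes nothing about the actual socket buffer bug the mail is about.

```c
#include <stdio.h>
#include <stdint.h>

/* Simplified, hypothetical model of a cached "packet" zone: an mbuf header
 * with a permanently attached cluster. Invariant: when a packet goes back
 * to the zone, its cluster must have exactly one reference (the packet's
 * own). This is a teaching model, not FreeBSD's mbuf/UMA implementation. */

#define ZONE_SIZE    4
#define CLUSTER_SIZE 64

struct cluster {
    uint32_t ref_cnt;                 /* shared by every mbuf using this cluster */
    unsigned char data[CLUSTER_SIZE];
};

struct packet {
    struct cluster *cl;
    int in_use;
};

enum dtor_result { DTOR_OK = 0, DTOR_REFCNT_CORRUPT = 1, DTOR_DOUBLE_FREE = 2 };

static struct cluster clusters[ZONE_SIZE];
static struct packet  zone[ZONE_SIZE];

/* Constructor: a freshly allocated packet owns its cluster exclusively. */
static void mb_ctor_pack_model(struct packet *p)
{
    p->cl->ref_cnt = 1;
    p->in_use = 1;
}

/* Destructor check. Any ref_cnt other than 1 here means some code dropped or
 * added a reference it did not own, e.g. through a stale pointer. The real
 * destructor panics; this model reports so the caller can inspect it. */
static enum dtor_result mb_dtor_pack_model(struct packet *p)
{
    if (!p->in_use)
        return DTOR_DOUBLE_FREE;
    p->in_use = 0;
    if (p->cl->ref_cnt != 1)
        return DTOR_REFCNT_CORRUPT;
    return DTOR_OK;
}

static struct packet *pack_alloc(void)
{
    for (int i = 0; i < ZONE_SIZE; i++) {
        if (!zone[i].in_use) {
            zone[i].cl = &clusters[i];
            mb_ctor_pack_model(&zone[i]);
            return &zone[i];
        }
    }
    return NULL;
}

static enum dtor_result pack_free(struct packet *p)
{
    return mb_dtor_pack_model(p);
}

/* A second mbuf sharing the cluster takes a reference; releasing it drops one. */
static void cluster_ref(struct cluster *cl)   { cl->ref_cnt++; }
static void cluster_unref(struct cluster *cl) { cl->ref_cnt--; }

/* Scenario 1: balanced sharing. The destructor sees ref_cnt == 1. */
enum dtor_result scenario_balanced(void)
{
    struct packet *p = pack_alloc();
    cluster_ref(p->cl);      /* a copy shares the cluster */
    cluster_unref(p->cl);    /* the copy is released */
    return pack_free(p);
}

/* Scenario 2: modify-after-free. The sharer releases its reference, then a
 * dangling pointer drops it a second time. Nothing notices at that moment;
 * the corruption is only detected when the packet is returned to the zone. */
enum dtor_result scenario_stale_drop(void)
{
    struct packet *p = pack_alloc();
    struct cluster *dangling = p->cl;   /* kept past the release below */
    cluster_ref(p->cl);
    cluster_unref(p->cl);
    cluster_unref(dangling);            /* the bug: a reference nobody owns is dropped */
    return pack_free(p);                /* destructor check fires here, not at the bug */
}

int main(void)
{
    printf("balanced:   %d (0 = ok)\n", scenario_balanced());
    printf("stale drop: %d (1 = ref_cnt != 1)\n", scenario_stale_drop());
    return 0;
}
```

The point the model makes is the one visible in the backtrace: the check fires in the free path (here `pack_free`, in the report `mb_free_ext` -> `uma_zfree_arg` -> `mb_dtor_pack`), so the panic locates the last legitimate owner of the cluster, not the code that corrupted the count. Finding the culprit means looking at whoever touched the cluster between the previous free and this one, which is why the reply points at the socket buffer code rather than at `soreceive` itself.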