Date:      Tue, 17 Apr 2001 14:53:09 -0700 (PDT)
From:      Matt Dillon <dillon@earth.backplane.com>
To:        Terry Lambert <tlambert@primenet.com>
Cc:        current@FreeBSD.ORG
Subject:   Re: BAD BUG: Second try
Message-ID:  <200104172153.f3HLr9s09698@earth.backplane.com>
References:   <200104172037.NAA27919@usr09.primenet.com>

:Oops.
:
:NOTE: I don't follow these lists for weeks at a time, so please
:include me directly in any responses.  Thanks.
:
:Matt Dillon was looking at this, but I haven't heard from him
:for a while on it.
:
:Here is a patch to make it panic, instead of really, really
:trashing memory (ignore the version, I'm using a vendor import
:locally); the patch is to crfree() and should be obvious:

    Sorry, ran out of time on the weekend.  It's still on my TODO list.

						-Matt

:===================================================================
:diff -c -r1.2 kern_prot.c
:*** kern/kern_prot.c	2001/03/21 02:33:03	1.2
:--- kern/kern_prot.c	2001/04/17 02:22:48
:***************
:*** 1001,1006 ****
:--- 1001,1009 ----
:      int s;
:      
:      s = splhigh();
:+ 	if ( cr->cr_ref == 0) {
:+ 		panic("Freeing already free credential!\n");
:+ 	}
:  	if (--cr->cr_ref == 0) {
:  		/*
:  		 * Some callers of crget(), such as nfs_statfs(),
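Review bot: the new `cr_ref == 0` guard only catches a second crfree() while the credential's storage is still intact; once the block has gone back to the allocator (and, on an INVARIANTS kernel, been scribbled over) cr_ref will no longer read 0, so a stale-pointer crfree() on recycled memory still falls through to `--cr->cr_ref` exactly as before. That is fine for a bug-hunting patch, but it should be stated, and since the check is pure debugging aid consider `KASSERT(cr->cr_ref > 0, ("crfree: cr_ref == 0"))` so only INVARIANTS kernels pay for it. Two style(9) nits on the added lines: drop the space after the paren in `if ( cr->cr_ref == 0)`, and drop the trailing `\n` in the panic string, since panic() appends its own newline.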
:===================================================================
:
:
:Unfortunately, there's also a nameidata structure (it's the
:only data structure that's exactly 72 bytes long, which I was
:able to determine by printing sizeof() information for all
:kernel structures, and grepping for "72") getting freed and
:then either continuing to be used, or being used as a result
:of an unchecked allocation failure (I'm still looking for
:that one).
:
:Basically, the second causes invariants to whine about data
:modified on the freelist to my console, while the first one
:results in an eventual panic due to spammed memory (for the
:obvious reason that you can't free the same thing twice).
:
:The problems only become obvious when you open and then close
:around 30,000 TCP connections; sometimes it takes a couple of
:tries before it panics your machine.
:
:I have some programs that demonstrate the bug, if anyone is
:interested in repeating it on their machines locally (you will
:need appropriate open file limits and bump up to 40,000 or so
:net.inet.ip.portrange.last, e.g.:
:
:	sysctl -w net.inet.ip.portrange.last=45000
:
:Which means your box will need about a gig of memory.
:
:
:					Terry Lambert
:					terry@lambert.org
:---
:Any opinions in this posting are my own and not those of my present
:or previous employers.
:


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
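
The two failure modes Terry describes (a second crfree() trashing memory, and
a freed block showing up modified on the freelist) can be reproduced in a
few lines of user-space C. The following is an added example, not FreeBSD
code and not Terry's or Matt's: a model of a reference-counted credential
with a crfree()-style release carrying the same "cr_ref == 0 on entry" guard
as the quoted patch, backed by a tiny fixed pool whose free path can
optionally scribble the block, the way an INVARIANTS kernel poisons freed
memory. It shows when the guard fires and when it cannot. All names (mcred,
mcred_get, mcred_free_patched, mcred_free_checked, double_free_outcome) are
hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not FreeBSD code): a toy ucred with a refcount. */
struct mcred {
    uint32_t cr_ref;
    uint32_t cr_uid;            /* placeholder payload */
};

enum mcred_rc {
    MCRED_ALIVE = 0,            /* reference dropped, object still live */
    MCRED_FREED = 1,            /* last reference dropped, storage released */
    MCRED_DOUBLE_FREE = -1,     /* caught by the cr_ref == 0 guard */
    MCRED_FREED_STORAGE = -2    /* caught by asking the allocator */
};

/* Hypothetical allocator: a fixed pool standing in for malloc(9)/free(9). */
#define NSLOT 4
static struct mcred pool[NSLOT];
static int pool_inuse[NSLOT];
static int poison_on_free;      /* 1: scribble freed blocks like INVARIANTS */

static void pool_reset(int poison) {
    memset(pool, 0, sizeof pool);
    memset(pool_inuse, 0, sizeof pool_inuse);
    poison_on_free = poison;
}

static struct mcred *slot_alloc(void) {
    for (int i = 0; i < NSLOT; i++) {
        if (!pool_inuse[i]) {
            pool_inuse[i] = 1;
            memset(&pool[i], 0, sizeof pool[i]);
            return &pool[i];
        }
    }
    return NULL;
}

static void slot_free(struct mcred *cr) {
    pool_inuse[cr - pool] = 0;
    if (poison_on_free)
        memset(cr, 0xde, sizeof *cr);   /* stale cr_ref no longer reads 0 */
}

static int slot_is_free(const struct mcred *cr) {
    return !pool_inuse[cr - pool];
}

struct mcred *mcred_get(uint32_t uid) {
    struct mcred *cr = slot_alloc();
    if (cr != NULL) {
        cr->cr_ref = 1;
        cr->cr_uid = uid;
    }
    return cr;
}

void mcred_hold(struct mcred *cr) { cr->cr_ref++; }

/* Release with the guard from the quoted patch, then drop and free. */
int mcred_free_patched(struct mcred *cr) {
    if (cr->cr_ref == 0)
        return MCRED_DOUBLE_FREE;       /* the patch panics here */
    if (--cr->cr_ref == 0) {
        slot_free(cr);
        return MCRED_FREED;
    }
    return MCRED_ALIVE;
}

/* Same, but first ask the allocator whether the block is still live. */
int mcred_free_checked(struct mcred *cr) {
    if (slot_is_free(cr))
        return MCRED_FREED_STORAGE;
    return mcred_free_patched(cr);
}

/*
 * Scenario: one extra hold, both references dropped correctly, then a
 * stale pointer releases once more.  Returns the result of that third,
 * erroneous release (99 if the normal path itself misbehaved).
 */
int double_free_outcome(int poison, int use_allocator_check) {
    int (*rel)(struct mcred *) =
        use_allocator_check ? mcred_free_checked : mcred_free_patched;
    pool_reset(poison);
    struct mcred *cr = mcred_get(1000);
    mcred_hold(cr);
    if (rel(cr) != MCRED_ALIVE)
        return 99;
    if (rel(cr) != MCRED_FREED)
        return 99;
    return rel(cr);                     /* the bug: one release too many */
}

int main(void) {
    printf("no poison, ref guard only : %d\n", double_free_outcome(0, 0));
    printf("poisoned,  ref guard only : %d\n", double_free_outcome(1, 0));
    printf("poisoned,  allocator check: %d\n", double_free_outcome(1, 1));
    return 0;
}
```

With poisoning off, the extra release trips the cr_ref guard; with poisoning
on, cr_ref reads 0xdededede, the guard is silent, and the decrement writes
into a block the allocator thinks is free, which is the "data modified on
the freelist" complaint. Only the allocator-backed check catches that case,
which is why the guard in the patch is a useful tripwire but not a complete
detector.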
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200104172153.f3HLr9s09698>