Date: Sat, 2 Aug 2003 12:43:06 -0500 (CDT) From: Mike Silbersack <silby@silby.com> To: Scot Loach <sloach@sandvine.com> Cc: "'freebsd-net@freebsd.org'" <freebsd-net@freebsd.org> Subject: RE: TCP socket shutdown race condition Message-ID: <20030802123049.Y2165@odysseus.silby.com> In-Reply-To: <FE045D4D9F7AED4CBFF1B3B813C8533701AE86BF@mail.sandvine.com> References: <FE045D4D9F7AED4CBFF1B3B813C8533701AE86BF@mail.sandvine.com>
index | next in thread | previous in thread | raw e-mail
On Sat, 2 Aug 2003, Scot Loach wrote:
> I don't think that's the problem, although it does seem suspicious.
>
> Here's the struct ucred pointed to by the socket:
>
> (kgdb) p *so.so_cred
> $2 = {cr_ref = 3279453304, cr_uid = 3486088556, cr_ngroups = 1, cr_groups =
> {
> 0, 3276863080, 3277717504, 21162, 0, 0, 0, 0, 0, 4294967295, 4294967295,
> 0, 0, 0, 0, 3279496516}, cr_uidinfo = 0x0}
>
> This looks like garbage, but the cr_uidinfo pointer is null, and the cr_ref
> of _this_ structure is 32 bits.
>
> This doesn't look to me like a problem with the uidinfo, it looks to me like
> the ucred structure has already been freed.
>
> scot.
Well, as ui_ref is the best bet, redoing your tests with it expanded to
ui_int is where we need to start before looking further. :)
I believe that a uidinfo->ui_ref over/underflow could cause random memory
corruption, so maybe the panic you're seeing comes about after a bunch of
memory has already been trashed.
So anyway, promote ui_ref to a u_int and retest. Tell us what happens.
Mike "Silby" Silbersack
help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030802123049.Y2165>