Date: Sat, 2 Aug 2003 12:43:06 -0500 (CDT) From: Mike Silbersack <silby@silby.com> To: Scot Loach <sloach@sandvine.com> Cc: "'freebsd-net@freebsd.org'" <freebsd-net@freebsd.org> Subject: RE: TCP socket shutdown race condition Message-ID: <20030802123049.Y2165@odysseus.silby.com> In-Reply-To: <FE045D4D9F7AED4CBFF1B3B813C8533701AE86BF@mail.sandvine.com> References: <FE045D4D9F7AED4CBFF1B3B813C8533701AE86BF@mail.sandvine.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, 2 Aug 2003, Scot Loach wrote: > I don't think that's the problem, although it does seem suspicious. > > Here's the struct ucred pointed to by the socket: > > (kgdb) p *so.so_cred > $2 = {cr_ref = 3279453304, cr_uid = 3486088556, cr_ngroups = 1, cr_groups = > { > 0, 3276863080, 3277717504, 21162, 0, 0, 0, 0, 0, 4294967295, 4294967295, > 0, 0, 0, 0, 3279496516}, cr_uidinfo = 0x0} > > This looks like garbage, but the cr_uidinfo pointer is null, and the cr_ref > of _this_ structure is 32 bits. > > This doesn't look to me like a problem with the uidinfo, it looks to me like > the ucred structure has already been freed. > > scot. Well, as ui_ref is the best bet, redoing your tests with it expanded to ui_int is where we need to start before looking further. :) I believe that a uidinfo->ui_ref over/underflow could cause random memory corruption, so maybe the panic you're seeing comes about after a bunch of memory has already been trashed. So anyway, promote ui_ref to a u_int and retest. Tell us what happens. Mike "Silby" Silbersack
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030802123049.Y2165>