TCP socket shutdown race condition
Don Bowman
don at sandvine.com
Fri Aug 1 20:37:55 PDT 2003
> From: Mike Silbersack [mailto:silby at silby.com]
> On Fri, 1 Aug 2003, Scot Loach wrote:
>
> > Earlier this week one of our FreeBSD 4.7 boxes panic'd.
> I've posted the
> > stack trace at the end of this message. Using google, I've
> found several
> > references to this panic over the past three years, but it
> seems its never
> > been taken to root cause.
> >
> > The box crashes because the cr_uidinfo pointer in the
> so_cred structure is
> > null. However, on closer inspection the so_cred structure
> is corrupted
> > (cr_ref=3279453304 for example), so I'm guessing it has
> already been freed.
> > Looking closer at the socket, I see that the SS_NOFDREF
> flag is set, which
> > supports my theory. The tcpcb is in the CLOSED state, and
> has the SENTFIN
> > flag set.
>
> About how many concurrent connections are you pushing this machine to?
>
> There's an unfortunate problem with uidinfo in 4.x:
>
> struct uidinfo {
> LIST_ENTRY(uidinfo) ui_hash;
> rlim_t ui_sbsize; /* socket buffer
> space consumed */
> long ui_proccnt; /* number of processes */
> uid_t ui_uid; /* uid */
> u_short ui_ref; /* reference count */
> };
>
We are pushing in the ~50-~70K TCP connections to this process.
I think i see what you are suggesting :)
--don
More information about the freebsd-net
mailing list