TCP socket shutdown race condition
Mike Silbersack
silby at silby.com
Sat Aug 2 10:45:16 PDT 2003
On Sat, 2 Aug 2003, Scot Loach wrote:
> I don't think that's the problem, although it does seem suspicious.
>
> Here's the struct ucred pointed to by the socket:
>
> (kgdb) p *so.so_cred
> $2 = {cr_ref = 3279453304, cr_uid = 3486088556, cr_ngroups = 1, cr_groups =
> {
> 0, 3276863080, 3277717504, 21162, 0, 0, 0, 0, 0, 4294967295, 4294967295,
> 0, 0, 0, 0, 3279496516}, cr_uidinfo = 0x0}
>
> This looks like garbage, but the cr_uidinfo pointer is null, and the cr_ref
> of _this_ structure is 32 bits.
>
> This doesn't look to me like a problem with the uidinfo, it looks to me like
> the ucred structure has already been freed.
>
> scot.
Well, as ui_ref is the best bet, redoing your tests with it expanded to
ui_int is where we need to start before looking further. :)
I believe that a uidinfo->ui_ref over/underflow could cause random memory
corruption, so maybe the panic you're seeing comes about after a bunch of
memory has already been trashed.
So anyway, promote ui_ref to a u_int and retest. Tell us what happens.
Mike "Silby" Silbersack
More information about the freebsd-net
mailing list