Date:      Fri, 04 Nov 2005 11:48:51 +0100
From:      Andre Oppermann <andre@freebsd.org>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        current@FreeBSD.org
Subject:   Re: panic: mb_dtor_pack: ref_cnt != 1
Message-ID:  <436B3C93.4000905@freebsd.org>
In-Reply-To: <20051104092724.GA33945@xor.obsecurity.org>
References:  <20051104092724.GA33945@xor.obsecurity.org>

Kris Kennaway wrote:
> I got this panic shortly after boot on a freshly-updated amd64
> machine:
> 
> FreeBSD/amd64 (fbsd-amd64.isc.org) (ttyd0)
> 
> login: panic: mb_dtor_pack: ref_cnt != 1
> cpuid = 3
> KDB: enter: panic
> [thread pid 1021 tid 100131 ]
> Stopped at      kdb_enter+0x31: leave
> db> wh
> Tracing pid 1021 tid 100131 td 0xffffff0323816a40
> kdb_enter() at kdb_enter+0x31
> panic() at panic+0x1e6
> mb_dtor_pack() at mb_dtor_pack+0x103
> uma_zfree_arg() at uma_zfree_arg+0x34
> mb_free_ext() at mb_free_ext+0xe9
> soreceive() at soreceive+0xafb
> soo_read() at soo_read+0x5e
> dofileread() at dofileread+0x9e
> kern_readv() at kern_readv+0x4f
> read() at read+0x4b
> syscall() at syscall+0x350
> Xfast_syscall() at Xfast_syscall+0xa8
> --- syscall (3, FreeBSD ELF64, read), rip = 0x800b7e23c, rsp = 0x7fffffffe1a8, rbp = 0x400 ---

There is some modify-after-free going on with that mbuf cluster.
The mandatory mbuf cluster refcounting is bringing it to light.

Something is smelly in the socket buffer code and we have to find out
what exactly goes wrong.

-- 
Andre
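As an added illustration (not code from this thread or from FreeBSD's kern_mbuf.c), a small C model of the invariant behind the panic: a packet-zone item returning to the zone must hold the only reference to its cluster, so the destructor expects ref_cnt == 1. The split free path, the status codes and the two scenario functions are this model's own assumptions; the second scenario shows how a count touched after the owner's free decision is reported at the destructor instead of silently corrupting the cached cluster.

```c
/* Toy model of a packet-zone item (an mbuf whose cluster stays attached
 * while it is cached) and of the destructor check that fired in the panic.
 * Added illustration only; not FreeBSD's implementation. */
struct cluster { unsigned ref_cnt; };
struct mbuf { struct cluster *ext; int in_zone; };

enum { DTOR_OK = 0, DTOR_REFCNT_NOT_1 = -1 };

/* cf. mb_dtor_pack: when a packet item comes back to the zone, the cached
 * mbuf must be the sole holder of its cluster, so ref_cnt must be exactly 1.
 * The kernel panics on violation; this model returns a status instead. */
static int mb_dtor_pack_model(struct mbuf *m)
{
    if (m->ext->ref_cnt != 1)
        return DTOR_REFCNT_NOT_1;
    m->in_zone = 1;
    return DTOR_OK;
}

/* Free path in two halves (model of mb_free_ext): the holder first decides
 * whether it is the last reference, then hands the item to the zone, which
 * runs the destructor and re-reads the count. Returns 1 if last holder. */
static int m_free_decide_last(struct mbuf *m)
{
    if (m->ext->ref_cnt > 1) { m->ext->ref_cnt--; return 0; }
    return 1;
}
static int m_free_return_to_zone(struct mbuf *m) { return mb_dtor_pack_model(m); }

/* Two holders sharing one cluster and both freeing correctly: the first
 * free only decrements, the second reaches the destructor with ref_cnt 1. */
static int scenario_shared_ok(void)
{
    struct cluster cl = { 1 };
    struct mbuf a = { &cl, 0 }, b = { &cl, 0 };
    cl.ref_cnt++;                              /* b takes its own reference */
    if (m_free_decide_last(&a)) return m_free_return_to_zone(&a);
    if (m_free_decide_last(&b)) return m_free_return_to_zone(&b);
    return DTOR_OK;
}

/* Modify-after-free: the owner has decided it is the last holder, but a
 * pointer nobody counted still bumps the count before the item reaches the
 * zone. The destructor's re-read of the count is what exposes it. */
static int scenario_modify_after_free(void)
{
    struct cluster cl = { 1 };
    struct mbuf a = { &cl, 0 };
    struct mbuf *stale = &a;                   /* uncounted, stale reference */
    if (!m_free_decide_last(&a)) return DTOR_OK;
    stale->ext->ref_cnt++;                     /* touched after the free decision */
    return m_free_return_to_zone(&a);          /* ref_cnt is 2: reported */
}
```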



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?436B3C93.4000905>