Subject: kern/34270: Unmounting an NFS filesystem causes a kernel panic
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org>
From: None <tron@colwyn.zhadum.org.uk>
List: netbsd-bugs
Date: 08/24/2006 09:45:05
>Number:         34270
>Category:       kern
>Synopsis:       Unmounting an NFS filesystem causes a kernel panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Aug 24 09:45:05 +0000 2006
>Originator:     tron@colwyn.zhadum.org.uk
>Release:        NetBSD 4.99.1 2006-08-24 sources
>Organization:
Matthias Scheler                                  http://zhadum.org.uk/
>Environment:
System: NetBSD lyssa.zhadum.org.uk 4.99.1 NetBSD 4.99.1 (LYSSA) #0: Wed Aug 23 09:36:51 BST 2006 tron@lyssa.zhadum.org.uk:/src/sys/compile/LYSSA i386
Architecture: i386
Machine: i386
>Description:
After upgrading to a kernel built from today's NetBSD-current system my
desktop crashed twice with a panic like this:

multiply freed item 0xc2723600
panic: free: duplicated free

Here is what "gdb" gets out of the crash dump:

(gdb) where
#0  0xc0693000 in ?? ()
#1  0xc038fc1b in cpu_reboot (howto=260, bootstr=0x0)
    at /usr/src/sys/arch/i386/i386/machdep.c:869
#2  0xc030ad48 in panic (fmt=0xc04fcd1e "trap")
    at /usr/src/sys/kern/subr_prf.c:246
#3  0xc0398a4c in trap (frame=0xce246974)
    at /usr/src/sys/arch/i386/i386/trap.c:339
#4  0xc010b191 in calltrap ()
#5  0xc0189614 in db_get_value (addr=128, size=4, is_signed=0)
    at /usr/src/sys/ddb/db_access.c:62
#6  0xc038bf60 in db_numargs (retaddrp=0x80)
    at /usr/src/sys/arch/i386/i386/db_trace.c:151
#7  0xc038c87b in db_stack_trace_print (addr=-836474140, have_addr=1, 
    count=65535, modif=0xc04efddf "", pr=0xc030ab70 <printf>)
    at /usr/src/sys/arch/i386/i386/db_trace.c:462
#8  0xc030ad1f in panic (fmt=0xc04f6b89 "free: duplicated free")
    at /usr/src/sys/kern/subr_prf.c:235
#9  0xc02e5635 in free (addr=0xc27dc600, ksp=0xc0555440)
    at /usr/src/sys/kern/kern_malloc.c:557
#10 0xc0304a0b in iostat_free (stats=0xc27dc600)
    at /usr/src/sys/kern/subr_iostat.c:177
#11 0xc0231e0b in nfs_unmount (mp=<incomplete type>, mntflags=0, l=0xce1ebdac)
    at /usr/src/sys/nfs/nfs_vfsops.c:906
#12 0xc033c187 in dounmount (mp=<incomplete type>, flags=0, l=0xce1ebdac)
    at /usr/src/sys/kern/vfs_syscalls.c:620
#13 0xc033c59e in sys_unmount (l=0xce1ebdac, v=0xce246c48, retval=0xce246c68)
    at /usr/src/sys/kern/vfs_syscalls.c:536
#14 0xc03981d3 in syscall_plain (frame=0xce246c88)
    at /usr/src/sys/arch/i386/i386/syscall.c:144

It looks like the system crashed when amd(8) tried to unmount a filesystem.

>How-To-Repeat:
Boot a kernel built from today's source, mount a filesystem via NFS
and unmount it.

>Fix:
None provided. But it looks like revision 1.160 of "src/sys/nfs/nfs_vfsops.c"
causes this bug.