Subject: Re: kern/35728: repeated kernel panics: free: duplicated free (NFS-related)
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Antti Kantee <pooka@cs.hut.fi>
List: netbsd-bugs
Date: 02/20/2007 14:05:03 
The following reply was made to PR kern/35728; it has been noted by GNATS.

From: Antti Kantee <pooka@cs.hut.fi>
To: Arto Selonen <arto+dated+1171977722.42cefd5529de6cc7@selonen.org>
Cc: gnats-bugs@NetBSD.org, christos@netbsd.org
Subject: Re: kern/35728: repeated kernel panics: free: duplicated free (NFS-related)
Date: Tue, 20 Feb 2007 16:00:40 +0200

 On Tue Feb 20 2007 at 15:20:59 +0200, Arto Selonen wrote:
 > >diff -u -r1.123 nfs_serv.c
 > >--- nfs_serv.c	4 Feb 2007 14:48:51 -0000	1.123
 > >+++ nfs_serv.c	20 Feb 2007 12:07:16 -0000
 > >@@ -2706,6 +2706,7 @@
 > >		toff = off;
 > >		siz = fullsiz;
 > >		free(cookies, M_TEMP);
 > >+		cookies = NULL;
 > >		goto again;
 > >	}
 > >
 > >@@ -2975,6 +2976,7 @@
 > >		toff = off;
 > >		siz = fullsiz;
 > >		free(cookies, M_TEMP);
 > >+		cookies = NULL;
 > >		goto again;
 > >	}
 > >
 > 
 > Did not make any practical difference that I could tell. Debugger trace
 > seemed the same, too.
 
 Hmm.... could you provide the source code line it crashes on, if you
 have a dump with symbols?  It would help a bit in trying to figure out
 which free() is to blame.
 
 Ok, my next guess is that ufs_readdir() sets cookies, but frees it because
 of an error.  I am unsure what the exact semantics are supposed to be,
 but returning an error and cookies pointing to garbage can't be a good
 idea.
 (I'm assuming, of course, that you are serving off of ffs)
 
 Index: ufs_vnops.c
 ===================================================================
 RCS file: /cvsroot/src/sys/ufs/ufs/ufs_vnops.c,v
 retrieving revision 1.149
 diff -u -r1.149 ufs_vnops.c
 --- ufs_vnops.c	29 Jan 2007 15:42:50 -0000	1.149
 +++ ufs_vnops.c	20 Feb 2007 13:58:53 -0000
 @@ -1787,10 +1787,12 @@
  	error = uiomove(ndbuf, count, uio);
  out:
  	if (ap->a_cookies) {
 -		if (error)
 +		if (error) {
  			free(*(ap->a_cookies), M_TEMP);
 -		else
 +			*(ap->a_cookies) = NULL;
 +		} else {
  			*ap->a_ncookies = ccp - *(ap->a_cookies);
 +		}
  	}
  	uio->uio_offset = off;
  	free(ndbuf, M_TEMP);
 
 -- 
 Antti Kantee <pooka@iki.fi>                     Of course he runs NetBSD
 http://www.iki.fi/pooka/                          http://www.NetBSD.org/
     "la qualité la plus indispensable du cuisinier est l'exactitude"