Subject: Re: kern/35728: repeated kernel panics: free: duplicated free
To: None <gnats-bugs@NetBSD.org>
From: Arto Selonen <arto@selonen.org>
List: netbsd-bugs
Date: 02/20/2007 16:49:07
Hi!
On Tue, 20 Feb 2007, Antti Kantee wrote:
> The following reply was made to PR kern/35728; it has been noted by GNATS.
> From: Antti Kantee <pooka@cs.hut.fi>
> To: Arto Selonen <arto+dated+1171977722.42cefd5529de6cc7@selonen.org>
> Cc: gnats-bugs@NetBSD.org, christos@netbsd.org
> Subject: Re: kern/35728: repeated kernel panics: free: duplicated free (NFS-related)
> Date: Tue, 20 Feb 2007 16:00:40 +0200
> Hmm.... could you provide the source code line it crashes on, if you
> have a dump with symbols? It would help a bit in trying to figure out
> which free() is to blame.
This is from a crash dump with the unsuccessfully patched kernel:
# gdb netbsd.gdb
(gdb) target kvm /var/crash/netbsd.5.core
#0 0xc02be746 in cpu_reboot (howto=0, bootstr=0x0) at /cvs/src/sys/arch/i386/i386/machdep.c:870
870 dumpsys();
(gdb) bt
#0 0xc02be746 in cpu_reboot (howto=0, bootstr=0x0) at /cvs/src/sys/arch/i386/i386/machdep.c:870
#1 0xc014cb75 in db_reboot_cmd (addr=-1069776800, have_addr=0, count=-1072372955, modif=0xcd465664 "k\200<\300k\200<\300`\200<\300\240VF\315S\346\024\300\n") at /cvs/src/sys/ddb/db_command.c:775
#2 0xc014c7ea in db_command (last_cmdp=0xc03ba8fc, cmd_table=0x0) at /cvs/src/sys/ddb/db_command.c:511
#3 0xc014cac3 in db_command_loop () at /cvs/src/sys/ddb/db_command.c:299
#4 0xc014f493 in db_trap (type=1, code=0) at /cvs/src/sys/ddb/db_trap.c:101
#5 0xc02bb2e8 in kdb_trap (type=1, code=0, regs=0xcd46587c) at /cvs/src/sys/arch/i386/i386/db_interface.c:226
#6 0xc02c62ec in trap (frame=0xcd46587c) at /cvs/src/sys/arch/i386/i386/trap.c:308
#7 0xc0102f75 in calltrap ()
#8 0xc02bb170 in cpu_Debugger () at ./machine/cpufunc.h:332
#9 0xc025b64d in panic (fmt=0xc0375d4b "free: duplicated free") at /cvs/src/sys/kern/subr_prf.c:243
#10 0xc023b779 in free (addr=0xc1068000, ksp=0xc03be7c0) at /cvs/src/sys/kern/kern_malloc.c:620
#11 0xc01959eb in nfsrv_readdir (nfsd=0xcd64dca8, slp=0xc0cb5400, lwp=0xcd43be20, mrq=0xcd465b24) at /cvs/src/sys/nfs/nfs_serv.c:2658
#12 0xc01a9630 in nfssvc_nfsd (nsd=0xcd465b74, argp=0x804a2c0 <Address 0x804a2c0 out of bounds>, l=0xcd43be20) at /cvs/src/sys/nfs/nfs_syscalls.c:669
#13 0xc01aa13a in sys_nfssvc (l=0xcd43be20, v=0xcd465c48, retval=0xcd465c68) at /cvs/src/sys/nfs/nfs_syscalls.c:340
#14 0xc02c5ca0 in syscall_plain (frame=0xcd465c88) at /cvs/src/sys/arch/i386/i386/syscall.c:148
#15 0xc01006c9 in syscall1 ()
(gdb) list *0xc01959eb
0xc01959eb is in nfsrv_readdir (/cvs/src/sys/nfs/nfs_serv.c:2658).
2653 VOP_UNLOCK(vp, 0);
2654 if (error) {
2655 vrele(vp);
2656 free((caddr_t)rbuf, M_TEMP);
2657 if (cookies)
2658 free((caddr_t)cookies, M_TEMP);
2659 nfsm_reply(NFSX_POSTOPATTR(v3));
2660 nfsm_srvpostop_attr(getret, &at);
2661 return (0);
2662 }
> Ok, my next guess is that ufs_readdir() sets cookies, but frees it because
> of an error. I am unsure what the exact semantics are supposed to be,
> but returning an error and cookies pointing to garbage can't be a good
> idea.
> (I'm assuming, of course, that you are serving off of ffs)
That is correct, I'm using ffs.
Is your second patch in addition to the first one or instead of it:
> Index: ufs_vnops.c
> ===================================================================
> RCS file: /cvsroot/src/sys/ufs/ufs/ufs_vnops.c,v
> retrieving revision 1.149
> diff -u -r1.149 ufs_vnops.c
> --- ufs_vnops.c	29 Jan 2007 15:42:50 -0000	1.149
> +++ ufs_vnops.c	20 Feb 2007 13:58:53 -0000
Artsi
-- 
#######======------ http://www.selonen.org/arto/ --------========########
Everstinkuja 5 B 35 Don't mind doing it.
FI-02600 Espoo arto@selonen.org Don't mind not doing it.
Finland tel +358 50 560 4826 Don't know anything about it.
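Editor's note, added to this page and not part of the PR thread or of NetBSD: the mechanism Antti describes above (the callee frees the cookie buffer on an error return but leaves the caller's pointer set, so the caller's own error path, quoted from nfs_serv.c:2658 above, frees it a second time) can be reproduced in user space. The program below is a constructed model, not NetBSD code: toy_readdir stands in for VOP_READDIR on ffs, toy_nfsrv_readdir for the error path of nfsrv_readdir, and tracked_free for kern_malloc's duplicated-free check; all three names, the MAX_LIVE slot table, and the fail/fixed switches are this example's own assumptions. The "fixed" variant shows the ownership rule that avoids the panic: whoever frees an out-parameter on the error path must also clear the caller's copy of the pointer.

```c
/*
 * Constructed example modelling the double free from PR kern/35728.
 * Not NetBSD code; every identifier here is hypothetical.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Small allocation tracker: a pointer that is freed while not live is
 * counted as a duplicated free instead of corrupting the real heap.
 * This is a stand-in for the "free: duplicated free" panic check. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_frees;

static void *tracked_malloc(size_t n)
{
	void *p = malloc(n);
	for (int i = 0; p != NULL && i < MAX_LIVE; i++) {
		if (live[i] == NULL) {
			live[i] = p;
			return p;
		}
	}
	free(p);		/* no free slot: treat as allocation failure */
	return NULL;
}

static void tracked_free(void *p)
{
	if (p == NULL)
		return;
	for (int i = 0; i < MAX_LIVE; i++) {
		if (live[i] == p) {
			live[i] = NULL;
			free(p);
			return;
		}
	}
	double_frees++;		/* p was already freed: duplicated free */
}

/* Stand-in for VOP_READDIR on ffs.  It allocates the cookie array for the
 * caller and then hits an error part way through.  The buggy variant frees
 * the cookies but leaves *cookies dangling; the fixed variant clears it. */
static int toy_readdir(off_t **cookies, int ncookies, int fail, int fixed)
{
	*cookies = tracked_malloc((size_t)ncookies * sizeof(off_t));
	if (*cookies == NULL)
		return ENOMEM;
	for (int i = 0; i < ncookies; i++)
		(*cookies)[i] = (off_t)(i + 1) * 16;	/* fake directory offsets */
	if (fail) {
		tracked_free(*cookies);
		if (fixed)
			*cookies = NULL;	/* caller must not free it again */
		return EIO;
	}
	return 0;
}

/* Stand-in for the error path of nfsrv_readdir quoted in the PR: on error
 * it frees rbuf and, if cookies is non-NULL, frees cookies as well. */
static int toy_nfsrv_readdir(int fail, int fixed)
{
	char *rbuf = tracked_malloc(512);
	off_t *cookies = NULL;
	int error;

	if (rbuf == NULL)
		return ENOMEM;
	error = toy_readdir(&cookies, 8, fail, fixed);
	if (error) {
		tracked_free(rbuf);
		if (cookies)
			tracked_free(cookies);	/* second free if callee left it set */
		return error;
	}
	tracked_free(rbuf);
	tracked_free(cookies);
	return 0;
}

/* Runs one scenario from a clean tracker and returns how many duplicated
 * frees it produced. */
int count_double_frees(int fail, int fixed)
{
	double_frees = 0;
	memset(live, 0, sizeof live);
	(void)toy_nfsrv_readdir(fail, fixed);
	return double_frees;
}

int main(void)
{
	printf("success path: %d duplicated free(s)\n", count_double_frees(0, 0));
	printf("error, dangling cookies: %d duplicated free(s)\n", count_double_frees(1, 0));
	printf("error, cookies cleared: %d duplicated free(s)\n", count_double_frees(1, 1));
	return 0;
}
```

The buggy scenario reproduces the shape of the panic backtrace above: the callee's free succeeds, the caller's `if (cookies)` test still passes because the pointer was never cleared, and the second free is the one the allocator rejects. Either side of the interface can be made responsible (the callee clears `*cookies`, or the caller reads the out-parameter only on success), but one of them has to be, and the interface contract should say which.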