Subject: Re: kern/35728: repeated kernel panics: free: duplicated free
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Arto Selonen <arto@selonen.org>
List: netbsd-bugs
Date: 02/20/2007 15:20:02
The following reply was made to PR kern/35728; it has been noted by GNATS.

From: Arto Selonen <arto@selonen.org>
To: Antti Kantee <pooka@cs.hut.fi>
Cc: gnats-bugs@NetBSD.org, christos@netbsd.org
Subject: Re: kern/35728: repeated kernel panics: free: duplicated free
	(NFS-related)
Date: Tue, 20 Feb 2007 15:20:59 +0200 (EET)

 Hi!
 
 On Tue, 20 Feb 2007, Antti Kantee wrote:
 
 > Hi, I'm guessing this is because of rev. 1.115 of sys/nfs/nfs_serv.c.
 > Seems like the backend readdir can in some cases leave cookies untouched
 > and if we "goto again", we have a dangling value in cookies, which then
 > gets freed twice.
 >
 > Can you try the following patch?  (untested)
 >
 > Index: nfs_serv.c
 > ===================================================================
 > RCS file: /cvsroot/src/sys/nfs/nfs_serv.c,v
 > retrieving revision 1.123
 > diff -u -r1.123 nfs_serv.c
 > --- nfs_serv.c	4 Feb 2007 14:48:51 -0000	1.123
 > +++ nfs_serv.c	20 Feb 2007 12:07:16 -0000
 > @@ -2706,6 +2706,7 @@
 > 		toff = off;
 > 		siz = fullsiz;
 > 		free(cookies, M_TEMP);
 > +		cookies = NULL;
 > 		goto again;
 > 	}
 >
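 
 Review bot: clearing cookies only after the free() on this retry path leaves the pointer's value at the again label dependent on which path jumped there. Since the stated premise is that the backend readdir can return without writing cookies, setting cookies = NULL immediately before the readdir call at again: would cover every entry to that call, not only this one. The release that runs after the retry is outside this hunk, so it is worth confirming that it is guarded by a NULL check or that free(NULL, M_TEMP) is accepted.
 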
 > @@ -2975,6 +2976,7 @@
 > 		toff = off;
 > 		siz = fullsiz;
 > 		free(cookies, M_TEMP);
 > +		cookies = NULL;
 > 		goto again;
 > 	}
 >
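 
 Review bot: the added cookies = NULL; in this second hunk carries no comment, and nothing in the surrounding lines says why a pointer that is expected to be reassigned after goto again needs clearing. A short comment such as /* readdir may leave cookies untouched on retry */ would keep the line from being dropped as dead code later. The same retry sequence (toff, siz, free, reset, goto again) now appears at both sites, around lines 2706 and 2976, so the comment belongs at both, or the sequence could be factored into one place.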
 
 Did not make any practical difference that I could tell. Debugger trace
 seemed the same, too.
 
 
 Artsi
 -- 
 #######======------  http://www.selonen.org/arto/  --------========########
 Everstinkuja 5 B 35                               Don't mind doing it.
 FI-02600 Espoo         arto@selonen.org         Don't mind not doing it.
 Finland              tel +358 50 560 4826     Don't know anything about it.
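
The mechanism hypothesised in the quoted text above, modelled in user-space C as an added example; it is not code from nfs_serv.c or from anyone in this thread. The names `backend_readdir`, `serve_readdir`, `t_alloc` and `t_free` are hypothetical, and the model assumes the exit path releases `cookies` and that releasing NULL is harmless.

```c
#include <stddef.h>

/* Tracking allocator, constructed for this example: buffers come from a
 * static pool, so a repeated release is counted rather than corrupting a
 * heap. NULL matches no slot and is ignored (assumption of this model). */
static char pool[4][16];
static int live[4], nslot, dup_frees;

static void *t_alloc(void)
{
	live[nslot] = 1;
	return pool[nslot++];
}

static void t_free(void *p)
{
	for (int i = 0; i < nslot; i++)
		if (p == (void *)pool[i]) {
			dup_frees += !live[i];	/* already released: duplicated free */
			live[i] = 0;
		}
}

/* Hypothetical backend: call 0 allocates cookies and asks for a retry;
 * call 1 reports completion and leaves *cookies untouched. */
static int backend_readdir(void **cookies, int call)
{
	if (call == 0)
		*cookies = t_alloc();
	return call == 0;
}

/* Returns the number of duplicated frees seen while serving one request. */
static int serve_readdir(int reset_after_free)
{
	void *cookies = NULL;
	int call = 0;
	nslot = dup_frees = 0;
again:
	if (backend_readdir(&cookies, call++)) {
		t_free(cookies);
		if (reset_after_free)
			cookies = NULL;	/* the line the patch adds */
		goto again;
	}
	t_free(cookies);		/* common exit path */
	return dup_frees;
}
int main(void) { return !(serve_readdir(0) == 1 && serve_readdir(1) == 0); }
```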