Subject: Re: kern/35728: repeated kernel panics: free: duplicated free
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Arto Selonen <arto@selonen.org>
List: netbsd-bugs
Date: 02/20/2007 15:20:02
The following reply was made to PR kern/35728; it has been noted by GNATS.
From: Arto Selonen <arto@selonen.org>
To: Antti Kantee <pooka@cs.hut.fi>
Cc: gnats-bugs@NetBSD.org, christos@netbsd.org
Subject: Re: kern/35728: repeated kernel panics: free: duplicated free
(NFS-related)
Date: Tue, 20 Feb 2007 15:20:59 +0200 (EET)
Hi!
On Tue, 20 Feb 2007, Antti Kantee wrote:
> Hi, I'm guessing this is because of rev. 1.115 of sys/nfs/nfs_serv.c.
> Seems like the backend readdir can in some cases leave cookies untouched
> and if we "goto again", we have a dangling value in cookies, which then
> gets freed twice.
>
> Can you try the following patch? (untested)
>
> Index: nfs_serv.c
> ===================================================================
> RCS file: /cvsroot/src/sys/nfs/nfs_serv.c,v
> retrieving revision 1.123
> diff -u -r1.123 nfs_serv.c
> --- nfs_serv.c 4 Feb 2007 14:48:51 -0000 1.123
> +++ nfs_serv.c 20 Feb 2007 12:07:16 -0000
> @@ -2706,6 +2706,7 @@
> toff = off;
> siz = fullsiz;
> free(cookies, M_TEMP);
> + cookies = NULL;
> goto again;
> }
>
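Review bot: the `cookies = NULL;` added after `free(cookies, M_TEMP);` only prevents a second free if the code that later releases `cookies` tests for NULL or if `free` accepts NULL here, and neither is visible in this hunk. Please confirm that the cleanup reached after `goto again` is guarded. The new line also needs a short comment saying the backend readdir may leave `cookies` unset on the retry, because without it the assignment reads as redundant.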
> @@ -2975,6 +2976,7 @@
> toff = off;
> siz = fullsiz;
> free(cookies, M_TEMP);
> + cookies = NULL;
> goto again;
> }
>
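Review bot: this site repeats the `free(cookies, M_TEMP); cookies = NULL; goto again;` sequence from the hunk at 2706, so the two retry paths now have to be kept in sync by hand. Consider a small helper or macro for the free-and-clear step, used at both sites, so that a later edit cannot drop the reset in one of them.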
Did not make any practical difference that I could tell. Debugger trace
seemed the same, too.
Artsi
--
#######======------ http://www.selonen.org/arto/ --------========########
Everstinkuja 5 B 35 Don't mind doing it.
FI-02600 Espoo arto@selonen.org Don't mind not doing it.
Finland tel +358 50 560 4826 Don't know anything about it.
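
The failure mode described in the quoted text above (a backend that leaves `cookies` untouched on the retry, so the value freed before `goto again` is freed once more), as an added userland example that is not part of this message or of nfs_serv.c. `fake_readdir`, `tracked_alloc`, `tracked_free` and `serve_readdir` are hypothetical names, and the tracking wrapper stands in for the kernel's `free(cookies, M_TEMP)` so the second free is counted instead of corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>

static void *last_freed;   /* most recently released block; cleared on each new allocation */
static int double_frees;   /* number of times an already-freed pointer was passed in */

static void *tracked_alloc(size_t n) { last_freed = NULL; return malloc(n); }

static void tracked_free(void *p)
{
    if (p == NULL)
        return;                                       /* NULL is a no-op in this model */
    if (p == last_freed) { double_frees++; return; }  /* stale pointer freed again */
    last_freed = p;
    free(p);
}

/* Hypothetical backend: allocates cookies on the first pass, and on the
 * retry returns data without writing *cookies at all. */
static int fake_readdir(int pass, unsigned long **cookies)
{
    if (pass == 0) {
        *cookies = tracked_alloc(4 * sizeof(**cookies));
        return 0;            /* nothing usable: caller frees and retries */
    }
    return 1;                /* success, *cookies left untouched */
}

/* Returns the number of duplicated frees seen for one request. */
int serve_readdir(int reset_after_free)
{
    unsigned long *cookies = NULL;
    int pass = 0;

    double_frees = 0;
again:
    if (fake_readdir(pass++, &cookies) == 0) {
        tracked_free(cookies);
        if (reset_after_free)
            cookies = NULL;  /* the one-line change from the patch */
        goto again;
    }
    tracked_free(cookies);   /* normal cleanup at the end of the request */
    return double_frees;
}

int main(void)
{
    printf("no reset: %d  reset: %d\n", serve_readdir(0), serve_readdir(1));
    return 0;
}
```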