Subject: Re: kern/35728: repeated kernel panics: free: duplicated free (NFS-related)
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Antti Kantee <pooka@cs.hut.fi>
List: netbsd-bugs
Date: 02/20/2007 12:10:02 
The following reply was made to PR kern/35728; it has been noted by GNATS.

From: Antti Kantee <pooka@cs.hut.fi>
To: arto@selonen.org
Cc: gnats-bugs@NetBSD.org, christos@netbsd.org
Subject: Re: kern/35728: repeated kernel panics: free: duplicated free (NFS-related)
Date: Tue, 20 Feb 2007 14:09:12 +0200

 On Tue Feb 20 2007 at 07:30:01 +0000, arto@selonen.org wrote:
 > The system was upgraded on February 6th (after kern/35542 was fixed;
 > earlier history of the system can be found there) and ran without problems for roughly two weeks. Then on February 18th, it paniced
 > ("panic: free: duplicated free"). Repeated reboots resulted
 > in similar panics pretty much as soon as network interface went up.
 > Booting to single user and turning NFS services off made system stable
 > (and NFS disks inaccessible).
 > 
 > multiply freed item 0xc105c000
 > panic: free: duplicated free
 > Stopped in pid 543.1 (nfsd)
 > db> tr
 > cpu_Debugger
 > panic
 > free
 > nfssrv_readdir
 > nfssvc_nfsd
 > sys_nfssvc
 > syscall_plain
 > --- syscall (number 155) ---
 
 Hi, I'm guessing this is because of rev. 1.115 of sys/nfs/nfs_serv.c.
 Seems like the backend readdir can in some cases leave cookies untouched
 and if we "goto again", we have a dangling value in cookies, which then
 gets freed twice.
 
 Can you try the following patch?  (untested)
 
 Index: nfs_serv.c
 ===================================================================
 RCS file: /cvsroot/src/sys/nfs/nfs_serv.c,v
 retrieving revision 1.123
 diff -u -r1.123 nfs_serv.c
 --- nfs_serv.c	4 Feb 2007 14:48:51 -0000	1.123
 +++ nfs_serv.c	20 Feb 2007 12:07:16 -0000
 @@ -2706,6 +2706,7 @@
  		toff = off;
  		siz = fullsiz;
  		free(cookies, M_TEMP);
 +		cookies = NULL;
  		goto again;
  	}
  
 @@ -2975,6 +2976,7 @@
  		toff = off;
  		siz = fullsiz;
  		free(cookies, M_TEMP);
 +		cookies = NULL;
  		goto again;
  	}
  
 
 -- 
 Antti Kantee <pooka@iki.fi>                     Of course he runs NetBSD
 http://www.iki.fi/pooka/                          http://www.NetBSD.org/
     "la qualité la plus indispensable du cuisinier est l'exactitude"