Subject: Re: kern/35728: repeated kernel panics: free: duplicated free
To: None <>
From: Arto Selonen <>
List: netbsd-bugs
Date: 02/20/2007 16:49:07

On Tue, 20 Feb 2007, Antti Kantee wrote:

> The following reply was made to PR kern/35728; it has been noted by GNATS.

> From: Antti Kantee <>
> To: Arto Selonen <>
> Cc:,
> Subject: Re: kern/35728: repeated kernel panics: free: duplicated free (N
> Date: Tue, 20 Feb 2007 16:00:40 +0200

> Hmm.... could you provide the source code line it crashes on, if you
> have a dump with symbols?  It would help a bit in trying to figure out
> which free() is to blame.

This is from a crash dump with the unsuccessfully patched kernel:

# gdb netbsd.gdb
(gdb) target kvm /var/crash/netbsd.5.core
#0  0xc02be746 in cpu_reboot (howto=0, bootstr=0x0) at /cvs/src/sys/arc
870                     dumpsys();
(gdb) bt
#0  0xc02be746 in cpu_reboot (howto=0, bootstr=0x0) at /cvs/src/sys/arc
#1  0xc014cb75 in db_reboot_cmd (addr=-1069776800, have_addr=0, count=-1072372955, modif=0xcd465664 "k\200<\300k\200<\300`\200<\300\240VF\315S\346\024\300\n") at /cvs/src/sys/ddb/db_command.c:775
#2  0xc014c7ea in db_command (last_cmdp=0xc03ba8fc, cmd_table=0x0) at /
#3  0xc014cac3 in db_command_loop () at /cvs/src/sys/ddb/db_command.c:299
#4  0xc014f493 in db_trap (type=1, code=0) at /cvs/src/sys/ddb/db_trap.
#5  0xc02bb2e8 in kdb_trap (type=1, code=0, regs=0xcd46587c) at /cvs/
#6  0xc02c62ec in trap (frame=0xcd46587c) at /cvs/src/sys/arch/i386/i386/
#7  0xc0102f75 in calltrap ()
#8  0xc02bb170 in cpu_Debugger () at ./machine/cpufunc.h:332
#9  0xc025b64d in panic (fmt=0xc0375d4b "free: duplicated free") at /cvs/
#10 0xc023b779 in free (addr=0xc1068000, ksp=0xc03be7c0) at /cvs/src/sy
#11 0xc01959eb in nfsrv_readdir (nfsd=0xcd64dca8, slp=0xc0cb5400, lwp=0xcd43be20, mrq=0xcd465b24) at /cvs/src/sys/nfs/nfs_serv.c:2658
#12 0xc01a9630 in nfssvc_nfsd (nsd=0xcd465b74, argp=0x804a2c0 <Address 0x804a2c0 out of bounds>, l=0xcd43be20) at /cvs/src/sys/nfs/nfs_syscalls.
#13 0xc01aa13a in sys_nfssvc (l=0xcd43be20, v=0xcd465c48, retval=0xcd465c68) at /cvs/src/sys/nfs/nfs_syscalls.c:340
#14 0xc02c5ca0 in syscall_plain (frame=0xcd465c88) at /cvs/src/sys/arch/i
#15 0xc01006c9 in syscall1 ()

(gdb) list *0xc01959eb
0xc01959eb is in nfsrv_readdir (/cvs/src/sys/nfs/nfs_serv.c:2658).
2653            VOP_UNLOCK(vp, 0);
2654            if (error) {
2655                    vrele(vp);
2656                    free((caddr_t)rbuf, M_TEMP);
2657                    if (cookies)
2658                            free((caddr_t)cookies, M_TEMP);
2659                    nfsm_reply(NFSX_POSTOPATTR(v3));
2660                    nfsm_srvpostop_attr(getret, &at);
2661                    return (0);
2662            }

> Ok, my next guess is that ufs_readdir() sets cookies, but frees it because
> of an error.  I am unsure what the exact semantics are supposed to be,
> but returning an error and cookies pointing to garbage can't be a good
> idea.
> (I'm assuming, of course, that you are serving off of ffs)

That is correct, I'm using ffs.

Is your second patch in addition to the first one or instead of it:

> Index: ufs_vnops.c
> ========================
> RCS file: /cvsroot/src/sys/ufs/ufs/ufs_vnops.c,v
> retrieving revision 1.149
> diff -u -r1.149 ufs_vnops.c
> --- ufs_vnops.c	29 Jan 2007 15:42:50 -0000	1.149
> +++ ufs_vnops.c	20 Feb 2007 13:58:53 -0000

#######======------  --------=
Everstinkuja 5 B 35                               Don't mind doing it.
FI-02600 Espoo         Don't mind not doing it.
Finland              tel +358 50 560 4826     Don't know anything about it.
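The ownership problem Antti suspects above (a readdir callee that sets `cookies`, frees the array on its own error path, and returns the error with the caller's pointer still set), next to the cleanup in nfsrv_readdir() at nfs_serv.c:2655-2658 that frees `cookies` whenever it is non-NULL, as an added userland C example. This is not kernel code and not part of the PR or either patch: `kalloc`/`kfree`, `readdir_buggy`, `readdir_fixed` and `server_readdir` are hypothetical stand-ins, and the tracking allocator exists only so the second free is reported deterministically instead of relying on libc to notice.

```c
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/types.h>

/*
 * Toy allocator (hypothetical, not the kernel's malloc) that records every
 * live block so that freeing a pointer twice is reported rather than
 * corrupting the heap; it stands in for the "free: duplicated free" check.
 */
#define MAX_LIVE 16
static void *live[MAX_LIVE];

static void *kalloc(size_t n)
{
    void *p = malloc(n);
    for (int i = 0; p != NULL && i < MAX_LIVE; i++) {
        if (live[i] == NULL) { live[i] = p; return p; }
    }
    free(p);
    return NULL;
}

/* Returns 0 on a valid free, -1 when the pointer is not a live block. */
static int kfree(void *p)
{
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return 0; }
    }
    return -1;          /* duplicated (or wild) free: leave the heap alone */
}

/*
 * Callee with the ownership bug described in the thread: it hands the caller
 * a cookie array, then frees that array on its own error path without
 * clearing the caller's pointer, so the caller still "owns" a dead block.
 */
static int readdir_buggy(int fail, off_t **cookies, int *ncookies)
{
    *ncookies = 8;
    *cookies = kalloc(*ncookies * sizeof(off_t));
    if (*cookies == NULL)
        return ENOMEM;
    if (fail) {
        kfree(*cookies);        /* BUG: *cookies still points at freed memory */
        return EIO;
    }
    return 0;
}

/* Fixed callee: the error path releases the array AND resets the out-params. */
static int readdir_fixed(int fail, off_t **cookies, int *ncookies)
{
    *ncookies = 8;
    *cookies = kalloc(*ncookies * sizeof(off_t));
    if (*cookies == NULL)
        return ENOMEM;
    if (fail) {
        kfree(*cookies);
        *cookies = NULL;        /* caller's "if (cookies) free(cookies)" is now a no-op */
        *ncookies = 0;
        return EIO;
    }
    return 0;
}

typedef int (*readdir_fn)(int, off_t **, int *);

/*
 * Caller mirroring nfsrv_readdir()'s cleanup: free the reply buffer, then
 * free the cookies if the pointer is non-NULL.  Returns 1 if that cleanup
 * performed a duplicated free, 0 otherwise, -1 on allocation failure.
 */
static int server_readdir(readdir_fn rd, int fail)
{
    off_t *cookies = NULL;
    int ncookies = 0;
    int dupfree = 0;
    char *rbuf = kalloc(512);
    if (rbuf == NULL)
        return -1;

    int error = rd(fail, &cookies, &ncookies);
    kfree(rbuf);
    if (error) {
        if (cookies)
            dupfree = (kfree(cookies) != 0);   /* second free with the buggy callee */
        return dupfree;
    }
    kfree(cookies);             /* success path: the one legitimate free */
    return 0;
}

int main(void)
{
    printf("buggy callee, error path:  duplicated free = %d\n", server_readdir(readdir_buggy, 1));
    printf("fixed callee, error path:  duplicated free = %d\n", server_readdir(readdir_fixed, 1));
    printf("fixed callee, success:     duplicated free = %d\n", server_readdir(readdir_fixed, 0));
    return 0;
}
```

The point the example makes is that the caller's `if (cookies)` guard is only as good as the callee's contract: once a callee frees an out-parameter on its error path it must also NULL the caller's pointer (and zero the count), otherwise every caller that cleans up "if non-NULL" performs exactly the duplicated free seen in frame #10 above.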