Subject: Re: kern/35728: repeated kernel panics: free: duplicated free
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Arto Selonen <arto@selonen.org>
List: netbsd-bugs
Date: 02/20/2007 14:50:02
The following reply was made to PR kern/35728; it has been noted by GNATS.

From: Arto Selonen <arto@selonen.org>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
	netbsd-bugs@netbsd.org
Subject: Re: kern/35728: repeated kernel panics: free: duplicated free
	(NFS-related)
Date: Tue, 20 Feb 2007 16:49:07 +0200 (EET)

 Hi!
 
 On Tue, 20 Feb 2007, Antti Kantee wrote:
 
 > The following reply was made to PR kern/35728; it has been noted by GNATS.
 
 > From: Antti Kantee <pooka@cs.hut.fi>
 > To: Arto Selonen <arto+dated+1171977722.42cefd5529de6cc7@selonen.org>
 > Cc: gnats-bugs@NetBSD.org, christos@netbsd.org
 > Subject: Re: kern/35728: repeated kernel panics: free: duplicated free (NFS-related)
 > Date: Tue, 20 Feb 2007 16:00:40 +0200
 
 > Hmm.... could you provide the source code line it crashes on, if you
 > have a dump with symbols?  It would help a bit in trying to figure out
 > which free() is to blame.
 
 This is from a crash dump with the unsuccessfully patched kernel:
 
 # gdb netbsd.gdb
 (gdb) target kvm /var/crash/netbsd.5.core
 #0  0xc02be746 in cpu_reboot (howto=0, bootstr=0x0) at /cvs/src/sys/arch/i386/i386/machdep.c:870
 870                     dumpsys();
 (gdb) bt
 #0  0xc02be746 in cpu_reboot (howto=0, bootstr=0x0) at /cvs/src/sys/arch/i386/i386/machdep.c:870
 #1  0xc014cb75 in db_reboot_cmd (addr=-1069776800, have_addr=0, count=-1072372955, modif=0xcd465664 "k\200<Àk\200<À`\200<À VFÍSæ\024À\n") at /cvs/src/sys/ddb/db_command.c:775
 #2  0xc014c7ea in db_command (last_cmdp=0xc03ba8fc, cmd_table=0x0) at /cvs/src/sys/ddb/db_command.c:511
 #3  0xc014cac3 in db_command_loop () at /cvs/src/sys/ddb/db_command.c:299
 #4  0xc014f493 in db_trap (type=1, code=0) at /cvs/src/sys/ddb/db_trap.c:101
 #5  0xc02bb2e8 in kdb_trap (type=1, code=0, regs=0xcd46587c) at /cvs/src/sys/arch/i386/i386/db_interface.c:226
 #6  0xc02c62ec in trap (frame=0xcd46587c) at /cvs/src/sys/arch/i386/i386/trap.c:308
 #7  0xc0102f75 in calltrap ()
 #8  0xc02bb170 in cpu_Debugger () at ./machine/cpufunc.h:332
 #9  0xc025b64d in panic (fmt=0xc0375d4b "free: duplicated free") at /cvs/src/sys/kern/subr_prf.c:243
 #10 0xc023b779 in free (addr=0xc1068000, ksp=0xc03be7c0) at /cvs/src/sys/kern/kern_malloc.c:620
 #11 0xc01959eb in nfsrv_readdir (nfsd=0xcd64dca8, slp=0xc0cb5400, lwp=0xcd43be20, mrq=0xcd465b24) at /cvs/src/sys/nfs/nfs_serv.c:2658
 #12 0xc01a9630 in nfssvc_nfsd (nsd=0xcd465b74, argp=0x804a2c0 <Address 0x804a2c0 out of bounds>, l=0xcd43be20) at /cvs/src/sys/nfs/nfs_syscalls.c:669
 #13 0xc01aa13a in sys_nfssvc (l=0xcd43be20, v=0xcd465c48, retval=0xcd465c68) at /cvs/src/sys/nfs/nfs_syscalls.c:340
 #14 0xc02c5ca0 in syscall_plain (frame=0xcd465c88) at /cvs/src/sys/arch/i386/i386/syscall.c:148
 #15 0xc01006c9 in syscall1 ()
 
 (gdb) list *0xc01959eb
 0xc01959eb is in nfsrv_readdir (/cvs/src/sys/nfs/nfs_serv.c:2658).
 2653            VOP_UNLOCK(vp, 0);
 2654            if (error) {
 2655                    vrele(vp);
 2656                    free((caddr_t)rbuf, M_TEMP);
 2657                    if (cookies)
 2658                            free((caddr_t)cookies, M_TEMP);
 2659                    nfsm_reply(NFSX_POSTOPATTR(v3));
 2660                    nfsm_srvpostop_attr(getret, &at);
 2661                    return (0);
 2662            }
 
 
 > Ok, my next guess is that ufs_readdir() sets cookies, but frees it because
 > of an error.  I am unsure what the exact semantics are supposed to be,
 > but returning an error and cookies pointing to garbage can't be a good
 > idea.
 > (I'm assuming, of course, that you are serving off of ffs)
 
 That is correct, I'm using ffs.
 
 
 Is your second patch in addition to the first one or instead of it:
 
 > Index: ufs_vnops.c
 > ===================================================================
 > RCS file: /cvsroot/src/sys/ufs/ufs/ufs_vnops.c,v
 > retrieving revision 1.149
 > diff -u -r1.149 ufs_vnops.c
 > --- ufs_vnops.c	29 Jan 2007 15:42:50 -0000	1.149
 > +++ ufs_vnops.c	20 Feb 2007 13:58:53 -0000
 
 
 Artsi
 -- 
 #######======------  http://www.selonen.org/arto/  --------========########
 Everstinkuja 5 B 35                               Don't mind doing it.
 FI-02600 Espoo         arto@selonen.org         Don't mind not doing it.
 Finland              tel +358 50 560 4826     Don't know anything about it.
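The bug class this PR circles around, as an added illustration in C that is not part of the original report, the follow-up, or the NetBSD sources: a callee fills an out-parameter buffer for the caller, hits an error, frees the buffer itself, and returns with the caller's pointer still non-NULL; the caller's own cleanup (the "if (cookies) free(cookies)" pattern shown in the nfs_serv.c listing above) then frees the same block a second time, which is exactly what the kernel's "free: duplicated free" check catches. All names here (readdir_buggy, readdir_fixed, run_caller, the t_malloc/t_free tracker) are hypothetical, and the tracker is a stand-in for the kernel allocator's bookkeeping that counts duplicate frees instead of panicking, so the outcome can be printed and checked.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Hypothetical model of the callee/caller contract; not the NetBSD code.
 * A tiny tracked allocator over a static arena replaces malloc/free so the
 * second free is detected and counted (the kernel panics at this point),
 * and no pointer is ever dereferenced or compared after real deallocation.
 */
#define NSLOT 4
#define SLOTSZ 64

static char arena[NSLOT][SLOTSZ];
static int live[NSLOT];
static int dup_free_count;

static void *t_malloc(void)
{
    for (int i = 0; i < NSLOT; i++) {
        if (!live[i]) {
            live[i] = 1;
            return arena[i];
        }
    }
    return NULL;
}

static void t_free(void *p)
{
    for (int i = 0; i < NSLOT; i++) {
        if ((void *)arena[i] == p) {
            if (!live[i])
                dup_free_count++;   /* "free: duplicated free" */
            live[i] = 0;
            return;
        }
    }
}

/* Contract: on success *cookies is a buffer the caller owns and frees.
 * Buggy variant: on error it frees the buffer but leaves *cookies set. */
static int readdir_buggy(int fail, void **cookies)
{
    *cookies = t_malloc();
    if (*cookies == NULL)
        return -1;
    if (fail) {
        t_free(*cookies);       /* freed here ... */
        return -1;              /* ... yet the caller still sees non-NULL */
    }
    return 0;
}

/* Fixed variant: whoever frees the buffer also clears the caller's pointer,
 * so a later "if (cookies) free(cookies)" is a no-op, not a second free. */
static int readdir_fixed(int fail, void **cookies)
{
    *cookies = t_malloc();
    if (*cookies == NULL)
        return -1;
    if (fail) {
        t_free(*cookies);
        *cookies = NULL;
        return -1;
    }
    return 0;
}

/* Caller written like the nfsrv_readdir error path quoted in the PR: it
 * frees cookies whenever the pointer is non-NULL. Returns how many
 * duplicate frees the tracker observed during this call (0 is correct). */
static int run_caller(int (*readdir_fn)(int, void **), int fail)
{
    void *cookies = NULL;
    int before = dup_free_count;

    if (readdir_fn(fail, &cookies) != 0) {
        if (cookies)
            t_free(cookies);
        return dup_free_count - before;
    }
    /* success path: the caller uses the buffer and releases it once */
    t_free(cookies);
    return dup_free_count - before;
}

int main(void)
{
    printf("buggy callee, error path: %d duplicate free(s)\n", run_caller(readdir_buggy, 1));
    printf("fixed callee, error path: %d duplicate free(s)\n", run_caller(readdir_fixed, 1));
    printf("buggy callee, success:    %d duplicate free(s)\n", run_caller(readdir_buggy, 0));
    return 0;
}
```

The point for whoever owns the interface: either side can fix this, but the rule must be stated once and followed by both. Here the callee clears the pointer it frees; the alternative is a documented rule that on error the callee frees nothing and the caller cleans up everything it was handed. What cannot work is the middle ground the quoted guess describes, where an error return comes back with a pointer to already-freed memory.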