Date:      Mon, 09 Apr 2018 13:25:33 -0700
From:      John Baldwin <jhb@freebsd.org>
To:        current@freebsd.org, mjg@freebsd.org, oshogbo@freebsd.org
Subject:   Duplicate free of file caps data
Message-ID:  <4163881.eBQ6x7P6Ym@ralph.baldwin.cx>

I updated my laptop to HEAD as of Friday and got the following panic
after a bhyve process using capabilities exited:

panic: Duplicate free of 0xfffff8039515eba0 from zone 0xfffff8000200e540(16) slab 0xfffff8039515ef90(186)
...
(kgdb) where
#0  __curthread () at ./machine/pcpu.h:230
#1  doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:361
#2  0xffffffff805e42e2 in kern_reboot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:441
#3  0xffffffff805e484d in vpanic (fmt=<optimized out>, ap=0xfffffe008b2f4700)
    at /usr/src/sys/kern/kern_shutdown.c:837
#4  0xffffffff805e4893 in panic (fmt=<unavailable>)
    at /usr/src/sys/kern/kern_shutdown.c:764
#5  0xffffffff80862a37 in uma_dbg_free (zone=0xfffff8000200e540, 
    slab=0xfffff8039515ef90, item=0xfffff8039515eba0)
    at /usr/src/sys/vm/uma_core.c:3931
#6  0xffffffff80862247 in uma_zfree_arg (zone=0xfffff8000200e540, 
    item=<optimized out>, udata=0xfffff8039515ef90)
    at /usr/src/sys/vm/uma_core.c:2876
#7  0xffffffff805bf715 in free (addr=0xfffff8039515eba0, 
    mtp=0xffffffff80c95ec0 <M_FILECAPS>) at /usr/src/sys/kern/kern_malloc.c:711
#8  0xffffffff805923ba in filecaps_free (fcaps=<optimized out>)
    at /usr/src/sys/kern/kern_descrip.c:1580
#9  fdefree_last (fde=<optimized out>) at /usr/src/sys/kern/kern_descrip.c:297
#10 fdescfree_fds (td=0xfffff8039a484000, fdp=0xfffff8039acfe000, 
    needclose=true) at /usr/src/sys/kern/kern_descrip.c:2242
#11 0xffffffff80591f00 in fdescfree (td=0xfffff8039a484000)
    at /usr/src/sys/kern/kern_descrip.c:2307
#12 0xffffffff805a0940 in exit1 (td=0xfffff8039a484000, rval=<optimized out>, 
    signo=0) at /usr/src/sys/kern/kern_exit.c:378
#13 0xffffffff805a044d in sys_sys_exit (td=<unavailable>, uap=<optimized out>)
    at /usr/src/sys/kern/kern_exit.c:180
#14 0xffffffff808bd2e9 in syscallenter (td=0xfffff8039a484000)
    at /usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:134
#15 amd64_syscall (td=0xfffff8039a484000, traced=0)
    at /usr/src/sys/amd64/amd64/trap.c:936
#16 <signal handler called>
#17 0x0000000800ae3eda in ?? ()
(kgdb) frame 8
#8  0xffffffff805923ba in filecaps_free (fcaps=<optimized out>)
    at /usr/src/sys/kern/kern_descrip.c:1580
1580            free(fcaps->fc_ioctls, M_FILECAPS);

Note that I am using a patched bhyve that uses cap_ioctls_limit() on a listen
socket (so the caps will be copied to the new socket during accept()).

I'll see if I can't come up with a simpler program to reproduce this.

-- 
John Baldwin
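Added example, not code from this message or from the FreeBSD tree: a userland model of the failure class the panic above belongs to. A struct that owns a heap-allocated ioctl list (standing in for filecaps and fc_ioctls) is populated the way cap_ioctls_limit() would, propagated to a second descriptor the way accept() copies caps, and then released once per descriptor the way fdescfree() releases them at exit. A small tracking allocator takes the role of uma_dbg_free(): it counts a duplicate free instead of panicking, so both the shallow-copy path and the deep-copy path run to completion and can be compared. The struct and function names, the allowed ioctl commands, and the debug allocator are all constructed for this illustration; the message does not say what the actual root cause in HEAD was, and this example does not claim to.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed debug allocator: like uma_dbg_free(), it notices a free of
 * an item that is not currently live, but it counts instead of panicking. */
#define MAX_LIVE 64
static void *live[MAX_LIVE];  /* pointers currently handed out */
static int dup_frees;         /* frees of a pointer that was not live */

static void *dbg_malloc(size_t n)
{
    void *p = malloc(n);
    if (p == NULL)
        return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == NULL) {
            live[i] = p;
            return p;
        }
    }
    free(p);
    return NULL;  /* table full: report as allocation failure */
}

static void dbg_free(void *p)
{
    if (p == NULL)
        return;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) {
            live[i] = NULL;
            free(p);
            return;
        }
    }
    dup_frees++;  /* pointer not live: a duplicate (or foreign) free */
}

/* Hypothetical stand-in for struct filecaps; only the owned list matters. */
struct caps {
    unsigned long *ioctls;  /* heap-owned array, NULL when no ioctl limit */
    size_t nioctls;
};

/* Like cap_ioctls_limit(): install an owned copy of the allowed commands. */
static bool caps_limit(struct caps *c, const unsigned long *cmds, size_t n)
{
    unsigned long *p = dbg_malloc(n * sizeof(*p));
    if (p == NULL)
        return false;
    memcpy(p, cmds, n * sizeof(*p));
    dbg_free(c->ioctls);
    c->ioctls = p;
    c->nioctls = n;
    return true;
}

/* Buggy propagation: struct assignment leaves both owners with one array. */
static void caps_copy_shallow(const struct caps *src, struct caps *dst)
{
    *dst = *src;
}

/* Correct propagation: the new descriptor gets its own array. */
static bool caps_copy_deep(const struct caps *src, struct caps *dst)
{
    dst->ioctls = NULL;
    dst->nioctls = 0;
    if (src->ioctls == NULL)
        return true;
    return caps_limit(dst, src->ioctls, src->nioctls);
}

/* Like filecaps_free(): runs once per descriptor when the table is torn down. */
static void caps_free(struct caps *c)
{
    dbg_free(c->ioctls);
    c->ioctls = NULL;
    c->nioctls = 0;
}

/* Model listen -> accept -> exit with one copy strategy; return the number
 * of duplicate frees the debug allocator observed, or -1 on alloc failure. */
static int run_accept_scenario(bool deep)
{
    const unsigned long allowed[] = { 0x1234UL, 0x5678UL };  /* constructed */
    struct caps listen_fd = { NULL, 0 }, accepted_fd = { NULL, 0 };

    dup_frees = 0;
    if (!caps_limit(&listen_fd, allowed, 2))
        return -1;
    if (deep) {
        if (!caps_copy_deep(&listen_fd, &accepted_fd))
            return -1;
    } else {
        caps_copy_shallow(&listen_fd, &accepted_fd);
    }
    caps_free(&accepted_fd);  /* each descriptor is freed exactly once... */
    caps_free(&listen_fd);    /* ...but a shared array is freed twice */
    return dup_frees;
}

int main(void)
{
    printf("shallow copy: %d duplicate free(s)\n", run_accept_scenario(false));
    printf("deep copy:    %d duplicate free(s)\n", run_accept_scenario(true));
    return 0;
}
```

The shallow path reports one duplicate free, which is the userland analogue of the uma_dbg_free() panic in frame 5; the deep path reports none. The point for a real fix is ownership: whichever routine hands caps to the accepted descriptor must either allocate a fresh fc_ioctls array or clear the pointer in one of the two owners, so that the per-descriptor free in fdefree_last() never sees the same allocation twice.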



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4163881.eBQ6x7P6Ym>