Date: Mon, 09 Apr 2018 13:25:33 -0700
From: John Baldwin <jhb@freebsd.org>
To: current@freebsd.org, mjg@freebsd.org, oshogbo@freebsd.org
Subject: Duplicate free in of file caps data
Message-ID: <4163881.eBQ6x7P6Ym@ralph.baldwin.cx>
I updated my laptop to HEAD as of Friday and got the following panic after
a bhyve process using capabilities exited:

panic: Duplicate free of 0xfffff8039515eba0 from zone 0xfffff8000200e540(16) slab 0xfffff8039515ef90(186)
...
(kgdb) where
#0  __curthread () at ./machine/pcpu.h:230
#1  doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:361
#2  0xffffffff805e42e2 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:441
#3  0xffffffff805e484d in vpanic (fmt=<optimized out>, ap=0xfffffe008b2f4700) at /usr/src/sys/kern/kern_shutdown.c:837
#4  0xffffffff805e4893 in panic (fmt=<unavailable>) at /usr/src/sys/kern/kern_shutdown.c:764
#5  0xffffffff80862a37 in uma_dbg_free (zone=0xfffff8000200e540, slab=0xfffff8039515ef90, item=0xfffff8039515eba0) at /usr/src/sys/vm/uma_core.c:3931
#6  0xffffffff80862247 in uma_zfree_arg (zone=0xfffff8000200e540, item=<optimized out>, udata=0xfffff8039515ef90) at /usr/src/sys/vm/uma_core.c:2876
#7  0xffffffff805bf715 in free (addr=0xfffff8039515eba0, mtp=0xffffffff80c95ec0 <M_FILECAPS>) at /usr/src/sys/kern/kern_malloc.c:711
#8  0xffffffff805923ba in filecaps_free (fcaps=<optimized out>) at /usr/src/sys/kern/kern_descrip.c:1580
#9  fdefree_last (fde=<optimized out>) at /usr/src/sys/kern/kern_descrip.c:297
#10 fdescfree_fds (td=0xfffff8039a484000, fdp=0xfffff8039acfe000, needclose=true) at /usr/src/sys/kern/kern_descrip.c:2242
#11 0xffffffff80591f00 in fdescfree (td=0xfffff8039a484000) at /usr/src/sys/kern/kern_descrip.c:2307
#12 0xffffffff805a0940 in exit1 (td=0xfffff8039a484000, rval=<optimized out>, signo=0) at /usr/src/sys/kern/kern_exit.c:378
#13 0xffffffff805a044d in sys_sys_exit (td=<unavailable>, uap=<optimized out>) at /usr/src/sys/kern/kern_exit.c:180
#14 0xffffffff808bd2e9 in syscallenter (td=0xfffff8039a484000) at /usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:134
#15 amd64_syscall (td=0xfffff8039a484000, traced=0) at /usr/src/sys/amd64/amd64/trap.c:936
#16 <signal handler called>
#17 0x0000000800ae3eda in ?? ()
(kgdb) frame 8
#8  0xffffffff805923ba in filecaps_free (fcaps=<optimized out>) at /usr/src/sys/kern/kern_descrip.c:1580
1580            free(fcaps->fc_ioctls, M_FILECAPS);

Note that I am using a patched bhyve that uses cap_ioctls_limit() on a
listen socket (so the caps will be copied to the new socket during
accept()). I'll see if I can't come up with a simpler program to reproduce
this.

-- 
John Baldwin
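The ownership hazard behind a "Duplicate free" of copied capability data, as an added illustration in C. This is not FreeBSD kernel code and it does not claim to be the actual root cause of the panic above; the struct, the function names (toycaps_*, dbg_malloc, dbg_free, teardown_scenario) and the ioctl numbers are all constructed for the example. It models a listener with an ioctl whitelist whose caps are copied to an accepted socket, then both descriptors being torn down at exit: a shallow copy leaves one heap array owned by two descriptors, so the second free is a duplicate, while a deep copy gives each descriptor its own array. A small registry of live allocations plays the role of the UMA debug check, but reports the duplicate through a return value instead of panicking.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for a descriptor's file caps: a rights word plus an
 * optional heap-allocated ioctl whitelist. Constructed for this example. */
struct toycaps {
    unsigned long rights;
    unsigned long *ioctls;  /* NULL when no ioctl limit is set */
    size_t nioctls;
};

/* Registry of live allocations, standing in for the allocator's debug
 * check that raised the "Duplicate free" panic. Constructed for the example. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];

static void *dbg_malloc(size_t n)
{
    void *p = malloc(n);
    if (p == NULL)
        return NULL;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; return p; }
    free(p);            /* registry full: treat as allocation failure */
    return NULL;
}

/* Returns 0 for a valid free, -1 if the pointer is not currently live,
 * i.e. a duplicate free was attempted (the memory is not freed again). */
static int dbg_free(void *p)
{
    if (p == NULL)
        return 0;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return 0; }
    return -1;
}

/* Attach an ioctl whitelist to one descriptor, as cap_ioctls_limit() does. */
int toycaps_limit_ioctls(struct toycaps *c, const unsigned long *cmds, size_t n)
{
    unsigned long *copy = dbg_malloc(n * sizeof *copy);
    if (copy == NULL)
        return -1;
    memcpy(copy, cmds, n * sizeof *copy);
    dbg_free(c->ioctls);    /* replace any earlier whitelist */
    c->ioctls = copy;
    c->nioctls = n;
    return 0;
}

/* Hazard: struct assignment shares one ioctls array between two owners. */
void toycaps_copy_shallow(struct toycaps *dst, const struct toycaps *src)
{
    *dst = *src;
}

/* Safe: the copy gets its own array, so each owner frees its own memory. */
int toycaps_copy_deep(struct toycaps *dst, const struct toycaps *src)
{
    dst->rights = src->rights;
    dst->ioctls = NULL;
    dst->nioctls = 0;
    if (src->ioctls == NULL)
        return 0;
    return toycaps_limit_ioctls(dst, src->ioctls, src->nioctls);
}

/* Release one descriptor's caps; -1 means the array was already freed.
 * Nulling the pointer only protects this struct, not an aliasing copy. */
int toycaps_free(struct toycaps *c)
{
    int rc = dbg_free(c->ioctls);
    c->ioctls = NULL;
    c->nioctls = 0;
    return rc;
}

/* Listener with an ioctl limit, caps copied to the accepted socket, then
 * both descriptors torn down at exit. Returns the number of duplicate frees
 * the registry caught: 1 with the shallow copy, 0 with the deep copy. */
int teardown_scenario(int deep_copy)
{
    unsigned long cmds[] = { 0x1, 0x2 };   /* constructed ioctl numbers */
    struct toycaps listener = { 0 }, accepted = { 0 };
    int dups = 0;

    if (toycaps_limit_ioctls(&listener, cmds, 2) != 0)
        return -1;
    if (deep_copy) {
        if (toycaps_copy_deep(&accepted, &listener) != 0)
            return -1;
    } else {
        toycaps_copy_shallow(&accepted, &listener);
    }
    if (toycaps_free(&listener) != 0)
        dups++;
    if (toycaps_free(&accepted) != 0)
        dups++;
    return dups;
}
```

The point the registry makes is the one the backtrace makes: clearing the pointer in the struct you are freeing is not enough when another struct still holds the same pointer, so copy routines for structures with embedded heap allocations must either duplicate the allocation or transfer ownership explicitly.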