From: John Baldwin <jhb@freebsd.org>
To: current@freebsd.org, mjg@freebsd.org, oshogbo@freebsd.org
Subject: Duplicate free of file caps data
Date: Mon, 09 Apr 2018 13:25:33 -0700
Message-ID: <4163881.eBQ6x7P6Ym@ralph.baldwin.cx>

I updated my laptop to HEAD as of Friday and got the following panic after a
bhyve process using capabilities exited:

panic: Duplicate free of 0xfffff8039515eba0 from zone 0xfffff8000200e540(16) slab 0xfffff8039515ef90(186)
...
(kgdb) where
#0  __curthread () at ./machine/pcpu.h:230
#1  doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:361
#2  0xffffffff805e42e2 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:441
#3  0xffffffff805e484d in vpanic (fmt=, ap=0xfffffe008b2f4700) at /usr/src/sys/kern/kern_shutdown.c:837
#4  0xffffffff805e4893 in panic (fmt=) at /usr/src/sys/kern/kern_shutdown.c:764
#5  0xffffffff80862a37 in uma_dbg_free (zone=0xfffff8000200e540, slab=0xfffff8039515ef90, item=0xfffff8039515eba0) at /usr/src/sys/vm/uma_core.c:3931
#6  0xffffffff80862247 in uma_zfree_arg (zone=0xfffff8000200e540, item=, udata=0xfffff8039515ef90) at /usr/src/sys/vm/uma_core.c:2876
#7  0xffffffff805bf715 in free (addr=0xfffff8039515eba0, mtp=0xffffffff80c95ec0 ) at /usr/src/sys/kern/kern_malloc.c:711
#8  0xffffffff805923ba in filecaps_free (fcaps=) at /usr/src/sys/kern/kern_descrip.c:1580
#9  fdefree_last (fde=) at /usr/src/sys/kern/kern_descrip.c:297
#10 fdescfree_fds (td=0xfffff8039a484000, fdp=0xfffff8039acfe000, needclose=true) at /usr/src/sys/kern/kern_descrip.c:2242
#11 0xffffffff80591f00 in fdescfree (td=0xfffff8039a484000) at /usr/src/sys/kern/kern_descrip.c:2307
#12 0xffffffff805a0940 in exit1 (td=0xfffff8039a484000, rval=, signo=0) at /usr/src/sys/kern/kern_exit.c:378
#13 0xffffffff805a044d in sys_sys_exit (td=, uap=) at /usr/src/sys/kern/kern_exit.c:180
#14 0xffffffff808bd2e9 in syscallenter (td=0xfffff8039a484000) at /usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:134
#15 amd64_syscall (td=0xfffff8039a484000, traced=0) at /usr/src/sys/amd64/amd64/trap.c:936
#16
#17 0x0000000800ae3eda in ?? ()
(kgdb) frame 8
#8  0xffffffff805923ba in filecaps_free (fcaps=) at /usr/src/sys/kern/kern_descrip.c:1580
1580		free(fcaps->fc_ioctls, M_FILECAPS);

Note that I am using a patched bhyve that uses cap_ioctls_limit() on a listen
socket (so the caps will be copied to the new socket during accept()). I'll see
if I can't come up with a simpler program to reproduce this.

-- 
John Baldwin
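The report above shows the symptom (UMA's debug free check firing on fc_ioctls when the last descriptor entry is torn down at exit) and the suspected trigger (capability data copied from a listening socket to the accepted socket). The following is an added illustration written for this archive page, not FreeBSD kernel code and not a reproduction of the actual bug: a constructed toy_caps record borrows only the field name fc_ioctls, a small allocator shim plays the part of uma_dbg_free(), and run_scenario() walks the reported sequence (limit ioctls on a listener, copy on accept, free both at exit) once with a shallow copy that aliases one heap array in two records and once with a deep copy that gives each record its own array. The ioctl command numbers are placeholders. Only the shallow variant yields a duplicate free; the deep variant frees each array exactly once and leaves nothing outstanding.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy record, not FreeBSD's struct filecaps; only the field name
 * fc_ioctls is borrowed from the panic so the ownership problem reads the same. */
struct toy_caps {
	unsigned long *fc_ioctls;	/* heap array of permitted ioctl commands */
	size_t fc_nioctls;
};

/* Allocator shim that remembers live pointers, standing in for UMA's debug
 * check: freeing a pointer that is not live is counted and refused rather
 * than handed to free() a second time. */
#define MAX_LIVE 64
static void *live[MAX_LIVE];
static int live_count;
static int duplicate_frees;

static void *toy_malloc(size_t n)
{
	void *p = (live_count < MAX_LIVE) ? malloc(n) : NULL;
	if (p != NULL)
		live[live_count++] = p;
	return (p);
}

/* Returns 0 on a valid free, -1 when p is not a live allocation. */
static int toy_free(void *p)
{
	if (p == NULL)
		return (0);
	for (int i = 0; i < live_count; i++) {
		if (live[i] == p) {
			live[i] = live[--live_count];
			free(p);
			return (0);
		}
	}
	duplicate_frees++;	/* the kernel panics with "Duplicate free" here */
	return (-1);
}

static int caps_init(struct toy_caps *fc, const unsigned long *cmds, size_t n)
{
	fc->fc_ioctls = toy_malloc(n * sizeof(*cmds));
	if (fc->fc_ioctls == NULL)
		return (-1);
	memcpy(fc->fc_ioctls, cmds, n * sizeof(*cmds));
	fc->fc_nioctls = n;
	return (0);
}

/* Bug pattern: struct assignment leaves both records pointing at one array. */
static void caps_copy_shallow(struct toy_caps *dst, const struct toy_caps *src) { *dst = *src; }

/* Safe pattern: the copy owns its own array, so each record is freed once. */
static int caps_copy_deep(struct toy_caps *dst, const struct toy_caps *src)
{
	return (caps_init(dst, src->fc_ioctls, src->fc_nioctls));
}

/* Same shape as filecaps_free(): release the array and clear the record. */
static int caps_free(struct toy_caps *fc)
{
	int error = toy_free(fc->fc_ioctls);
	fc->fc_ioctls = NULL;
	fc->fc_nioctls = 0;
	return (error);
}

/* The report's sequence: a listening socket carries ioctl limits, accept()
 * copies them onto the new socket, and exit frees both descriptors.
 * Returns the number of duplicate frees detected, or -1 on allocation failure. */
static int run_scenario(bool deep_copy)
{
	const unsigned long cmds[] = { 0x1001, 0x1002, 0x1003 };	/* placeholders */
	struct toy_caps listen_fc, accepted_fc;

	live_count = 0;
	duplicate_frees = 0;
	if (caps_init(&listen_fc, cmds, 3) != 0)
		return (-1);
	if (deep_copy) {
		if (caps_copy_deep(&accepted_fc, &listen_fc) != 0)
			return (-1);
	} else
		caps_copy_shallow(&accepted_fc, &listen_fc);
	caps_free(&listen_fc);		/* listening socket closed */
	caps_free(&accepted_fc);	/* accepted socket closed */
	return (duplicate_frees);
}

/* Live allocations left after a scenario; nonzero would mean a leak. */
static int outstanding_allocs(void) { return (live_count); }
```

The point for a reviewer of the real code is the same as in the toy: whenever a capability record is copied between descriptors, either the copy must get its own fc_ioctls allocation or exactly one owner must be responsible for freeing it, and the freeing path should null the pointer so a second teardown is a no-op rather than a second free.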