Date: Sat, 21 May 2005 05:53:19 +0300
From: Giorgos Keramidas
To: Tilman Linneweh
cc: freebsd-bugs@freebsd.org
Subject: Re: kern/81324: panic: "Duplicate free of item %p from zone %p(%s)\n"
Message-ID: <20050521025318.GB1264@gothmog.gr>
References: <200505202026.j4KKQZgd002218@freefall.freebsd.org>
In-Reply-To: <200505202026.j4KKQZgd002218@freefall.freebsd.org>

On 2005-05-20 20:26, Tilman Linneweh wrote:
> This bug has been reproducible since 5.3. The Machine is an
> ipfilter/ipnat Firewall. The panic happens when another machine
> behind a different Firewall opens an SSH Session to a machine behind
> the ipnat-Gateway and does not terminate it correctly (because it
> crashed itself, or because a laptop is put into sleep mode)
>
> #22 0xc0532dbb in panic (
>     fmt=0xc06e28f8 "Duplicate free of item %p from zone %p(%s)\n")
>     at /usr/src/sys/kern/kern_shutdown.c:550
> #23 0xc0657260 in uma_dbg_free (zone=0xc0c6aae0, slab=0xc1355fa8,
>     item=0xc1355e00) at /usr/src/sys/vm/uma_dbg.c:301
> #24 0xc065602f in uma_zfree_arg (zone=0xc0c6aae0, item=0xc1355e00, udata=0x0)
>     at /usr/src/sys/vm/uma_core.c:2273
> #25 0xc0564b82 in m_freem (mb=0x0) at uma.h:304
> #26 0xc044f864 in fr_check (ip=0xc1355e50, hlen=25, ifp=0xc1120000, out=0,
>     mp=0xca869c88) at /usr/src/sys/contrib/ipfilter/netinet/fil.c:1387
> #27 0xc0451302 in fr_check_wrapper (arg=0x0, mp=0x0, ifp=0xc1120000, dir=1,
>     inp=0x0) at /usr/src/sys/contrib/ipfilter/netinet/ip_fil.c:345
> #28 0xc059cfad in pfil_run_hooks (ph=0xc0760c20, mp=0xca869cd4,
>     ifp=0xc1120000, dir=1, inp=0x0) at /usr/src/sys/net/pfil.c:137
> #29 0xc05b2dd5 in ip_input (m=0xc1355e00)
>     at /usr/src/sys/netinet/ip_input.c:457

That's odd... The pfil_run_hooks() function passes the address of a
local struct mbuf, which should be on the stack. How can this ever
appear as a null pointer (mp=0x0) in frame #27?!