Duplicate free in of file caps data

From: John Baldwin <jhb_at_freebsd.org>
Date: Mon, 09 Apr 2018 13:25:33 -0700
I updated my laptop to HEAD as of Friday and got the following panic
after a bhyve process using capabilities exited:

panic: Duplicate free of 0xfffff8039515eba0 from zone 0xfffff8000200e540(16) slab 0xfffff8039515ef90(186)
...
(kgdb) where
#0  __curthread () at ./machine/pcpu.h:230
#1  doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:361
#2  0xffffffff805e42e2 in kern_reboot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:441
#3  0xffffffff805e484d in vpanic (fmt=<optimized out>, ap=0xfffffe008b2f4700)
    at /usr/src/sys/kern/kern_shutdown.c:837
#4  0xffffffff805e4893 in panic (fmt=<unavailable>)
    at /usr/src/sys/kern/kern_shutdown.c:764
#5  0xffffffff80862a37 in uma_dbg_free (zone=0xfffff8000200e540, 
    slab=0xfffff8039515ef90, item=0xfffff8039515eba0)
    at /usr/src/sys/vm/uma_core.c:3931
#6  0xffffffff80862247 in uma_zfree_arg (zone=0xfffff8000200e540, 
    item=<optimized out>, udata=0xfffff8039515ef90)
    at /usr/src/sys/vm/uma_core.c:2876
#7  0xffffffff805bf715 in free (addr=0xfffff8039515eba0, 
    mtp=0xffffffff80c95ec0 <M_FILECAPS>) at /usr/src/sys/kern/kern_malloc.c:711
#8  0xffffffff805923ba in filecaps_free (fcaps=<optimized out>)
    at /usr/src/sys/kern/kern_descrip.c:1580
#9  fdefree_last (fde=<optimized out>) at /usr/src/sys/kern/kern_descrip.c:297
#10 fdescfree_fds (td=0xfffff8039a484000, fdp=0xfffff8039acfe000, 
    needclose=true) at /usr/src/sys/kern/kern_descrip.c:2242
#11 0xffffffff80591f00 in fdescfree (td=0xfffff8039a484000)
    at /usr/src/sys/kern/kern_descrip.c:2307
#12 0xffffffff805a0940 in exit1 (td=0xfffff8039a484000, rval=<optimized out>, 
    signo=0) at /usr/src/sys/kern/kern_exit.c:378
#13 0xffffffff805a044d in sys_sys_exit (td=<unavailable>, uap=<optimized out>)
    at /usr/src/sys/kern/kern_exit.c:180
#14 0xffffffff808bd2e9 in syscallenter (td=0xfffff8039a484000)
    at /usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:134
#15 amd64_syscall (td=0xfffff8039a484000, traced=0)
    at /usr/src/sys/amd64/amd64/trap.c:936
#16 <signal handler called>
#17 0x0000000800ae3eda in ?? ()
(kgdb) frame 8
#8  0xffffffff805923ba in filecaps_free (fcaps=<optimized out>)
    at /usr/src/sys/kern/kern_descrip.c:1580
1580            free(fcaps->fc_ioctls, M_FILECAPS);

Note that I am using a patched bhyve that uses cap_ioctls_limit() on a listen
socket (so the caps will be copied to the new socket during accept()).

I'll see if I can't come up with a simpler program to reproduce this.

-- 
John Baldwin
Received on Mon Apr 09 2018 - 18:29:52 UTC