i386/62374: kernel panic: free: multiple frees

Roberto Trovo' roberto at redix.it
Thu Feb 5 00:30:20 PST 2004 

>Number:         62374
>Category:       i386
>Synopsis:       kernel panic: free: multiple frees
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-i386
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 05 00:30:14 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Roberto Trovo'
>Release:        FreeBSD 4.9-RELEASE i386
>Organization:
>Environment:
System: FreeBSD microbsd 4.9-RELEASE FreeBSD 4.9-RELEASE #0: Mon Oct 27 17:51:09 GMT 2003 root at freebsd-stable.sentex.ca:/usr/obj/usr/src/sys/GENERIC i386
>Description:
      FreeBSD 4.9-RELEASE
CPU: VIA EDEN 500MHz (MB CV860A)
RAM: 256MB
DISK: 128MB Compact Flash
No swap 
3 10/100Mbit NIC, realteck on board

Bridge 020214 + ipf 3.4.31 enabled

Two NIC are configured in the bridge and ipf (transparent
filtering) filter the packets through the bridge.
sysctl -a:
net.link.ether.bridge_cfg: rl0:0,rl1:0
net.link.ether.bridge: 1
net.link.ether.bridge_ipfw: 0
net.link.ether.bridge_ipf: 1
net.link.ether.bridge_ipfw_drop: 0
net.link.ether.bridge_ipfw_collisions: 0
-----

The bridge connects two identical LAN with the same IPs but
filter some packet to protect the internal LAN.
Only the NIC on internal LAN is setup with a IP address.

A simple ipf rules are loaded:


block   in log          on rl1  all
block   in log          on rl0  all

pass    in quick        on rl1  proto udp       from 192.168.0.0/16 port = 67 to 255.255.255.255 port = 68
pass    in quick        on rl1  proto udp       from 192.168.0.0/16 port = 67 to 192.168.0.0/16 port = 68
pass    in quick on rl1 proto tcp from 192.168.0.0/16 to 192.168.0.20/32 port = 9100
block   in quick        on rl1  from 10.0.0.0/8         to any
block   in quick        on rl1  from 172.16.0.0/12      to any
block   in quick        on rl1  from 192.168.0.0/16     to any

pass    in quick        on rl0  proto tcp       from 192.168.0.0/16 to any keep state
pass    in quick        on rl0  proto udp       from 192.168.0.0/16 to any keep state
pass    in quick        on rl0  proto icmp      from 192.168.0.0/16 to any keep state
pass    in quick        on rl0  proto gre       from 192.168.0.0/16 to any keep state
pass    in quick        on rl0  proto ip        from 192.168.0.0/16 to any keep state
pass    in quick        on rl0  proto udp       from 0.0.0.0 port = 68   to 255.255.255.255 port = 67
pass    in quick        on rl1  proto udp       from 0.0.0.0 port = 67   to 255.255.255.255 port = 68
pass    in quick        on rl0  proto udp       from 0.0.0.0 port = 68   to 192.168.0.0/16 port = 67

======= end ipf ruleset

>From internal LAN I've started a ping flooding on a host on the external LAN
passing through the bridge.
(ex. ping -f 192.168.0.1 )
In about 5 min. the system crash with the messages:
panic: free: multiple frees
syncing disk...
done
uptime: 4m51s
..

>How-To-Repeat:
      I've repeated the same steps, and in all the test (3-4 times) the systems crash.
>Fix:
      
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-i386 mailing list