hostap / ath: duplicate free in mbuf_jumbo_page

From: Andriy Gapon <avg_at_FreeBSD.org>
Date: Wed, 05 Jan 2022 11:18:26 UTC
Unfortunately, I only have a text dump for this panic, so I do not have much hope
of root-causing it.  I am reporting it just in case.

This is on recent-ish stable/13 amd64:

panic: Duplicate free of 0xfffff80021593000 from zone 0xfffffe0003573000(mbuf_jumbo_page) slab 0xfffff800213ffb08(0)
cpuid = 3
time = 1641348396
KDB: stack backtrace:
db_trace_self_wrapper() at 0xffffffff805b632b = db_trace_self_wrapper+0x2b/frame 0xfffffe005115c7e0
kdb_backtrace() at 0xffffffff8088c7b7 = kdb_backtrace+0x37/frame 0xfffffe005115c890
vpanic() at 0xffffffff8084946c = vpanic+0x18c/frame 0xfffffe005115c8f0
panic() at 0xffffffff80849083 = panic+0x43/frame 0xfffffe005115c950
uma_dbg_free() at 0xffffffff80b48076 = uma_dbg_free+0xd6/frame 0xfffffe005115c990
item_dtor() at 0xffffffff80b41cc3 = item_dtor+0x43/frame 0xfffffe005115c9d0
uma_zfree_arg() at 0xffffffff80b416ee = uma_zfree_arg+0x9e/frame 0xfffffe005115ca10
uma_zfree() at 0xffffffff808296ab = uma_zfree+0xb/frame 0xfffffe005115ca20
mb_free_ext() at 0xffffffff808295eb = mb_free_ext+0xfb/frame 0xfffffe005115ca50
m_free() at 0xffffffff80828e4b = m_free+0x8b/frame 0xfffffe005115ca70
m_freem() at 0xffffffff808293b8 = m_freem+0x38/frame 0xfffffe005115ca90
ieee80211_defrag() at 0xffffffff809a6bc0 = ieee80211_defrag+0x170/frame 0xfffffe005115cae0
hostap_input() at 0xffffffff8099af0a = hostap_input+0x98a/frame 0xfffffe005115cb80
ampdu_dispatch() at 0xffffffff8099f648 = ampdu_dispatch+0x18/frame 0xfffffe005115cb90
ampdu_dispatch_slot() at 0xffffffff809a2bc6 = ampdu_dispatch_slot+0x56/frame 0xfffffe005115cbc0
ampdu_rx_flush() at 0xffffffff8099f772 = ampdu_rx_flush+0x52/frame 0xfffffe005115cc00
ieee80211_ht_node_age() at 0xffffffff809a009c = ieee80211_ht_node_age+0x6c/frame 0xfffffe005115cc30
node_age() at 0xffffffff809b41f7 = node_age+0x47/frame 0xfffffe005115cc50
timeout_stations() at 0xffffffff809b826e = timeout_stations+0xde/frame 0xfffffe005115cc80
ieee80211_iterate_nodes_vap() at 0xffffffff809b73e2 = ieee80211_iterate_nodes_vap+0xf2/frame 0xfffffe005115ccd0
ieee80211_iterate_nodes() at 0xffffffff809b7461 = ieee80211_iterate_nodes+0x11/frame 0xfffffe005115cce0
ieee80211_timeout_stations() at 0xffffffff809b7299 = ieee80211_timeout_stations+0x19/frame 0xfffffe005115ccf0
ieee80211_node_timeout() at 0xffffffff809b3f06 = ieee80211_node_timeout+0x26/frame 0xfffffe005115cd20
softclock_call_cc() at 0xffffffff8086453a = softclock_call_cc+0x23a/frame 0xfffffe005115cde0
softclock() at 0xffffffff808648ec = softclock+0x7c/frame 0xfffffe005115ce10
intr_event_execute_handlers() at 0xffffffff8081136f = intr_event_execute_handlers+0x18f/frame 0xfffffe005115ce60
ithread_execute_handlers() at 0xffffffff808110e2 = ithread_execute_handlers+0x32/frame 0xfffffe005115ce80
ithread_loop() at 0xffffffff80810eff = ithread_loop+0x9f/frame 0xfffffe005115cef0
fork_exit() at 0xffffffff8080d85c = fork_exit+0xcc/frame 0xfffffe005115cf30
fork_trampoline() at 0xffffffff80ba5c5e = fork_trampoline+0xe/frame 0xfffffe005115cf30

-- 
Andriy Gapon