kern/81324: panic: "Duplicate free of item %p from zone %p(%s)\n"

Giorgos Keramidas keramida at ceid.upatras.gr
Sat May 21 12:10:51 GMT 2005


On 2005-05-20 20:26, Tilman Linneweh <arved at arved.at> wrote:
> This bug has been reproducible since 5.3.  The machine is an
> ipfilter/ipnat firewall.  The panic happens when another machine
> behind a different firewall opens an SSH session to a machine behind
> the ipnat gateway and does not terminate it correctly (because it
> crashed itself, or because a laptop is put into sleep mode).
>
> #22 0xc0532dbb in panic (
>     fmt=0xc06e28f8 "Duplicate free of item %p from zone %p(%s)\n")
>     at /usr/src/sys/kern/kern_shutdown.c:550
> #23 0xc0657260 in uma_dbg_free (zone=0xc0c6aae0, slab=0xc1355fa8,
>     item=0xc1355e00) at /usr/src/sys/vm/uma_dbg.c:301
> #24 0xc065602f in uma_zfree_arg (zone=0xc0c6aae0, item=0xc1355e00, udata=0x0)
>     at /usr/src/sys/vm/uma_core.c:2273
> #25 0xc0564b82 in m_freem (mb=0x0) at uma.h:304
> #26 0xc044f864 in fr_check (ip=0xc1355e50, hlen=25, ifp=0xc1120000, out=0,
>     mp=0xca869c88) at /usr/src/sys/contrib/ipfilter/netinet/fil.c:1387
> #27 0xc0451302 in fr_check_wrapper (arg=0x0, mp=0x0, ifp=0xc1120000, dir=1,
>     inp=0x0) at /usr/src/sys/contrib/ipfilter/netinet/ip_fil.c:345
> #28 0xc059cfad in pfil_run_hooks (ph=0xc0760c20, mp=0xca869cd4,
>     ifp=0xc1120000, dir=1, inp=0x0) at /usr/src/sys/net/pfil.c:137
> #29 0xc05b2dd5 in ip_input (m=0xc1355e00)
>     at /usr/src/sys/netinet/ip_input.c:457

That's odd...

The pfil_run_hooks() function passes the address of a local struct mbuf,
which should be on the stack.  How can this ever appear as a null pointer
(mp=0x0) in frame #27 ?!


