From nobody@FreeBSD.org  Tue Sep 12 16:54:51 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id DD78716A417
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 12 Sep 2006 16:54:51 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A02BD43D6D
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 12 Sep 2006 16:54:49 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k8CGsnoE026513
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 12 Sep 2006 16:54:49 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k8CGsnne026512;
	Tue, 12 Sep 2006 16:54:49 GMT
	(envelope-from nobody)
Message-Id: <200609121654.k8CGsnne026512@www.freebsd.org>
Date: Tue, 12 Sep 2006 16:54:49 GMT
From: Jos Backus <jos@catnook.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: panic: Duplicate free of item 0xc4d1e800 from zone 0xc0c45080(mbuf_packet)
X-Send-Pr-Version: www-2.3

>Number:         103198
>Category:       kern
>Synopsis:       panic: Duplicate free of item 0xc4d1e800 from zone 0xc0c45080(mbuf_packet)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 12 17:00:33 GMT 2006
>Closed-Date:    Sun Mar 02 06:02:53 UTC 2008
>Last-Modified:  Sun Mar  2 22:10:01 UTC 2008
>Originator:     Jos Backus
>Release:        -current
>Organization:
>Environment:
FreeBSD lizzy.catnook.local 7.0-CURRENT FreeBSD 7.0-CURRENT #41: Sat Sep  9 15:57:17 PDT 2006     root@lizzy.catnook.local:/usr/obj/usr/src/sys/LIZZY  i386
>Description:
This happens while doing some downloads using Opera on an otherwise quiet
system running KDE. With a little effort it's very reproducible.

lizzy:~% sudo kgdb /usr/obj/usr/src/sys/LIZZY/kernel.debug crash/vmcore.0       
kgdb: kvm_nlist(_stopped_cpus):                                                 
kgdb: kvm_nlist(_stoppcbs):                                                     
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so:     
+Undefined symbol "ps_pglobal_lookup"]                                          
GNU gdb 6.1.1 [FreeBSD]                                                         
Copyright 2004 Free Software Foundation, Inc.                                   
GDB is free software, covered by the GNU General Public License, and you are    
welcome to change it and/or distribute copies of it under certain conditions.   
Type "show copying" to see the conditions.                                      
There is absolutely no warranty for GDB.  Type "show warranty" for details.     
This GDB was configured as "i386-marcel-freebsd".                               
                                                                                
Unread portion of the kernel message buffer:                                    
Slab at 0xc4d1efa8, freei 8 = 0.                                                
panic: Duplicate free of item 0xc4d1e800 from zone 0xc0c45080(mbuf_packet)      
                                                                                
Uptime: 8h43m17s                                                                
Physical memory: 1018 MB                                                        
Dumping 172 MB: 157 141 125 109 93 77 61 45 29 13                               
                                                                                
#0  doadump () at pcpu.h:166                                                    
166     pcpu.h: No such file or directory.                                      
        in pcpu.h                                                               
(kgdb) bt
#0  doadump () at pcpu.h:166                                                    
#1  0xc04c4250 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#2  0xc04c44fb in panic (                                                       
    fmt=0xc0610aa7 "Duplicate free of item %p from zone %p(%s)\n")              
    at /usr/src/sys/kern/kern_shutdown.c:565                                    
#3  0xc058cc0c in uma_dbg_free (zone=0xc0c45080, slab=0xc4d1efa8,               
    item=0xc4d1e800) at /usr/src/sys/vm/uma_dbg.c:302                           
#4  0xc058b43f in uma_zfree_arg (zone=0xc0c45080, item=0xc4d1e800, udata=0x0)   
    at /usr/src/sys/vm/uma_core.c:2269                                          
#5  0xc04ff1c1 in mb_free_ext (m=0xc4d1e800) at uma.h:303                       
#6  0xc04ff02e in m_freem (mb=0x0) at mbuf.h:446                                
#7  0xc0723b4c in ?? ()                                                         
#8  0xc4d1e800 in ?? ()                                                         
#9  0xc30ae800 in ?? ()                                                         
#10 0x00000100 in ?? ()                                                         
#11 0xc3080000 in ?? ()                                                         
#12 0xc3080000 in ?? ()                                                         
#13 0xc30801cc in ?? ()                                                         
#14 0x00000018 in ?? ()                                                         
#15 0xe35bdcc8 in ?? ()                                                         
#16 0xc072852b in ?? ()                                                         
#17 0xc30801cc in ?? ()                                                         
#18 0x00000000 in ?? ()                                                         
#19 0xc0733ae5 in ?? ()                                                         
#20 0x000004e9 in ?? ()                                                         
#21 0xc3032780 in ?? ()                                                         
#22 0x00000001 in ?? ()                                                         
#23 0xe35bdca8 in ?? ()                                                         
#24 0xc04d9bcf in critical_exit () at kern_switch.c:625                         
Previous frame inner to this frame (corrupt stack?)                             
(kgdb) 

I'll keep the vmcore.0 and kernel.debug files around in case more information
can be extracted from them.

>How-To-Repeat:
Use Opera under KDE to download several files at once.
>Fix:

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: kmacy 
State-Changed-When: Fri Nov 16 02:13:56 UTC 2007 
State-Changed-Why:  

Need to confirm that this still occurs. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=103198 
State-Changed-From-To: feedback->closed 
State-Changed-By: linimon 
State-Changed-When: Sun Mar 2 06:02:34 UTC 2008 
State-Changed-Why:  
Feedback timeout (> 3 months). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=103198 

From: linimon@lonesome.com (Mark Linimon)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/103198: panic: Duplicate free of item 0xc4d1e800 from zone 0xc0c45080(mbuf_packet)
Date: Sun, 2 Mar 2008 16:00:54 -0600

 ----- Forwarded message from Jos Backus <jos@catnook.com> -----
 
 From: Jos Backus <jos@catnook.com>
 
 Sorry, I had totally forgotten about this PR. I haven't used Opera in quite
 some time so I can't tell whether the bug still exists. If the same problem
 reappears down the road (in -current) I'll report back.
 
 Thanks!
 
 -- 
 Jos Backus
 jos at catnook.com
 
 ----- End forwarded message -----
>Unformatted:
Does this still occur with RELENG_7?
