panic: Duplicate free of ADDR from zone ADDR(mbuf) slab ADDR(8)

panic: Duplicate free of ADDR from zone ADDR(mbuf) slab ADDR(8)
Status: fixed on 2020/04/11 06:25
Reported-by: syzbot+3b44abc8ab5f48beb411@syzkaller.appspotmail.com
Fix commit: 3d36b367cfb6 sbappendcontrol() needs to avoid clearing M_NOTREADY on data mbufs.
First crash: 1155d, last: 1155d

Sample crash report:

panic: Duplicate free of 0xfffff800049ad800 from zone 0xfffff800041e82c0(mbuf) slab 0xfffff800049adf90(8)

cpuid = 0
time = 1552920091
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe0016b2c4a0
vpanic() at vpanic+0x1e0/frame 0xfffffe0016b2c500
panic() at panic+0x43/frame 0xfffffe0016b2c560
uma_dbg_free() at uma_dbg_free+0x246/frame 0xfffffe0016b2c5b0
uma_zfree_arg() at uma_zfree_arg+0x1aa/frame 0xfffffe0016b2c640
uipc_ready() at uipc_ready+0x19f/frame 0xfffffe0016b2c690
sendfile_iodone() at sendfile_iodone+0x342/frame 0xfffffe0016b2c6f0
vnode_pager_generic_getpages_done_async() at vnode_pager_generic_getpages_done_async+0x4a/frame 0xfffffe0016b2c720
bufdone() at bufdone+0xa1/frame 0xfffffe0016b2c7a0
g_io_deliver() at g_io_deliver+0x35b/frame 0xfffffe0016b2c800
g_io_deliver() at g_io_deliver+0x35b/frame 0xfffffe0016b2c860
g_io_deliver() at g_io_deliver+0x35b/frame 0xfffffe0016b2c8c0
g_disk_done() at g_disk_done+0x179/frame 0xfffffe0016b2c910
dadone() at dadone+0x655/frame 0xfffffe0016b2c9a0
xpt_done_process() at xpt_done_process+0x5b2/frame 0xfffffe0016b2ca00
xpt_done_td() at xpt_done_td+0x175/frame 0xfffffe0016b2ca60
fork_exit() at fork_exit+0xb0/frame 0xfffffe0016b2cab0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0016b2cab0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic
[ thread pid 5 tid 100031 ]
Stopped at      kdb_enter+0x6a: movq    $0,kdb_why

Crashes (1):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-freebsd-main	2019/03/18 14:44	freebsd	b24a98cb7ea8	4656beca		log	report	syz	C