Date:      Thu, 10 Jan 2019 19:22:21 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 234296] FreeBSD 12.0-STABLE r342216 Fatal trap 12
Message-ID:  <bug-234296-227-nWc70IVXaR@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-234296-227@https.bugs.freebsd.org/bugzilla/>
References:  <bug-234296-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234296

--- Comment #7 from Mark Johnston <markj@FreeBSD.org> ---
I looked at the kernel dumps.  In all three cases, we crashed while processing
a callout that had been mostly zeroed out.  However, in all cases, at offset
0x10 into the callout there is a pointer in the direct map.  Following that
pointer leads me to the middle of a ZFS vnode:

(kgdb) frame 9
#9  0xffffffff805dd328 in callout_process (now=91167878320709) at
/usr/src/sys/kern/kern_timeout.c:510
510                                             LIST_REMOVE(tmp, c_links.le);
(kgdb) p/x *cc->cc_callwheel[firstb & callwheelmask].lh_first
$21 = {
  c_links = {
    le = {
      le_next = 0x0,
      le_prev = 0x0
    },
    sle = {
      sle_next = 0x0
    },
    tqe = {
      tqe_next = 0x0,
      tqe_prev = 0x0
    }
  },
  c_time = 0xfffff803773850c0,
  c_precision = 0x0,
  c_arg = 0x0,
  c_func = 0x0,
  c_lock = 0x0,
  c_flags = 0x0,
  c_iflags = 0x0,
  c_cpu = 0x0
}
(kgdb) x/32g 0xfffff803773850c0
0xfffff803773850c0:     0x0000000000000000      0xfffff8000a161de0
0xfffff803773850d0:     0xffffffff809bf965      0x0000000005230000
0xfffff803773850e0:     0x0000000000000000      0x0000000000000001
0xfffff803773850f0:     0xffffffff80c96170      0xfffff80463b90100
0xfffff80377385100:     0x0000000000000000      0x0000000000000000
0xfffff80377385110:     0xfffff80377385000      0x0000000000000000
0xfffff80377385120:     0xfffff80377385118      0x0000000000000000
0xfffff80377385130:     0x0000000000000000      0x0000000000000000
0xfffff80377385140:     0xfffff80377385138      0x0000000000000000
0xfffff80377385150:     0x0000000000000000      0x0000000000000000
0xfffff80377385160:     0x0000000300000000      0x0000000000020000
0xfffff80377385170:     0x0000000000000000      0x0000000000000000
0xfffff80377385180:     0x0000000000000000      0x0000000000000000
0xfffff80377385190:     0xfffff80377385188      0x0000000000000000
0xfffff803773851a0:     0x0000000000000000      0x0000000000000000
0xfffff803773851b0:     0x0000000000000000      0x0000000200000000

0xffffffff809bf965 is a pointer to the string "bufobj interlock".
So the pointer in this callout is to the v_actfreelist member
of a vnode.  Indeed, 0xfffff803773850c0 & ~0xff is a pointer to
a ZFS vnode.  So, the pointer in the callout structure is probably
the prev pointer, which means the callout structure is actually
embedded in a vnode.

(kgdb) p *(struct vnode * )((uintptr_t)$23 & ~0xff)
$24 = {
  v_tag = 0x0,
  v_op = 0x0,
  v_data = 0x0,
  v_mount = 0xfffff8000a3fb000,
  v_nmntvnodes = {
    tqe_next = 0x0,
    tqe_prev = 0x0
  },
...
  v_vnlock = 0x0,
  v_actfreelist = {
    tqe_next = 0x0,
    tqe_prev = 0xfffff803773850c0
  },
...
  v_iflag = 0,
  v_vflag = 0,
  v_mflag = 0,
  v_writecount = 0,
  v_hash = 0,
  v_type = VMARKER
}

So the only non-zero fields are those of a marker
vnode initialized in __mnt_vnode_first_active().  Those
vnodes are allocated using malloc(), not the vnode zone.

-- 
You are receiving this mail because:
You are the assignee for the bug.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-234296-227-nWc70IVXaR>
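As an added illustration (not part of the bug report or of FreeBSD's own code), the C program below rebuilds the pointer reasoning from the comment on constructed structures: the `& ~0xff` step that recovers the containing object from an interior pointer, and the tail-queue invariant `*tqe_prev == elm` that every linked `v_actfreelist` entry must satisfy and that an element zeroed the way the dump shows fails. The struct names, the 0xc0 field offset and the 256-byte alignment are assumptions chosen to match the dump, not FreeBSD's real layouts.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for TAILQ_ENTRY: next element, plus the address of the
 * previous element's tqe_next field (or of the head's first pointer). */
struct fake_vnode;
struct tqe { struct fake_vnode *tqe_next; struct fake_vnode **tqe_prev; };

/* Constructed stand-in for a vnode; v_actfreelist is forced to offset 0xc0 so
 * the arithmetic matches the dump. The real struct vnode differs. */
struct fake_vnode {
    char pad[0xc0];
    struct tqe v_actfreelist;
    int v_type;
};

/* List head with the same two-pointer layout TAILQ_HEAD uses. */
struct tqh { struct fake_vnode *tqh_first; struct fake_vnode **tqh_last; };

/* Mirror of the report's "& ~0xff": assume the containing object is 256-byte
 * aligned (an assumption) and recover its base from an interior pointer. */
uintptr_t containing_base(uintptr_t interior) { return interior & ~(uintptr_t)0xff; }
size_t interior_offset(uintptr_t interior) { return (size_t)(interior & 0xff); }

/* Invariant of a linked TAILQ element: dereferencing tqe_prev yields the
 * element itself. A zeroed entry, or one whose tqe_prev points at its own
 * v_actfreelist as in the dump, does not satisfy it. */
int tailq_prev_consistent(const struct fake_vnode *vp) {
    return vp->v_actfreelist.tqe_prev != NULL && *vp->v_actfreelist.tqe_prev == vp;
}

/* Same pointer updates TAILQ_INSERT_TAIL performs. */
void insert_tail(struct tqh *h, struct fake_vnode *vp) {
    vp->v_actfreelist.tqe_next = NULL;
    vp->v_actfreelist.tqe_prev = h->tqh_last;
    *h->tqh_last = vp;
    h->tqh_last = &vp->v_actfreelist.tqe_next;
}

/* Build a two-element queue, verify it, then corrupt the second element the
 * way the dump shows (all zero except a self-referencing tqe_prev).
 * Returns 0 when the healthy queue passes and the corrupted element is caught. */
int demo(void) {
    static _Alignas(256) struct fake_vnode a, b;
    struct tqh head = { NULL, &head.tqh_first };
    insert_tail(&head, &a);
    insert_tail(&head, &b);
    if (!tailq_prev_consistent(&a) || !tailq_prev_consistent(&b)) return -1;
    uintptr_t p = (uintptr_t)&b.v_actfreelist;   /* interior pointer, as in the dump */
    if (containing_base(p) != (uintptr_t)&b || interior_offset(p) != 0xc0) return -2;
    memset(&b, 0, sizeof b);
    b.v_actfreelist.tqe_prev = (struct fake_vnode **)&b.v_actfreelist;
    return tailq_prev_consistent(&b) ? -3 : 0;
}
```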