Date: Wed, 08 Apr 2026 14:59:32 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 293382] Dead lock and kernel crash around closefp_impl Message-ID: <bug-293382-227-drfetny0vl@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-293382-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293382 --- Comment #43 from Paul <devgs@ukr.net> --- Hi! We have another panic. Fatal trap 12: page fault while in kernel mode cpuid = 7; apic id = 13 fault virtual address = 0x0 fault code = supervisor read data, page not present instruction pointer = 0x20:0xffffffff80b72503 stack pointer = 0x28:0xfffffe069ae28d40 frame pointer = 0x28:0xfffffe069ae28d70 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 29500 (asy:http:s) rdi: ff01000107b11500 rsi: 0000000000000008 rdx: 0000000000000001 rcx: 0000000000000000 r8: 0000000000000002 r9: ffffffff82252ef0 rax: 0000000000000000 rbx: ff0100772fd78668 rbp: fffffe069ae28d70 r10: 0000000000000000 r11: 0000000000000004 r12: ff01000107b11500 r13: ff0100772fd78668 r14: ff01007278e4e780 r15: ff01000107b11518 trap number = 12 panic: page fault cpuid = 7 time = 1775658023 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe069ae28a70 vpanic() at vpanic+0x136/frame 0xfffffe069ae28ba0 panic() at panic+0x43/frame 0xfffffe069ae28c00 trap_pfault() at trap_pfault+0x422/frame 0xfffffe069ae28c70 calltrap() at calltrap+0x8/frame 0xfffffe069ae28c70 --- trap 0xc, rip = 0xffffffff80b72503, rsp = 0xfffffe069ae28d40, rbp = 0xfffffe069ae28d70 --- knote_drop_detached() at knote_drop_detached+0x113/frame 0xfffffe069ae28d70 knote_fdclose() at knote_fdclose+0x17f/frame 0xfffffe069ae28dc0 closefp_impl() at closefp_impl+0xa8/frame 0xfffffe069ae28e00 amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe069ae28f30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe069ae28f30 --- syscall (6, FreeBSD ELF64, close), rip = 0x82d1d232a, rsp = 0x858670b98, rbp = 0x858670bb0 --- KDB: enter: panic (kgdb) bt #0 __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:57 #1 doadump (textdump=0) at /usr/src/sys/kern/kern_shutdown.c:399 #2 
0xffffffff804b60a8 in db_fncall_generic (nargs=0, args=0xfffffe069ae28490, addr=<optimized out>, rv=<optimized out>) at /usr/src/sys/ddb/db_command.c:631 #3 db_fncall (dummy1=<optimized out>, dummy2=<optimized out>, dummy3=<optimized out>, dummy4=<optimized out>) at /usr/src/sys/ddb/db_command.c:679 #4 0xffffffff804b5b2d in db_command (last_cmdp=<optimized out>, cmd_table=<optimized out>, dopager=false) at /usr/src/sys/ddb/db_command.c:508 #5 0xffffffff804b5c76 in db_command_script (command=command@entry=0xffffffff81bd7722 <db_recursion_data+18> "call doadump") at /usr/src/sys/ddb/db_command.c:573 #6 0xffffffff804bba58 in db_script_exec (scriptname=scriptname@entry=0xfffffe069ae28660 "kdb.enter.panic", warnifnotfound=warnifnotfound@entry=0) at /usr/src/sys/ddb/db_script.c:301 #7 0xffffffff804bb952 in db_script_kdbenter (eventname=<optimized out>) at /usr/src/sys/ddb/db_script.c:323 #8 0xffffffff804b91e1 in db_trap (type=<optimized out>, code=<optimized out>) at /usr/src/sys/ddb/db_main.c:266 #9 0xffffffff80c23c0f in kdb_trap (type=type@entry=3, code=code@entry=0, tf=tf@entry=0xfffffe069ae289b0) at /usr/src/sys/kern/subr_kdb.c:790 #10 0xffffffff811318fd in trap (frame=<optimized out>) at /usr/src/sys/amd64/amd64/trap.c:697 #11 <signal handler called> #12 kdb_enter (why=<optimized out>, msg=<optimized out>) at /usr/src/sys/kern/subr_kdb.c:556 #13 0xffffffff80bd0b8b in vpanic (fmt=0xffffffff812bd9d3 "%s", ap=ap@entry=0xfffffe069ae28be0) at /usr/src/sys/kern/kern_shutdown.c:962 #14 0xffffffff80bd09f3 in panic (fmt=0xffffffff81da22a0 <cnputs_mtx> "\325\376!\201\377\377\377\377") at /usr/src/sys/kern/kern_shutdown.c:887 #15 0xffffffff81132082 in trap_fatal (frame=<optimized out>, eva=<optimized out>) at /usr/src/sys/amd64/amd64/trap.c:1028 #16 0xffffffff81132082 in trap_pfault (frame=0xfffffe069ae28c80, usermode=false, signo=<optimized out>, ucode=<optimized out>) #17 <signal handler called> #18 0xffffffff80b72503 in knote_drop_detached (kn=kn@entry=0xff0100772fd78668, 
td=td@entry=0xff01007278e4e780) at /usr/src/sys/kern/kern_event.c:2950 #19 0xffffffff80b7284f in knote_drop (td=0xff01007278e4e780, kn=<optimized out>) at /usr/src/sys/kern/kern_event.c:2915 #20 knote_fdclose (td=td@entry=0xff01007278e4e780, fd=fd@entry=211098) at /usr/src/sys/kern/kern_event.c:2875 #21 0xffffffff80b69fd8 in closefp_impl (fdp=0xfffffe0694c620c0, fd=211098, fp=0xff010004c3517c80, td=0xff01007278e4e780, audit=true) at /usr/src/sys/kern/kern_descrip.c:1413 #22 0xffffffff81132739 in syscallenter (td=0xff01007278e4e780) at /usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:193 #23 amd64_syscall (td=0xff01007278e4e780, traced=0) at /usr/src/sys/amd64/amd64/trap.c:1267 #24 <signal handler called> #25 0x000000082d1d232a in ?? () Backtrace stopped: Cannot access memory at address 0x858670b98 (kgdb) fr 18 #18 0xffffffff80b72503 in knote_drop_detached (kn=kn@entry=0xff0100772fd78668, td=td@entry=0xff01007278e4e780) at /usr/src/sys/kern/kern_event.c:2950 2950 SLIST_REMOVE(list, kn, knote, kn_link); (kgdb) p *((struct eknote*)kn) $1 = { k = { kn_link = { sle_next = 0x0 }, kn_selnext = { sle_next = 0xffffffffffffffff }, kn_knlist = 0x0, kn_tqe = { tqe_next = 0xffffffffffffffff, tqe_prev = 0xffffffffffffffff }, kn_kq = 0xff01000107b11500, kn_kevent = { ident = 76954, filter = -1, flags = 32, fflags = 0, data = 0, udata = 0x1b2102fcfc40, ext = {0, 0, 0, 0} }, kn_hook = 0x0, kn_hookid = 0, kn_status = 8, kn_influx = 1, kn_sfflags = 0, kn_sdata = 0, kn_ptr = { p_fp = 0xff010062f4444af0, p_proc = 0xff010062f4444af0, p_aio = 0xff010062f4444af0, p_lio = 0xff010062f4444af0, p_prison = 0xff010062f4444af0, p_v = 0xff010062f4444af0 }, kn_fop = 0xffffffff814dd960 <soread_filtops> }, c = { kn_link = { sle_next = 0x0 }, kn_selnext = { sle_next = 0x0 }, kn_knlist = 0x0, kn_tqe = { tqe_next = 0x0, tqe_prev = 0x0 }, kn_kq = 0x0, kn_kevent = { ident = 0, filter = 0, flags = 0, fflags = 0, data = 0, udata = 0x0, ext = {0, 0, 0, 0} }, kn_hook = 0x0, kn_hookid = 0, kn_status = 0, 
kn_influx = 0, kn_sfflags = 0, kn_sdata = 0, kn_ptr = { p_fp = 0x0, p_proc = 0x0, p_aio = 0x0, p_lio = 0x0, p_prison = 0x0, p_v = 0x0 }, kn_fop = 0x0 }, on_kn_link = 0 } (kgdb) p kq $2 = (struct kqueue *) 0xff01000107b11500 (kgdb) p *kq $3 = { kq_lock = { lock_object = { lo_name = 0xffffffff813464c6 "kqueue", lo_flags = 21168128, lo_data = 0, lo_witness = 0xff0100804bd8db80 }, mtx_lock = 18374968446302873472 }, kq_refcnt = 0, kq_list = { tqe_next = 0xff010001dd4fac00, tqe_prev = 0xff010077e823d828 }, kq_head = { tqh_first = 0x0, tqh_last = 0xff01000107b11538 }, kq_count = 0, kq_sel = { si_tdlist = { tqh_first = 0x0, tqh_last = 0x0 }, si_note = { kl_list = { slh_first = 0x0 }, kl_lock = 0xffffffff80b71fc0 <knlist_mtx_lock>, kl_unlock = 0xffffffff80b71fe0 <knlist_mtx_unlock>, kl_assert_lock = 0xffffffff80b72000 <knlist_mtx_assert_lock>, kl_lockarg = 0xff01000107b11500, kl_autodestroy = 0 }, si_mtx = 0x0 }, kq_sigio = 0x0, kq_fdp = 0xfffffe0694c620c0, kq_state = 0, kq_knlistsize = 288512, kq_knlist = 0xfffffe09ce3fe000, kq_knhashmask = 0, kq_knhash = 0x0, kq_task = { ta_link = { stqe_next = 0x0 }, ta_pending = 0, ta_priority = 0 '\000', ta_flags = 0 '\000', ta_func = 0xffffffff80b748a0 <kqueue_task>, ta_context = 0xff01000107b11500 }, kq_cred = 0xff010001dd445900, kq_forksrc = 0x0 } (kgdb) p list $4 = <optimized out> p kq->kq_knlist[kn->kn_kevent.ident] $6 = { slh_first = 0x0 } (kgdb) p &kq->kq_knlist[kn->kn_kevent.ident] $7 = (struct klist *) 0xfffffe09ce4944d0 For what it is worth, the list head for this knote's ident is already empty (slh_first = 0x0) and kn_link.sle_next is 0x0 as well, which matches the NULL read at fault virtual address 0x0 inside SLIST_REMOVE at kern_event.c:2950; note also that knote_fdclose was called with fd=211098 while the knote being dropped carries ident = 76954. Please tell us if you need anything else. -- You are receiving this mail because: You are the assignee for the bug.
