From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 293382] Dead lock and kernel crash around closefp_impl
Date: Wed, 08 Apr 2026 14:59:32 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 14.3-STABLE
X-Bugzilla-Keywords: crash
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: devgs@ukr.net
X-Bugzilla-Status: Open

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293382

--- Comment #43 from Paul ---
Hi!

We have another panic.

Fatal trap 12: page fault while in kernel mode
cpuid = 7; apic id = 13
fault virtual address = 0x0
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80b72503
stack pointer = 0x28:0xfffffe069ae28d40
frame pointer = 0x28:0xfffffe069ae28d70
code segment = base 0x0, limit 0xfffff, type 0x1b
 = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 29500 (asy:http:s)
rdi: ff01000107b11500 rsi: 0000000000000008 rdx: 0000000000000001
rcx: 0000000000000000 r8: 0000000000000002 r9: ffffffff82252ef0
rax: 0000000000000000 rbx: ff0100772fd78668 rbp: fffffe069ae28d70
r10: 0000000000000000 r11: 0000000000000004 r12: ff01000107b11500
r13: ff0100772fd78668 r14: ff01007278e4e780 r15: ff01000107b11518
trap number = 12
panic: page fault
cpuid = 7
time = 1775658023
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe069ae28a70
vpanic() at vpanic+0x136/frame 0xfffffe069ae28ba0
panic() at panic+0x43/frame 0xfffffe069ae28c00
trap_pfault() at trap_pfault+0x422/frame 0xfffffe069ae28c70
calltrap() at calltrap+0x8/frame 0xfffffe069ae28c70
--- trap 0xc, rip = 0xffffffff80b72503, rsp = 0xfffffe069ae28d40, rbp = 0xfffffe069ae28d70 ---
knote_drop_detached() at knote_drop_detached+0x113/frame 0xfffffe069ae28d70
knote_fdclose() at knote_fdclose+0x17f/frame 0xfffffe069ae28dc0
closefp_impl() at closefp_impl+0xa8/frame 0xfffffe069ae28e00
amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe069ae28f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe069ae28f30
--- syscall (6, FreeBSD ELF64, close), rip = 0x82d1d232a, rsp = 0x858670b98, rbp = 0x858670bb0 ---
KDB: enter: panic

(kgdb) bt
#0 __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:57
#1 doadump (textdump=0) at /usr/src/sys/kern/kern_shutdown.c:399
#2 0xffffffff804b60a8 in db_fncall_generic (nargs=0, args=0xfffffe069ae28490, addr=, rv=) at /usr/src/sys/ddb/db_command.c:631
#3 db_fncall (dummy1=, dummy2=, dummy3=, dummy4=) at /usr/src/sys/ddb/db_command.c:679
#4 0xffffffff804b5b2d in db_command (last_cmdp=, cmd_table=, dopager=false) at /usr/src/sys/ddb/db_command.c:508
#5 0xffffffff804b5c76 in db_command_script (command=command@entry=0xffffffff81bd7722 "call doadump") at /usr/src/sys/ddb/db_command.c:573
#6 0xffffffff804bba58 in db_script_exec (scriptname=scriptname@entry=0xfffffe069ae28660 "kdb.enter.panic", warnifnotfound=warnifnotfound@entry=0) at /usr/src/sys/ddb/db_script.c:301
#7 0xffffffff804bb952 in db_script_kdbenter (eventname=) at /usr/src/sys/ddb/db_script.c:323
#8 0xffffffff804b91e1 in db_trap (type=, code=) at /usr/src/sys/ddb/db_main.c:266
#9 0xffffffff80c23c0f in kdb_trap (type=type@entry=3, code=code@entry=0, tf=tf@entry=0xfffffe069ae289b0) at /usr/src/sys/kern/subr_kdb.c:790
#10 0xffffffff811318fd in trap (frame=) at /usr/src/sys/amd64/amd64/trap.c:697
#11
#12 kdb_enter (why=, msg=) at /usr/src/sys/kern/subr_kdb.c:556
#13 0xffffffff80bd0b8b in vpanic (fmt=0xffffffff812bd9d3 "%s", ap=ap@entry=0xfffffe069ae28be0) at /usr/src/sys/kern/kern_shutdown.c:962
#14 0xffffffff80bd09f3 in panic (fmt=0xffffffff81da22a0 "\325\376!\201\377\377\377\377") at /usr/src/sys/kern/kern_shutdown.c:887
#15 0xffffffff81132082 in trap_fatal (frame=, eva=) at /usr/src/sys/amd64/amd64/trap.c:1028
#16 0xffffffff81132082 in trap_pfault (frame=0xfffffe069ae28c80, usermode=false, signo=, ucode=)
#17
#18 0xffffffff80b72503 in knote_drop_detached (kn=kn@entry=0xff0100772fd78668, td=td@entry=0xff01007278e4e780) at /usr/src/sys/kern/kern_event.c:2950
#19 0xffffffff80b7284f in knote_drop (td=0xff01007278e4e780, kn=) at /usr/src/sys/kern/kern_event.c:2915
#20 knote_fdclose (td=td@entry=0xff01007278e4e780, fd=fd@entry=211098) at /usr/src/sys/kern/kern_event.c:2875
#21 0xffffffff80b69fd8 in closefp_impl (fdp=0xfffffe0694c620c0, fd=211098, fp=0xff010004c3517c80, td=0xff01007278e4e780, audit=true) at /usr/src/sys/kern/kern_descrip.c:1413
#22 0xffffffff81132739 in syscallenter (td=0xff01007278e4e780) at /usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:193
#23 amd64_syscall (td=0xff01007278e4e780, traced=0) at /usr/src/sys/amd64/amd64/trap.c:1267
#24
#25 0x000000082d1d232a in ?? ()
Backtrace stopped: Cannot access memory at address 0x858670b98

(kgdb) fr 18
#18 0xffffffff80b72503 in knote_drop_detached (kn=kn@entry=0xff0100772fd78668, td=td@entry=0xff01007278e4e780) at /usr/src/sys/kern/kern_event.c:2950
2950        SLIST_REMOVE(list, kn, knote, kn_link);

(kgdb) p *((struct eknote*)kn)
$1 = {
  k = {
    kn_link = {
      sle_next = 0x0
    },
    kn_selnext = {
      sle_next = 0xffffffffffffffff
    },
    kn_knlist = 0x0,
    kn_tqe = {
      tqe_next = 0xffffffffffffffff,
      tqe_prev = 0xffffffffffffffff
    },
    kn_kq = 0xff01000107b11500,
    kn_kevent = {
      ident = 76954,
      filter = -1,
      flags = 32,
      fflags = 0,
      data = 0,
      udata = 0x1b2102fcfc40,
      ext = {0, 0, 0, 0}
    },
    kn_hook = 0x0,
    kn_hookid = 0,
    kn_status = 8,
    kn_influx = 1,
    kn_sfflags = 0,
    kn_sdata = 0,
    kn_ptr = {
      p_fp = 0xff010062f4444af0,
      p_proc = 0xff010062f4444af0,
      p_aio = 0xff010062f4444af0,
      p_lio = 0xff010062f4444af0,
      p_prison = 0xff010062f4444af0,
      p_v = 0xff010062f4444af0
    },
    kn_fop = 0xffffffff814dd960
  },
  c = {
    kn_link = {
      sle_next = 0x0
    },
    kn_selnext = {
      sle_next = 0x0
    },
    kn_knlist = 0x0,
    kn_tqe = {
      tqe_next = 0x0,
      tqe_prev = 0x0
    },
    kn_kq = 0x0,
    kn_kevent = {
      ident = 0,
      filter = 0,
      flags = 0,
      fflags = 0,
      data = 0,
      udata = 0x0,
      ext = {0, 0, 0, 0}
    },
    kn_hook = 0x0,
    kn_hookid = 0,
    kn_status = 0,
    kn_influx = 0,
    kn_sfflags = 0,
    kn_sdata = 0,
    kn_ptr = {
      p_fp = 0x0,
      p_proc = 0x0,
      p_aio = 0x0,
      p_lio = 0x0,
      p_prison = 0x0,
      p_v = 0x0
    },
    kn_fop = 0x0
  },
  on_kn_link = 0
}

(kgdb) p kq
$2 = (struct kqueue *) 0xff01000107b11500

(kgdb) p *kq
$3 = {
  kq_lock = {
    lock_object = {
      lo_name = 0xffffffff813464c6 "kqueue",
      lo_flags = 21168128,
      lo_data = 0,
      lo_witness = 0xff0100804bd8db80
    },
    mtx_lock = 18374968446302873472
  },
  kq_refcnt = 0,
  kq_list = {
    tqe_next = 0xff010001dd4fac00,
    tqe_prev = 0xff010077e823d828
  },
  kq_head = {
    tqh_first = 0x0,
    tqh_last = 0xff01000107b11538
  },
  kq_count = 0,
  kq_sel = {
    si_tdlist = {
      tqh_first = 0x0,
      tqh_last = 0x0
    },
    si_note = {
      kl_list = {
        slh_first = 0x0
      },
      kl_lock = 0xffffffff80b71fc0,
      kl_unlock = 0xffffffff80b71fe0,
      kl_assert_lock = 0xffffffff80b72000,
      kl_lockarg = 0xff01000107b11500,
      kl_autodestroy = 0
    },
    si_mtx = 0x0
  },
  kq_sigio = 0x0,
  kq_fdp = 0xfffffe0694c620c0,
  kq_state = 0,
  kq_knlistsize = 288512,
  kq_knlist = 0xfffffe09ce3fe000,
  kq_knhashmask = 0,
  kq_knhash = 0x0,
  kq_task = {
    ta_link = {
      stqe_next = 0x0
    },
    ta_pending = 0,
    ta_priority = 0 '\000',
    ta_flags = 0 '\000',
    ta_func = 0xffffffff80b748a0,
    ta_context = 0xff01000107b11500
  },
  kq_cred = 0xff010001dd445900,
  kq_forksrc = 0x0
}

(kgdb) p list
$4 = p kq->kq_knlist[kn->kn_kevent.ident]
$6 = {
  slh_first = 0x0
}

(kgdb) p &kq->kq_knlist[kn->kn_kevent.ident]
$7 = (struct klist *) 0xfffffe09ce4944d0

Please, tell us if you need anything else.