Date: Wed, 18 Mar 2026 10:10:18 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 293382] Dead lock and kernel crash around closefp_impl
Message-ID: <bug-293382-227-2YnyqFT76w@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-293382-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293382

--- Comment #19 from Paul <devgs@ukr.net> ---
Sadly, it happens still, even with the latest patch of kern_event.c:

Fatal trap 9: general protection fault while in kernel mode
cpuid = 0; apic id = 00
instruction pointer     = 0x20:0xffffffff80b5914d
stack pointer           = 0x28:0xfffffe0718977d60
frame pointer           = 0x28:0xfffffe0718977d60
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 3115 (asy:http:s)
rdi: deadc0dedeadc0f6 rsi: 0000000000000004 rdx: ffffffff811ab239
rcx: 0000000000000121  r8: 0000000000000001  r9: ffffffff81e1ec98
rax: fffff803c20c3740 rbx: 000000000008fa97 rbp: fffffe0718977d60
r10: 0000000000000000 r11: 0000000000000004 r12: fffff80155c37718
r13: fffff819bc941960 r14: 000000000008fa97 r15: fffff80155c37700
trap number             = 9
panic: general protection fault
cpuid = 0
time = 1773824580
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0718977ae0
vpanic() at vpanic+0x161/frame 0xfffffe0718977c10
panic() at panic+0x43/frame 0xfffffe0718977c70
trap_fatal() at trap_fatal+0x68/frame 0xfffffe0718977c90
calltrap() at calltrap+0x8/frame 0xfffffe0718977c90
--- trap 0x9, rip = 0xffffffff80b5914d, rsp = 0xfffffe0718977d60, rbp = 0xfffffe0718977d60 ---
__mtx_assert() at __mtx_assert+0x3d/frame 0xfffffe0718977d60
knote_fdclose() at knote_fdclose+0x11e/frame 0xfffffe0718977dc0
closefp_impl() at closefp_impl+0x96/frame 0xfffffe0718977e00
amd64_syscall() at amd64_syscall+0x15a/frame 0xfffffe0718977f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0718977f30
--- syscall (6, FreeBSD ELF64, close), rip = 0x82ddf932a, rsp = 0x85fb5eb88, rbp = 0x85fb5eba0 ---
KDB: enter: panic

(kgdb) bt
#0  __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:57
#1  doadump (textdump=0) at /usr/src/sys/kern/kern_shutdown.c:405
#2  0xffffffff804a4718 in db_fncall_generic (nargs=0, args=0xfffffe0718977510, addr=<optimized out>, rv=<optimized out>) at /usr/src/sys/ddb/db_command.c:626
#3  db_fncall (dummy1=<optimized out>, dummy2=<optimized out>, dummy3=<optimized out>, dummy4=<optimized out>) at /usr/src/sys/ddb/db_command.c:674
#4  0xffffffff804a418d in db_command (last_cmdp=<optimized out>, cmd_table=<optimized out>, dopager=false) at /usr/src/sys/ddb/db_command.c:504
#5  0xffffffff804a42d6 in db_command_script (command=command@entry=0xffffffff81bba6e2 <db_recursion_data+18> "call doadump") at /usr/src/sys/ddb/db_command.c:569
#6  0xffffffff804a9578 in db_script_exec (scriptname=scriptname@entry=0xfffffe07189776e0 "kdb.enter.panic", warnifnotfound=warnifnotfound@entry=0) at /usr/src/sys/ddb/db_script.c:302
#7  0xffffffff804a9472 in db_script_kdbenter (eventname=<optimized out>) at /usr/src/sys/ddb/db_script.c:324
#8  0xffffffff804a7531 in db_trap (type=<optimized out>, code=<optimized out>) at /usr/src/sys/ddb/db_main.c:267
#9  0xffffffff80bd09a0 in kdb_trap (type=type@entry=3, code=code@entry=0, tf=tf@entry=0xfffffe0718977a20) at /usr/src/sys/kern/subr_kdb.c:790
#10 0xffffffff810b3a07 in trap (frame=0xfffffe0718977a20) at /usr/src/sys/amd64/amd64/trap.c:639
#11 <signal handler called>
#12 kdb_enter (why=<optimized out>, msg=<optimized out>) at /usr/src/sys/kern/subr_kdb.c:556
#13 0xffffffff80b7fc7d in vpanic (fmt=0xffffffff81237367 "%s", ap=ap@entry=0xfffffe0718977c50) at /usr/src/sys/kern/kern_shutdown.c:953
#14 0xffffffff80b7fa43 in panic (fmt=0xffffffff81d853a0 <cnputs_mtx> "\233\327\031\201\377\377\377\377") at /usr/src/sys/kern/kern_shutdown.c:891
#15 0xffffffff810b40b8 in trap_fatal (frame=0xfffffe0718977ca0, eva=<optimized out>) at /usr/src/sys/amd64/amd64/trap.c:1000
#16 <signal handler called>
#17 __mtx_assert (c=0xdeadc0dedeadc0f6, what=what@entry=4, file=0xffffffff811ab239 "/usr/src/sys/kern/kern_event.c", line=line@entry=289) at /usr/src/sys/kern/kern_mutex.c:1091
#18 0xffffffff80b25c8e in kn_enter_flux (kn=<optimized out>) at /usr/src/sys/kern/kern_event.c:289
#19 knote_fdclose (td=td@entry=0xfffff803c20c3740, fd=fd@entry=588439) at /usr/src/sys/kern/kern_event.c:2703
#20 0xffffffff80b1dbd6 in closefp_impl (fdp=0xfffffe0713371430, fd=588439, fp=0xfffff86e9b7ee190, td=0xfffff803c20c3740, audit=true) at /usr/src/sys/kern/kern_descrip.c:1320
#21 0xffffffff810b4f0a in syscallenter (td=0xfffff803c20c3740) at /usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:193
#22 amd64_syscall (td=0xfffff803c20c3740, traced=0) at /usr/src/sys/amd64/amd64/trap.c:1241
#23 <signal handler called>
#24 0x000000082ddf932a in ?? ()
Backtrace stopped: Cannot access memory at address 0x85fb5eb88

(kgdb) l /usr/src/sys/kern/kern_event.c:2690
2685		/*
2686		 * We shouldn't have to worry about new kevents appearing on fd
2687		 * since filedesc is locked.
2688		 */
2689	again:
2690		TAILQ_FOREACH(kq, &fdp->fd_kqlist, kq_list) {
2691			KQ_LOCK(kq);
2692			influx = 0;
2693			while (kq->kq_knlistsize > fd &&
2694			    (kn = SLIST_FIRST(&kq->kq_knlist[fd])) != NULL) {

(kgdb) fr 18
#18 0xffffffff80b25c8e in kn_enter_flux (kn=<optimized out>) at /usr/src/sys/kern/kern_event.c:289
289		KQ_OWNED(kn->kn_kq);
(kgdb) p *kn->kn_kq
value has been optimized out
(kgdb) up
#19 knote_fdclose (td=td@entry=0xfffff803c20c3740, fd=fd@entry=588439) at /usr/src/sys/kern/kern_event.c:2703
2703			kn_enter_flux(kn);
(kgdb) p kn
$4 = (struct knote *) 0xfffff819bc941960
(kgdb) p *kn
$1 = {
  kn_link = {
    sle_next = 0xdeadc0dedeadc0de
  },
  kn_selnext = {
    sle_next = 0xdeadc0dedeadc0de
  },
  kn_knlist = 0xdeadc0dedeadc0de,
  kn_tqe = {
    tqe_next = 0xdeadc0dedeadc0de,
    tqe_prev = 0xdeadc0dedeadc0de
  },
  kn_kq = 0xdeadc0dedeadc0de,
  kn_kevent = {
    ident = 16045693110842147038,
    filter = -16162,
    flags = 57005,
    fflags = 3735929054,
    data = -2401050962867404578,
    udata = 0xdeadc0dedeadc0de,
    ext = {16045693110842147038, 16045693110842147038, 16045693110842147038, 16045693110842147038}
  },
  kn_hook = 0xdeadc0dedeadc0de,
  kn_hookid = -559038242,
  kn_status = -559038242,
  kn_influx = -559038242,
  kn_sfflags = -559038242,
  kn_sdata = -2401050962867404578,
  kn_ptr = {
    p_fp = 0xdeadc0dedeadc0de,
    p_proc = 0xdeadc0dedeadc0de,
    p_aio = 0xdeadc0dedeadc0de,
    p_lio = 0xdeadc0dedeadc0de,
    p_v = 0xdeadc0dedeadc0de
  },
  kn_fop = 0xdeadc0dedeadc0de
}
(kgdb) p *kn->kn_kq
Cannot access memory at address 0xdeadc0dedeadc0de

#20 0xffffffff80b1dbd6 in closefp_impl (fdp=0xfffffe0713371430, fd=588439, fp=0xfffff86e9b7ee190, td=0xfffff803c20c3740, audit=true) at /usr/src/sys/kern/kern_descrip.c:1320
1320		knote_fdclose(td, fd);
(kgdb) p *fp
$1 = {
  f_flag = 7,
  f_count = 1,
  f_data = 0xfffff82e0210c000,
  f_ops = 0xffffffff81436808 <socketops>,
  f_vnode = 0x0,
  f_cred = 0xfffff804daf23a00,
  f_type = 2,
  f_vflags = 0,
  {
    f_seqcount = {0, 0},
    f_pipegen = 0
  },
  f_nextoff = {0, 0},
  f_vnun = {
    fvn_cdevpriv = 0x0,
    fvn_advice = 0x0
  },
  f_offset = 0
}
(kgdb) p *fdp
$2 = {
  fd_files = 0xfffffe094f9fb000,
  fd_map = 0xfffffe094d255000,
  fd_freefile = 3,
  fd_refcnt = 1,
  fd_holdcnt = 1,
  fd_sx = {
    lock_object = {
      lo_name = 0xffffffff812b4244 "filedesc structure",
      lo_flags = 36896768,
      lo_data = 0,
      lo_witness = 0xfffff8804bd94380
    },
    sx_lock = 18446735293757011776
  },
  fd_kqlist = {
    tqh_first = 0xfffff8010c5ba200,
    tqh_last = 0xfffff80155c37728
  },
  fd_holdleaderscount = 0,
  fd_holdleaderswakeup = 0
}
(kgdb) fr 19
#19 knote_fdclose (td=td@entry=0xfffff803c20c3740, fd=fd@entry=588439) at /usr/src/sys/kern/kern_event.c:2703
2703			kn_enter_flux(kn);
(kgdb) p *kq
value has been optimized out
(kgdb) i r
rax            0xfffff803c20c3740  -8779952539840
rbx            0x8fa97             588439
rcx            0x121               289
rdx            0xffffffff811ab239  -2128956871
rsi            0x4                 4
rdi            0xdeadc0dedeadc0f6  -2401050962867404554
rbp            0xfffffe0718977dc0  0xfffffe0718977dc0
rsp            0xfffffe0718977d70  0xfffffe0718977d70
r8             0x1                 1
r9             0xffffffff81e1ec98  -2115900264
r10            0x0                 0
r11            0x4                 4
r12            0xfffff80155c37718  -8790359181544
r13            0xfffff819bc941960  -8685555017376
r14            0x8fa97             588439
r15            0xfffff80155c37700  -8790359181568
rip            0xffffffff80b25c8e  0xffffffff80b25c8e <knote_fdclose+286>
eflags         0x10297             [ CF PF AF SF IF RF ]
cs             0x20                32
ss             0x28                40
ds             <unavailable>
es             <unavailable>
fs             <unavailable>
gs             <unavailable>
fs_base        <unavailable>
gs_base        <unavailable>
(kgdb) p *((struct kqueue*)$r15)
$3 = {
  kq_lock = {
    lock_object = {
      lo_name = 0xffffffff812bbf6c "kqueue",
      lo_flags = 21168128,
      lo_data = 0,
      lo_witness = 0xfffff8804bd8da80
    },
    mtx_lock = 18446735293757011776
  },
  kq_refcnt = 1,
  kq_list = {
    tqe_next = 0x0,
    tqe_prev = 0xfffff80150e0d528
  },
  kq_head = {
    tqh_first = 0x0,
    tqh_last = 0xfffff80155c37738
  },
  kq_count = 0,
  kq_sel = {
    si_tdlist = {
      tqh_first = 0x0,
      tqh_last = 0x0
    },
    si_note = {
      kl_list = {
        slh_first = 0x0
      },
      kl_lock = 0xffffffff80b254e0 <knlist_mtx_lock>,
      kl_unlock = 0xffffffff80b25500 <knlist_mtx_unlock>,
      kl_assert_lock = 0xffffffff80b25520 <knlist_mtx_assert_lock>,
      kl_lockarg = 0xfffff80155c37700,
      kl_autodestroy = 0
    },
    si_mtx = 0x0
  },
  kq_sigio = 0x0,
  kq_fdp = 0xfffffe0713371430,
  kq_state = 2,
  kq_knlistsize = 680960,
  kq_knlist = 0xfffffe0987b7a000,
  kq_knhashmask = 0,
  kq_knhash = 0x0,
  kq_task = {
    ta_link = {
      stqe_next = 0x0
    },
    ta_pending = 0,
    ta_priority = 0 '\000',
    ta_flags = 0 '\000',
    ta_func = 0xffffffff80b26050 <kqueue_task>,
    ta_context = 0xfffff80155c37700
  },
  kq_cred = 0xfffff804daf23a00
}

Weirdest thing is (might this be a hint of a problem?) that in frame 19, `kn` points to some memory address that contains exactly the same, byte-by-byte content as in the previous crash, seemingly garbage. Is this some 'kernel constants' data segment, or is it expected and not garbage?

-- 
You are receiving this mail because:
You are the assignee for the bug.
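Editor's note on the question above, with an added example that is not part of the bug report or of FreeBSD: 0xdeadc0de is the fill value UMA's trash routines (sys/vm/uma_dbg.c) write over freed items on an INVARIANTS kernel, so a knote whose every field reads 0xdeadc0dedeadc0de is freed memory rather than a constants segment, and rdi = 0xdeadc0dedeadc0f6 is that poison plus 0x18, consistent with &kq_lock.mtx_lock computed from a poisoned kn_kq (struct lock_object is 24 bytes on amd64). The C helper below classifies a struct dump as poison and recovers the member offset from a poison-derived pointer; the images and the 0x1000 offset bound are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Fill value UMA's trash_ctor/trash_dtor use for freed items on an
 * INVARIANTS kernel (sys/vm/uma_dbg.c); a pointer read from freed
 * memory shows up as the 32-bit value replicated into 64 bits. */
#define UMA_JUNK32  0xdeadc0deU
#define UMA_JUNK64  (((uint64_t)UMA_JUNK32 << 32) | UMA_JUNK32)

/* Assumed bound on struct member offsets; anything farther from the
 * poison value is treated as a genuine address, not poison + offset. */
#define MAX_MEMBER_OFFSET 0x1000

/* If v was computed as (poisoned pointer + member offset), return that
 * offset; return -1 when v does not look poison-derived at all. */
long uma_junk_offset(uint64_t v)
{
    if (v < UMA_JUNK64 || v - UMA_JUNK64 > MAX_MEMBER_OFFSET)
        return -1;
    return (long)(v - UMA_JUNK64);
}

/* Count 64-bit words of an object image equal to the poison value. */
size_t count_junk_words(const uint64_t *words, size_t n)
{
    size_t junk = 0;
    for (size_t i = 0; i < n; i++)
        junk += (words[i] == UMA_JUNK64);
    return junk;
}

/* An object that is poison from end to end was freed and not reused:
 * the pointer to it is stale (use-after-free), not a data segment. */
int object_is_freed(const uint64_t *words, size_t n)
{
    return n > 0 && count_junk_words(words, n) == n;
}

/* Constructed images: the dumped knote (all poison) and the first three
 * words of the live kqueue at r15 (lo_name, lo_flags|lo_data, lo_witness). */
static const uint64_t freed_knote[6] = { UMA_JUNK64, UMA_JUNK64, UMA_JUNK64,
                                         UMA_JUNK64, UMA_JUNK64, UMA_JUNK64 };
static const uint64_t live_kqueue[3] = { 0xffffffff812bbf6cULL,
                                         0x0000000001430000ULL,
                                         0xfffff8804bd8da80ULL };

int sample_knote_is_freed(void)  { return object_is_freed(freed_knote, 6); }
int sample_kqueue_is_freed(void) { return object_is_freed(live_kqueue, 3); }
```

Against the values in the dump, uma_junk_offset(0xdeadc0dedeadc0f6) returns 0x18 while the live pointers in r13 and r15 return -1, and only the knote image classifies as freed.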
