From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 293382] Dead lock and kernel crash around closefp_impl
Date: Wed, 18 Mar 2026 10:10:18 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 14.3-STABLE
X-Bugzilla-Keywords: crash
X-Bugzilla-Who: devgs@ukr.net
X-Bugzilla-Status: Open
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293382

--- Comment #19 from Paul ---

Sadly, it still happens, even with the latest patch of kern_event.c:

Fatal trap 9: general protection fault while in kernel mode
cpuid = 0; apic id = 00
instruction pointer     = 0x20:0xffffffff80b5914d
stack pointer           = 0x28:0xfffffe0718977d60
frame pointer           = 0x28:0xfffffe0718977d60
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 3115 (asy:http:s)
rdi: deadc0dedeadc0f6 rsi: 0000000000000004 rdx: ffffffff811ab239
rcx: 0000000000000121  r8: 0000000000000001  r9: ffffffff81e1ec98
rax: fffff803c20c3740 rbx: 000000000008fa97 rbp: fffffe0718977d60
r10: 0000000000000000 r11: 0000000000000004 r12: fffff80155c37718
r13: fffff819bc941960 r14: 000000000008fa97 r15: fffff80155c37700
trap number             = 9
panic: general protection fault
cpuid = 0
time = 1773824580
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0718977ae0
vpanic() at vpanic+0x161/frame 0xfffffe0718977c10
panic() at panic+0x43/frame 0xfffffe0718977c70
trap_fatal() at trap_fatal+0x68/frame 0xfffffe0718977c90
calltrap() at calltrap+0x8/frame 0xfffffe0718977c90
--- trap 0x9, rip = 0xffffffff80b5914d, rsp = 0xfffffe0718977d60, rbp = 0xfffffe0718977d60 ---
__mtx_assert() at __mtx_assert+0x3d/frame 0xfffffe0718977d60
knote_fdclose() at knote_fdclose+0x11e/frame 0xfffffe0718977dc0
closefp_impl() at closefp_impl+0x96/frame 0xfffffe0718977e00
amd64_syscall() at amd64_syscall+0x15a/frame 0xfffffe0718977f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0718977f30
--- syscall (6, FreeBSD ELF64, close), rip = 0x82ddf932a, rsp = 0x85fb5eb88, rbp = 0x85fb5eba0 ---
KDB: enter: panic

(kgdb) bt
#0  __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:57
#1  doadump (textdump=0) at /usr/src/sys/kern/kern_shutdown.c:405
#2  0xffffffff804a4718 in db_fncall_generic (nargs=0, args=0xfffffe0718977510, addr=<optimized out>, rv=<optimized out>) at /usr/src/sys/ddb/db_command.c:626
#3  db_fncall (dummy1=<optimized out>, dummy2=<optimized out>, dummy3=<optimized out>, dummy4=<optimized out>) at /usr/src/sys/ddb/db_command.c:674
#4  0xffffffff804a418d in db_command (last_cmdp=<optimized out>, cmd_table=<optimized out>, dopager=false) at /usr/src/sys/ddb/db_command.c:504
#5  0xffffffff804a42d6 in db_command_script (command=command@entry=0xffffffff81bba6e2 "call doadump") at /usr/src/sys/ddb/db_command.c:569
#6  0xffffffff804a9578 in db_script_exec (scriptname=scriptname@entry=0xfffffe07189776e0 "kdb.enter.panic", warnifnotfound=warnifnotfound@entry=0) at /usr/src/sys/ddb/db_script.c:302
#7  0xffffffff804a9472 in db_script_kdbenter (eventname=<optimized out>) at /usr/src/sys/ddb/db_script.c:324
#8  0xffffffff804a7531 in db_trap (type=<optimized out>, code=<optimized out>) at /usr/src/sys/ddb/db_main.c:267
#9  0xffffffff80bd09a0 in kdb_trap (type=type@entry=3, code=code@entry=0, tf=tf@entry=0xfffffe0718977a20) at /usr/src/sys/kern/subr_kdb.c:790
#10 0xffffffff810b3a07 in trap (frame=0xfffffe0718977a20) at /usr/src/sys/amd64/amd64/trap.c:639
#11
#12 kdb_enter (why=<optimized out>, msg=<optimized out>) at /usr/src/sys/kern/subr_kdb.c:556
#13 0xffffffff80b7fc7d in vpanic (fmt=0xffffffff81237367 "%s", ap=ap@entry=0xfffffe0718977c50) at /usr/src/sys/kern/kern_shutdown.c:953
#14 0xffffffff80b7fa43 in panic (fmt=0xffffffff81d853a0 "\233\327\031\201\377\377\377\377") at /usr/src/sys/kern/kern_shutdown.c:891
#15 0xffffffff810b40b8 in trap_fatal (frame=0xfffffe0718977ca0, eva=<optimized out>) at /usr/src/sys/amd64/amd64/trap.c:1000
#16
#17 __mtx_assert (c=0xdeadc0dedeadc0f6, what=what@entry=4, file=0xffffffff811ab239 "/usr/src/sys/kern/kern_event.c", line=line@entry=289) at /usr/src/sys/kern/kern_mutex.c:1091
#18 0xffffffff80b25c8e in kn_enter_flux (kn=<optimized out>) at /usr/src/sys/kern/kern_event.c:289
#19 knote_fdclose (td=td@entry=0xfffff803c20c3740, fd=fd@entry=588439) at /usr/src/sys/kern/kern_event.c:2703
#20 0xffffffff80b1dbd6 in closefp_impl (fdp=0xfffffe0713371430, fd=588439, fp=0xfffff86e9b7ee190, td=0xfffff803c20c3740, audit=true) at /usr/src/sys/kern/kern_descrip.c:1320
#21 0xffffffff810b4f0a in syscallenter (td=0xfffff803c20c3740) at /usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:193
#22 amd64_syscall (td=0xfffff803c20c3740, traced=0) at /usr/src/sys/amd64/amd64/trap.c:1241
#23
#24 0x000000082ddf932a in ?? ()
Backtrace stopped: Cannot access memory at address 0x85fb5eb88

(kgdb) l /usr/src/sys/kern/kern_event.c:2690
2685            /*
2686             * We shouldn't have to worry about new kevents appearing on fd
2687             * since filedesc is locked.
2688             */
2689    again:
2690            TAILQ_FOREACH(kq, &fdp->fd_kqlist, kq_list) {
2691                    KQ_LOCK(kq);
2692                    influx = 0;
2693                    while (kq->kq_knlistsize > fd &&
2694                        (kn = SLIST_FIRST(&kq->kq_knlist[fd])) != NULL) {

(kgdb) fr 18
#18 0xffffffff80b25c8e in kn_enter_flux (kn=<optimized out>) at /usr/src/sys/kern/kern_event.c:289
289             KQ_OWNED(kn->kn_kq);
(kgdb) p *kn->kn_kq
value has been optimized out
(kgdb) up
#19 knote_fdclose (td=td@entry=0xfffff803c20c3740, fd=fd@entry=588439) at /usr/src/sys/kern/kern_event.c:2703
2703                            kn_enter_flux(kn);
(kgdb) p kn
$4 = (struct knote *) 0xfffff819bc941960
(kgdb) p *kn
$1 = {
  kn_link = {
    sle_next = 0xdeadc0dedeadc0de
  },
  kn_selnext = {
    sle_next = 0xdeadc0dedeadc0de
  },
  kn_knlist = 0xdeadc0dedeadc0de,
  kn_tqe = {
    tqe_next = 0xdeadc0dedeadc0de,
    tqe_prev = 0xdeadc0dedeadc0de
  },
  kn_kq = 0xdeadc0dedeadc0de,
  kn_kevent = {
    ident = 16045693110842147038,
    filter = -16162,
    flags = 57005,
    fflags = 3735929054,
    data = -2401050962867404578,
    udata = 0xdeadc0dedeadc0de,
    ext = {16045693110842147038, 16045693110842147038, 16045693110842147038, 16045693110842147038}
  },
  kn_hook = 0xdeadc0dedeadc0de,
  kn_hookid = -559038242,
  kn_status = -559038242,
  kn_influx = -559038242,
  kn_sfflags = -559038242,
  kn_sdata = -2401050962867404578,
  kn_ptr = {
    p_fp = 0xdeadc0dedeadc0de,
    p_proc = 0xdeadc0dedeadc0de,
    p_aio = 0xdeadc0dedeadc0de,
    p_lio = 0xdeadc0dedeadc0de,
    p_v = 0xdeadc0dedeadc0de
  },
  kn_fop = 0xdeadc0dedeadc0de
}
(kgdb) p *kn->kn_kq
Cannot access memory at address 0xdeadc0dedeadc0de

#20 0xffffffff80b1dbd6 in closefp_impl (fdp=0xfffffe0713371430, fd=588439, fp=0xfffff86e9b7ee190, td=0xfffff803c20c3740, audit=true) at /usr/src/sys/kern/kern_descrip.c:1320
1320            knote_fdclose(td, fd);
(kgdb) p *fp
$1 = {
  f_flag = 7,
  f_count = 1,
  f_data = 0xfffff82e0210c000,
  f_ops = 0xffffffff81436808 ,
  f_vnode = 0x0,
  f_cred = 0xfffff804daf23a00,
  f_type = 2,
  f_vflags = 0,
  {
    f_seqcount = {0, 0},
    f_pipegen = 0
  },
  f_nextoff = {0, 0},
  f_vnun = {
    fvn_cdevpriv = 0x0,
    fvn_advice = 0x0
  },
  f_offset = 0
}
(kgdb) p *fdp
$2 = {
  fd_files = 0xfffffe094f9fb000,
  fd_map = 0xfffffe094d255000,
  fd_freefile = 3,
  fd_refcnt = 1,
  fd_holdcnt = 1,
  fd_sx = {
    lock_object = {
      lo_name = 0xffffffff812b4244 "filedesc structure",
      lo_flags = 36896768,
      lo_data = 0,
      lo_witness = 0xfffff8804bd94380
    },
    sx_lock = 18446735293757011776
  },
  fd_kqlist = {
    tqh_first = 0xfffff8010c5ba200,
    tqh_last = 0xfffff80155c37728
  },
  fd_holdleaderscount = 0,
  fd_holdleaderswakeup = 0
}

(kgdb) fr 19
#19 knote_fdclose (td=td@entry=0xfffff803c20c3740, fd=fd@entry=588439) at /usr/src/sys/kern/kern_event.c:2703
2703                            kn_enter_flux(kn);
(kgdb) p *kq
value has been optimized out
(kgdb) i r
rax            0xfffff803c20c3740  -8779952539840
rbx            0x8fa97             588439
rcx            0x121               289
rdx            0xffffffff811ab239  -2128956871
rsi            0x4                 4
rdi            0xdeadc0dedeadc0f6  -2401050962867404554
rbp            0xfffffe0718977dc0  0xfffffe0718977dc0
rsp            0xfffffe0718977d70  0xfffffe0718977d70
r8             0x1                 1
r9             0xffffffff81e1ec98  -2115900264
r10            0x0                 0
r11            0x4                 4
r12            0xfffff80155c37718  -8790359181544
r13            0xfffff819bc941960  -8685555017376
r14            0x8fa97             588439
r15            0xfffff80155c37700  -8790359181568
rip            0xffffffff80b25c8e  0xffffffff80b25c8e
eflags         0x10297             [ CF PF AF SF IF RF ]
cs             0x20                32
ss             0x28                40
ds
es
fs
gs
fs_base
gs_base
(kgdb) p *((struct kqueue*)$r15)
$3 = {
  kq_lock = {
    lock_object = {
      lo_name = 0xffffffff812bbf6c "kqueue",
      lo_flags = 21168128,
      lo_data = 0,
      lo_witness = 0xfffff8804bd8da80
    },
    mtx_lock = 18446735293757011776
  },
  kq_refcnt = 1,
  kq_list = {
    tqe_next = 0x0,
    tqe_prev = 0xfffff80150e0d528
  },
  kq_head = {
    tqh_first = 0x0,
    tqh_last = 0xfffff80155c37738
  },
  kq_count = 0,
  kq_sel = {
    si_tdlist = {
      tqh_first = 0x0,
      tqh_last = 0x0
    },
    si_note = {
      kl_list = {
        slh_first = 0x0
      },
      kl_lock = 0xffffffff80b254e0 ,
      kl_unlock = 0xffffffff80b25500 ,
      kl_assert_lock = 0xffffffff80b25520 ,
      kl_lockarg = 0xfffff80155c37700,
      kl_autodestroy = 0
    },
    si_mtx = 0x0
  },
  kq_sigio = 0x0,
  kq_fdp = 0xfffffe0713371430,
  kq_state = 2,
  kq_knlistsize = 680960,
  kq_knlist = 0xfffffe0987b7a000,
  kq_knhashmask = 0,
  kq_knhash = 0x0,
  kq_task = {
    ta_link = {
      stqe_next = 0x0
    },
    ta_pending = 0,
    ta_priority = 0 '\000',
    ta_flags = 0 '\000',
    ta_func = 0xffffffff80b26050 ,
    ta_context = 0xfffff80155c37700
  },
  kq_cred = 0xfffff804daf23a00
}

The weirdest thing is (might this be a hint of the problem?) that in frame 19, `kn` points to a memory address whose content is exactly the same, byte for byte, as in the previous crash, seemingly garbage. Is this some 'kernel constants' data segment, or is it expected and not garbage?
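Editor's note with an added example (this is not Paul's code and not FreeBSD's): on a FreeBSD kernel built with INVARIANTS, UMA overwrites freed allocations with the 32-bit junk pattern 0xdeadc0de (uma_junk in sys/vm/uma_dbg.c), which is why every pointer-sized field in the `p *kn` dump above reads 0xdeadc0dedeadc0de. The argument that faulted in frame 17, c=0xdeadc0dedeadc0f6, is that poison word plus 0x18. In the `p *((struct kqueue*)$r15)` output, kq_lock starts with a 24-byte lock_object (lo_name, lo_flags, lo_data, lo_witness) followed by mtx_lock, so 0x18 is exactly the offset of mtx_lock, and KQ_OWNED(kq) is a mtx_assert on &kq->kq_lock, which hands &mtx->mtx_lock to __mtx_assert. The program below, written for this note, decodes a register value against that poison pattern and maps the residual offset onto a mirror of the struct mtx layout. The mirror types and the register values are assumptions transcribed from the dump on this page, not taken from the kernel headers.

```c
/*
 * Added example (editor's code, not Paul's and not part of FreeBSD):
 * decode a faulting kernel pointer against UMA's INVARIANTS poison
 * pattern and map the residual offset onto the struct mtx layout seen
 * in the kgdb dump. The struct mirrors below are ASSUMED from the dump
 * (lo_name, lo_flags, lo_data, lo_witness, then mtx_lock), not from
 * sys/_mutex.h; the register values are transcribed from the page.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

_Static_assert(sizeof(void *) == 8, "layout assumes LP64 like amd64");

/* 32-bit junk UMA writes into freed memory (uma_junk), as a 64-bit word. */
#define UMA_JUNK64 0xdeadc0dedeadc0deULL

/* Mirror of the layout visible in the dump: 24-byte lock_object + mtx_lock. */
struct lock_object_mirror {
    const char *lo_name;
    uint32_t    lo_flags;
    uint32_t    lo_data;
    void       *lo_witness;
};
struct mtx_mirror {
    struct lock_object_mirror lock_object;
    uintptr_t                 mtx_lock;
};

enum verdict { FAULT_UNRELATED, FAULT_POISON_BASE, FAULT_POISON_FIELD };

/*
 * If val lies within window bytes at or above the poison word, return the
 * distance from it (0 for an exact match); otherwise -1. A small positive
 * distance means "poisoned base pointer plus a field offset", i.e. the
 * kernel dereferenced a field of an object that had already been freed.
 */
static long poison_offset(uint64_t val, uint64_t window)
{
    if (val < UMA_JUNK64)
        return -1;
    uint64_t off = val - UMA_JUNK64;
    return off <= window ? (long)off : -1;
}

/* Name the struct mtx field that starts at byte offset off, or NULL. */
static const char *mtx_field_at(size_t off)
{
    const size_t lo = offsetof(struct mtx_mirror, lock_object);
    if (off == lo + offsetof(struct lock_object_mirror, lo_name))    return "lock_object.lo_name";
    if (off == lo + offsetof(struct lock_object_mirror, lo_flags))   return "lock_object.lo_flags";
    if (off == lo + offsetof(struct lock_object_mirror, lo_data))    return "lock_object.lo_data";
    if (off == lo + offsetof(struct lock_object_mirror, lo_witness)) return "lock_object.lo_witness";
    if (off == offsetof(struct mtx_mirror, mtx_lock))                return "mtx_lock";
    return NULL;
}

/* Classify a faulting pointer; on a poison hit, store the field offset. */
static enum verdict classify_fault(uint64_t fault_addr, size_t *field_off)
{
    long off = poison_offset(fault_addr, 4096);
    if (off < 0)
        return FAULT_UNRELATED;
    *field_off = (size_t)off;
    return off == 0 ? FAULT_POISON_BASE : FAULT_POISON_FIELD;
}

/* Count how many 64-bit words of an object are entirely poison. */
static size_t poisoned_words(const uint64_t *words, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (words[i] == UMA_JUNK64)
            hits++;
    return hits;
}

int main(void)
{
    /* Constructed input: registers and the first words of *kn from the page. */
    const uint64_t rdi = 0xdeadc0dedeadc0f6ULL;   /* c= argument to __mtx_assert */
    const uint64_t rax = 0xfffff803c20c3740ULL;   /* td, a live thread pointer */
    const uint64_t kn_words[] = { UMA_JUNK64, UMA_JUNK64, UMA_JUNK64,
                                  UMA_JUNK64, UMA_JUNK64, UMA_JUNK64 }; /* ..kn_kq */
    size_t off = 0;
    enum verdict v = classify_fault(rdi, &off);
    const char *field = v == FAULT_POISON_FIELD ? mtx_field_at(off) : NULL;

    printf("rdi %#llx: %s, offset %#zx -> %s\n", (unsigned long long)rdi,
           v == FAULT_UNRELATED ? "not poison" : "poison+offset", off,
           field ? field : "(no field at that offset)");
    printf("rax %#llx: %s\n", (unsigned long long)rax,
           poison_offset(rax, 4096) < 0 ? "live pointer" : "poison");
    printf("%zu of %zu leading words of *kn are poison\n",
           poisoned_words(kn_words, 6), (size_t)6);
    return 0;
}
```

Running it reports rdi as poison plus 0x18, which the mirror resolves to mtx_lock, while rax (the thread pointer) is a normal kernel address and all six leading words of the knote are poison. That is the signature of a knote whose backing memory was freed before knote_fdclose walked the per-fd list, not of a constant data segment. The window of 4096 bytes is an arbitrary bound chosen for this example so that only small field offsets count as a poison hit.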