Date: Mon, 30 Mar 2026 08:30:38 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 293382] Dead lock and kernel crash around closefp_impl Message-ID: <bug-293382-227-LFfMTouT5v@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-293382-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293382 --- Comment #27 from Paul <devgs@ukr.net> --- Hi! It seems like latest changes have reduced the likelihood of the issue. My guess is: we are dealing with the use-after-free race and just by adding some additional (slow? like 'stack_save()'?) code to the 'free' function, we made it much, much less likely to occur. But anyway, it finally happened. Unread portion of the kernel message buffer: panic: Assertion kn->kn_kq == kq failed at /usr/src/sys/kern/kern_event.c:2859 cpuid = 3 time = 1774857902 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe069abdfbd0 vpanic() at vpanic+0x136/frame 0xfffffe069abdfd00 panic() at panic+0x43/frame 0xfffffe069abdfd60 knote_fdclose() at knote_fdclose+0x236/frame 0xfffffe069abdfdc0 closefp_impl() at closefp_impl+0xa8/frame 0xfffffe069abdfe00 amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe069abdff30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe069abdff30 --- syscall (6, FreeBSD ELF64, close), rip = 0x82d5be32a, rsp = 0x85b519b98, rbp = 0x85b519bb0 --- KDB: enter: panic (kgdb) bt #0 __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:57 #1 doadump (textdump=0) at /usr/src/sys/kern/kern_shutdown.c:399 #2 0xffffffff804b60a8 in db_fncall_generic (nargs=0, args=0xfffffe069abdf5f0, addr=<optimized out>, rv=<optimized out>) at /usr/src/sys/ddb/db_command.c:631 #3 db_fncall (dummy1=<optimized out>, dummy2=<optimized out>, dummy3=<optimized out>, dummy4=<optimized out>) at /usr/src/sys/ddb/db_command.c:679 #4 0xffffffff804b5b2d in db_command (last_cmdp=<optimized out>, cmd_table=<optimized out>, dopager=false) at /usr/src/sys/ddb/db_command.c:508 #5 0xffffffff804b5c76 in db_command_script (command=command@entry=0xffffffff81bd7722 <db_recursion_data+18> "call doadump") at /usr/src/sys/ddb/db_command.c:573 #6 0xffffffff804bba58 in db_script_exec (scriptname=scriptname@entry=0xfffffe069abdf7c0 "kdb.enter.panic", 
warnifnotfound=warnifnotfound@entry=0) at /usr/src/sys/ddb/db_script.c:301 #7 0xffffffff804bb952 in db_script_kdbenter (eventname=<optimized out>) at /usr/src/sys/ddb/db_script.c:323 #8 0xffffffff804b91e1 in db_trap (type=<optimized out>, code=<optimized out>) at /usr/src/sys/ddb/db_main.c:266 #9 0xffffffff80c1d01f in kdb_trap (type=type@entry=3, code=code@entry=0, tf=tf@entry=0xfffffe069abdfb10) at /usr/src/sys/kern/subr_kdb.c:790 #10 0xffffffff8112a96d in trap (frame=<optimized out>) at /usr/src/sys/amd64/amd64/trap.c:675 #11 <signal handler called> #12 kdb_enter (why=<optimized out>, msg=<optimized out>) at /usr/src/sys/kern/subr_kdb.c:556 #13 0xffffffff80bc9f9b in vpanic (fmt=0xffffffff812ec6bb "Assertion %s failed at %s:%d", ap=ap@entry=0xfffffe069abdfd40) at /usr/src/sys/kern/kern_shutdown.c:962 #14 0xffffffff80bc9e03 in panic (fmt=0xffffffff81da2290 <cnputs_mtx> "\254\214!\201\377\377\377\377") at /usr/src/sys/kern/kern_shutdown.c:887 #15 0xffffffff80b6bd26 in knote_fdclose (td=td@entry=0xff0100026dc5d780, fd=fd@entry=544408) at /usr/src/sys/kern/kern_event.c:2859 #16 0xffffffff80b63468 in closefp_impl (fdp=0xfffffe02c31fec90, fd=544408, fp=0xff01002710a27640, td=0xff0100026dc5d780, audit=true) at /usr/src/sys/kern/kern_descrip.c:1413 #17 0xffffffff8112b739 in syscallenter (td=0xff0100026dc5d780) at /usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:193 #18 amd64_syscall (td=0xff0100026dc5d780, traced=0) at /usr/src/sys/amd64/amd64/trap.c:1244 #19 <signal handler called> #20 0x000000082d5be32a in ?? 
() Backtrace stopped: Cannot access memory at address 0x85b519b98 (kgdb) fr 15 #15 0xffffffff80b6bd26 in knote_fdclose (td=td@entry=0xff0100026dc5d780, fd=fd@entry=544408) at /usr/src/sys/kern/kern_event.c:2859 2859 MPASS(kn->kn_kq == kq); (kgdb) p *((struct kqueue*)$r15) $11 = { kq_lock = { lock_object = { lo_name = 0xffffffff8133f15f "kqueue", lo_flags = 21168128, lo_data = 0, lo_witness = 0xff0100804bd8db80 }, mtx_lock = 18374967965079951232 }, kq_refcnt = 0, kq_list = { tqe_next = 0xff0100010ac21b00, tqe_prev = 0xff010002a0adb128 }, kq_head = { tqh_first = 0x0, tqh_last = 0xff0100010aac4b38 }, kq_count = 0, kq_sel = { si_tdlist = { tqh_first = 0x0, tqh_last = 0x0 }, si_note = { kl_list = { slh_first = 0x0 }, kl_lock = 0xffffffff80b6b420 <knlist_mtx_lock>, kl_unlock = 0xffffffff80b6b440 <knlist_mtx_unlock>, kl_assert_lock = 0xffffffff80b6b460 <knlist_mtx_assert_lock>, kl_lockarg = 0xff0100010aac4b00, kl_autodestroy = 0 }, si_mtx = 0x0 }, kq_sigio = 0x0, kq_fdp = 0xfffffe02c31fec90, kq_state = 0, kq_knlistsize = 685056, kq_knlist = 0xfffffe0bbf526000, kq_knhashmask = 0, kq_knhash = 0x0, kq_task = { ta_link = { stqe_next = 0x0 }, ta_pending = 0, ta_priority = 0 '\000', ta_flags = 0 '\000', ta_func = 0xffffffff80b6dd00 <kqueue_task>, ta_context = 0xff0100010aac4b00 }, kq_cred = 0xff0100010a9eb600, kq_forksrc = 0x0 } (kgdb) p *((struct eknote*)kn) $3 = { k = { kn_link = { sle_next = 0xdededededededede }, kn_selnext = { sle_next = 0xdededededededede }, kn_knlist = 0xdededededededede, kn_tqe = { tqe_next = 0xdededededededede, tqe_prev = 0xdededededededede }, kn_kq = 0xdededededededede, kn_kevent = { ident = 16059518370053021406, filter = -8482, flags = 57054, fflags = 3739147998, data = -2387225703656530210, udata = 0xdededededededede, ext = {16059518370053021406, 16059518370053021406, 16059518370053021406, 16059518370053021406} }, kn_hook = 0xdededededededede, kn_hookid = -555819298, kn_status = -555819298, kn_influx = -555819298, kn_sfflags = 3739147998, kn_sdata = 
-2387225703656530210, kn_ptr = { p_fp = 0xdededededededede, p_proc = 0xdededededededede, p_aio = 0xdededededededede, p_lio = 0xdededededededede, p_prison = 0xdededededededede, p_v = 0xdededededededede }, kn_fop = 0xdededededededede }, c = { kn_link = { sle_next = 0x0 }, kn_selnext = { sle_next = 0xffffffffffffffff }, kn_knlist = 0x0, kn_tqe = { tqe_next = 0xffffffffffffffff, tqe_prev = 0xffffffffffffffff }, kn_kq = 0xff0100010aac4b00, kn_kevent = { ident = 138904, filter = -1, flags = 32, fflags = 0, data = 0, udata = 0xdda7cbe67c0, ext = {0, 0, 0, 0} }, kn_hook = 0x0, kn_hookid = 0, kn_status = 8, kn_influx = 1, kn_sfflags = 0, kn_sdata = 0, kn_ptr = { p_fp = 0x0, p_proc = 0x0, p_aio = 0x0, p_lio = 0x0, p_prison = 0x0, p_v = 0x0 }, kn_fop = 0x0 }, s = { depth = 5, pcs = {18446744071574043258, 18446744071574043755, 18446744071574008936, 18446744071580071737, 18446744071579870491, 0 <repeats 13 times>} } } (kgdb) p (void*)18446744071574043258 $4 = (void *) 0xffffffff80b6ba7a <knote_drop_detached+554> (kgdb) p (void*)18446744071574043755 $5 = (void *) 0xffffffff80b6bc6b <knote_fdclose+379> (kgdb) p (void*)18446744071574008936 $6 = (void *) 0xffffffff80b63468 <closefp_impl+168> (kgdb) p (void*)18446744071580071737 $7 = (void *) 0xffffffff8112b739 <amd64_syscall+361> (kgdb) p (void*)18446744071579870491 $8 = (void *) 0xffffffff810fa51b <fast_syscall_common+248> Please, tell us if you need anything else. -- You are receiving this mail because: You are the assignee for the bug.home | help
