Date: Fri, 26 Aug 2016 05:17:58 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 212168] [panic] [UFS] use-after-free panic (0xdeadc0dedeadc0de)
Message-ID: <bug-212168-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212168

            Bug ID: 212168
           Summary: [panic] [UFS] use-after-free panic (0xdeadc0dedeadc0de)
           Product: Base System
           Version: 11.0-RC1
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: gjb@FreeBSD.org
                CC: mckusick@FreeBSD.org, re@FreeBSD.org

Created attachment 174085
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=174085&action=edit
ufs_panic.txt

The 11.0-RC1 FreeBSD/aarch64 architecture currently still has WITNESS and
INVARIANTS enabled (whether intentional or otherwise), however this appears
to be architecture-agnostic.

The root filesystem is:

  /dev/ada0p2 on / (ufs, local, journaled soft-updates)

During a buildworld loop on two systems with this setup, a panic was observed
on multiple occasions. The backtrace is attached, and the panic message on
the console was:

  Fatal data abort:
    x0: ffff000aa48ff4c0
    x1: ffff000aa48ff4c0
    x2: ffff0000005c90ff
    x3: 10b6
    x4: 0
    x5: 16
    x6: ffff0000005c90ff
    x7: db8
    x8: deadc0dedeadc0de
    x9: 1c
   x10: 8000
   x11: 0
   x12: 2
   x13: ffff0000007c07ec
   x14: ffff0000007c07a0
   x15: b
   x16: 2710
   x17: e00
   x18: ffff000b90150370
   x19: ffff000aa48ff4c0
   x20: ffff0000005e66d9
   x21: fffffd00278e0ce8
   x22: 0
   x23: a0020020
   x24: fffffd00278e0db8
   x25: fffffd0e7aa588f0
   x26: fffffd0027914600
   x27: a8b0d2f
   x28: a8b0d73
   x29: ffff000b901503f0
   x30: ffff000b901503f0
    sp: ffff000b90150370
    lr: ffff0000004d1438
   elr: ffff0000004b542c
  spsr: 60000345
   far: deadc0dedeadc376
   esr: 96000004
  [ thread pid 44795 tid 101060 ]
  Stopped at      softdep_disk_io_initiation+0x50:        ldr     x21, [x8, #664]

Following a cursory investigation by Peter:

FYI; I looked at the disassembled code from the cluster build, and observed
that the panic is right here:

        if ((wk = LIST_FIRST(&bp->b_dep)) == NULL)
                return;
        ump = VFSTOUFS(wk->wk_mp);
                       ^^^^^^^^^^^^^^^^^^^

There are a series of dereferences if bp->... so that's not it. However, wk
is the problem.
LIST_FIRST is returning the value 0xdeadc0dedeadc0de, so that means there is
a use-after-free.

There are a couple of possibilities:

* there is an aarch64 specific bug in the interrupt handling or locking
  somehow. However, we have had multiple exact crashes on exactly this so it
  really does not look like a race or locking bug.

* WITNESS / INVARIANTS are exposing a previously undetected use-after-free
  softdep bug. The act of having INVARIANTS/WITNESS on is causing an
  escalation from a normally harmless bug to a full crash.

If I had to guess, compiling without INVARIANTS/WITNESS will likely sweep the
problem back under the rug so you can get package builds done. If this
changes things then there is definitely a softdep bug in there.

--
You are receiving this mail because:
You are the assignee for the bug.
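To make the diagnosis above concrete, here is an added C example (not code from the bug report or the FreeBSD tree) that mimics the poison-on-free behaviour the panic exposes: a dependency list head read after its owning buffer is released returns the 0xdeadc0de fill pattern seen in x8, and subtracting that pattern from the fault address far recovers the 664-byte displacement used by the faulting ldr. The struct worklist, struct buf and list macro are simplified stand-ins for the kernel's definitions, and the poison fill is a constructed imitation of what a debug allocator does on free.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/* Fill pattern the report shows in x8 when a freed object is read again
 * (constructed stand-in for the kernel's INVARIANTS free poisoning). */
#define FREE_POISON 0xdeadc0dedeadc0deULL

/* Minimal stand-ins for the sys/queue.h LIST used by the softdep code. */
struct worklist { struct worklist *wk_next; void *wk_mp; };
struct buf      { struct worklist *b_dep_first; };
#define LIST_FIRST_DEMO(head) ((head)->b_dep_first)

/* Overwrite an object with the poison pattern, as a debug allocator does on
 * free(); memory stays mapped so the stale read returns the pattern. */
static void poison_on_free(void *obj, size_t len)
{
    uint64_t pat = FREE_POISON;
    for (size_t off = 0; off + sizeof pat <= len; off += sizeof pat)
        memcpy((char *)obj + off, &pat, sizeof pat);
}

/* Reproduce the failure shape: the dependency list head is read after the
 * buffer holding it was released. Returns 1 if the read yields the poison. */
int stale_list_head_is_poison(void)
{
    struct buf *bp = calloc(1, sizeof *bp);
    struct worklist *wk = calloc(1, sizeof *wk);
    bp->b_dep_first = wk;                 /* valid dependency attached */
    poison_on_free(bp, sizeof *bp);       /* bp released, pointer kept */
    struct worklist *stale = LIST_FIRST_DEMO(bp);   /* the use-after-free */
    int hit = (uintptr_t)stale == (uintptr_t)FREE_POISON;  /* compared, never dereferenced */
    free(bp); free(wk);
    return hit;
}

/* Recover the field offset from a fault address: far - poison equals the
 * displacement the faulting load used (the #664 of `ldr x21, [x8, #664]`). */
long poison_fault_offset(uint64_t far)
{
    return (long)(far - FREE_POISON);
}

int main(void)
{
    printf("stale head is poison: %d\n", stale_list_head_is_poison());
    printf("offset of wk_mp from far: %ld\n", poison_fault_offset(0xdeadc0dedeadc376ULL));
    return 0;
}
```

With the report's far value the offset comes out as 664, matching the immediate in the faulting instruction, which is how the poison value plus the disassembly pins the crash to the wk->wk_mp load.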