Date:      Wed, 13 Sep 2023 12:43:16 +0000
From:      bugzilla-noreply@freebsd.org
To:        fs@FreeBSD.org
Subject:   [Bug 268909] ZFS: panic from null pointer dereference in avl_rotation
Message-ID:  <bug-268909-3630-y0HXPN7Ikq@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-268909-3630@https.bugs.freebsd.org/bugzilla/>
References:  <bug-268909-3630@https.bugs.freebsd.org/bugzilla/>


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268909

--- Comment #1 from John F. Carr <jfc@mit.edu> ---
This happened again running 13.2-STABLE at 79ce96abd6c5.  It probably happened
a couple other times since my original submission when the system was unable to
save or analyze a crash.

The AVL tree is corrupt and avl_walk crashes following a bad pointer.

The initial node is

(kgdb) p/x *(avl_node_t *)0xfffff801476764a0
$20 = {avl_child = {0x0, 0xfffff80200004d20}, avl_pcb = 0xfffff801f1c461fa}

Following the avl_child[1] leads to

(kgdb) p/x *(avl_node_t *)0xfffff80200004d20
$21 = {avl_child = {0x395753c375b177a6, 0xfa91e69b009252c}, avl_pcb =
0xfffff801476764a6}

Following avl_child[0] leads to a GPF using 0x395753c375b177a6 as a base
address.

#7  avl_walk (tree=tree@entry=0xfffff80009178260, 
    oldnode=oldnode@entry=0xfffff80147676440, left=left@entry=1)
    at /usr/src/sys/contrib/openzfs/module/avl/avl.c:147
#8  0xffffffff81c1bea5 in scan_io_queue_gather (queue=0xfffff80009178200, 
    list=0xfffffe010f60eda8, rs=<optimized out>)
    at /usr/src/sys/contrib/openzfs/module/zfs/dsl_scan.c:2942
#9  scan_io_queues_run_one (arg=0xfffff80009178200)
    at /usr/src/sys/contrib/openzfs/module/zfs/dsl_scan.c:3093
#10 0xffffffff81b41bbf in taskq_run (arg=0xfffff80041735d80, 
    pending=<optimized out>)
    at /usr/src/sys/contrib/openzfs/module/os/freebsd/spl/spl_taskq.c:315

-- 
You are receiving this mail because:
You are the assignee for the bug.
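
Added example, not part of the original message or of OpenZFS: a small C program that decodes the two avl_node_t dumps quoted above and checks each link before it would be followed. It assumes the 64-bit avl_pcb packing from OpenZFS's avl_impl.h (parent pointer in bits 63..3, child index in bit 2, balance + 1 in bits 1..0) and amd64 with 48-bit virtual addresses; node_dump_t, plausible_link and check_node are names made up for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Raw words of one avl_node_t as printed by kgdb (node_dump_t is a made-up name). */
typedef struct { uint64_t child[2]; uint64_t pcb; } node_dump_t;

/* Values copied from the kgdb output in the message above. */
#define FIRST_ADDR  0xfffff801476764a0ULL
#define SECOND_ADDR 0xfffff80200004d20ULL
static const node_dump_t first_node  = { { 0x0, SECOND_ADDR }, 0xfffff801f1c461faULL };
static const node_dump_t second_node = { { 0x395753c375b177a6ULL, 0x0fa91e69b009252cULL },
                                         0xfffff801476764a6ULL };

/* 64-bit avl_pcb: bits 63..3 parent pointer, bit 2 child index, bits 1..0 balance + 1. */
static uint64_t pcb_parent(uint64_t pcb)  { return pcb & ~(uint64_t)7; }
static int      pcb_child(uint64_t pcb)   { return (int)((pcb >> 2) & 1); }
static int      pcb_balance(uint64_t pcb) { return (int)(pcb & 3) - 1; }

/* Assumes 48-bit virtual addresses: bits 63..47 must all be equal. */
static int is_canonical(uint64_t va)
{
    uint64_t top = va >> 47;
    return top == 0 || top == 0x1ffff;
}

/* A child link must be NULL or an 8-byte-aligned canonical upper-half address. */
static int plausible_link(uint64_t va)
{
    return va == 0 || (is_canonical(va) && (va >> 63) && (va & 7) == 0);
}

enum { BAD_CHILD0 = 1, BAD_CHILD1 = 2, BAD_BACKLINK = 4 };

/* Check a node reached through parent_addr's avl_child[slot]; returns a mask of failures. */
static int check_node(uint64_t parent_addr, int slot, const node_dump_t *n)
{
    int bad = 0;
    if (!plausible_link(n->child[0])) bad |= BAD_CHILD0;
    if (!plausible_link(n->child[1])) bad |= BAD_CHILD1;
    if (pcb_parent(n->pcb) != parent_addr || pcb_child(n->pcb) != slot)
        bad |= BAD_BACKLINK;
    return bad;
}

int main(void)
{
    printf("first node links ok: %d %d\n", plausible_link(first_node.child[0]),
        plausible_link(first_node.child[1]));
    printf("second node: parent=%#llx slot=%d balance=%d failures=%#x\n",
        (unsigned long long)pcb_parent(second_node.pcb), pcb_child(second_node.pcb),
        pcb_balance(second_node.pcb), check_node(FIRST_ADDR, 1, &second_node));
    return 0;
}
```

On these values the second node's avl_pcb decodes to parent 0xfffff801476764a0, child slot 1, balance +1, which agrees with the first node, while both of its avl_child words fail the canonical-address check.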

