[Bug 267935] panic: page fault in kern_osd.c on shutdown with one running vnet jail

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 22 Nov 2022 21:50:33 UTC

            Bug ID: 267935
           Summary: panic: page fault in kern_osd.c on shutdown with one
                    running vnet jail
           Product: Base System
           Version: 13.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: nsonack@outlook.com

This bug repeatedly occurs on a Thinkpad T440s in the following situation:

- Kernel in versions 13.1-RELEASE-p3 and 13.1-RELEASE-p4
- One manually created VNET Jail (with a epair interface attached to it)
- In the jail only PostgreSQL 15 is running
- Reboot or shut the host machine down
- It almost immediately panics and prints a pile of probably unrelated
  traces (which look like nested faults) à la:

  #0 0xffffffff80e5e323 at linux_dump_stack+0x23
  #1 0xffffffff83e5d620 at drm_atomic_helper_check_planes+0xb0
  #2 0xffffffff83d55e2a at intel_atomic_check+0x124a
  #3 0xffffffff83e5b360 at drm_atomic_check_only+0x400
  #4 0xffffffff83e5b793 at drm_atomic_commit+0x13
  #5 0xffffffff83e683b8 at drm_client_modeset_commit_atomic+0x148
  #6 0xffffffff83e68119 at drm_client_modeset_commit_force+0x69
  #7 0xffffffff83ea80ba at drm_fb_helper_restore_fbdev_mode_unlocked+0x7a
  #8 0xffffffff83ea2057 at vt_kms_postswitch+0x167
  #9 0xffffffff80a70a19 at vt_window_switch+0x2d9
  #10 0xffffffff80a6db7f at vtterm_cngrab+0x4f
  #11 0xffffffff80bb3956 at cngrab+0x26
  #12 0xffffffff80c1b654 at kern_reboot+0x354
  #13 0xffffffff80c1bbce at vpanic+0x1ee
  #14 0xffffffff80c1b9d3 at panic+0x43
  #15 0xffffffff810afdf5 at trap_fatal+0x385
  #16 0xffffffff810afe4f at trap_pfault+0x4f
  #17 0xffffffff810875b8 at calltrap+0x8

- kgdb reveals:

  #8  0xffffffff841003d0 in ?? ()
  No symbol table info available.
  #9  0xffffffff80bfc6ea in osd_call (type=type@entry=1, method=method@entry=5,
obj=obj@entry=0xfffff80019641000, data=data@entry=0x0)
      at /usr/src/sys/kern/kern_osd.c:401
          error = 0
          i = 4
          methodfun = 0xffffffff841003d0
  #10 0xffffffff80be0f22 in prison_deref (pr=0xfffff80019641000, flags=67) at
          freeprison = {tqh_first = 0x0, tqh_last = 0xfffffe000ede7e08}
          killpr = 0x0
          ppr = <optimized out>
          p = <optimized out>
          rpr = <optimized out>
          tpr = <optimized out>
  #11 0xffffffff80c7da81 in taskqueue_run_locked
(queue=queue@entry=0xfffff800016b5900) at
          et = {et_link = {tqe_next = 0xfffffe00105e01e0, tqe_prev =
0xffffffff811c863e}, et_td = 0x0, et_section = {bucket = 0}, et_old_priority =
0 '\000'}
          tb = {tb_running = 0xfffff80019641060, tb_seq = 322, tb_link =
{le_next = 0x0, le_prev = 0xfffff800016b5910}}
          in_net_epoch = false
          task = 0xfffff80019641060
          pending = 1
  #12 0xffffffff80c7ed92 in taskqueue_thread_loop (arg=<optimized out>,
arg@entry=0xffffffff81cf79b8 <taskqueue_thread>)
      at /usr/src/sys/kern/subr_taskqueue.c:794
          tqp = <optimized out>
          tq = 0xfffff800016b5900
  #13 0xffffffff80bd8a9e in fork_exit (callout=0xffffffff80c7ecd0
<taskqueue_thread_loop>, arg=0xffffffff81cf79b8 <taskqueue_thread>,
      at /usr/src/sys/kern/kern_fork.c:1093
          td = 0xfffffe00105e01e0
          p = 0xffffffff81c8d768 <proc0>
          dtd = <optimized out>
  #14 <signal handler called>
  No locals.
  #15 mi_startup () at /usr/src/sys/kern/init_main.c:322
          sipp = 0x8080808080808080
          xipp = <optimized out>
          save = <optimized out>
  Backtrace stopped: Cannot access memory at address 0x3000000028
  (kgdb) info registers
  rax            0x6                 6
  rbx            0x0                 0
  rcx            0xffffffff841003d0  -2079325232
  rdx            0x1d                29
  rsi            0x0                 0
  rdi            0xfffff80019641000  -8795667034112
  rbp            0xfffffe000ede7de0  0xfffffe000ede7de0
  rsp            0xfffffe000ede7d98  0xfffffe000ede7d98
  r8             0xffffffff8190be60  -2121220512
  r9             0x0                 0
  r10            0x7d0               2000
  r11            0x801973db          2149151707
  r12            0xfffff80019641000  -8795667034112
  r13            0x5                 5
  r14            0xffffffff8190bef8  -2121220360
  r15            0x4                 4
  rip            0xffffffff841003d0  0xffffffff841003d0
  eflags         0x10282             [ SF IF RF ]
  cs             0x20                32
  ss             0x28                40
  ds             <unavailable>
  es             <unavailable>
  fs             <unavailable>
  gs             <unavailable>
  fs_base        <unavailable>
  gs_base        <unavailable>
  (kgdb) frame 8
  #8  0xffffffff841003d0 in ?? ()

  I do not know what is loaded at 0xffffffff841003d0. From frame 9, osd_call's
  methodfun holds that same address and rip points there too, so the fault
  appears to happen when osd_call jumps to that method pointer.

  If you need more information or any of the files in /var/crash,
  please let me know. I also haven't tested whether this bug is reproducible
  on other machines, but judging by the contents of /var/crash this is at
  least the 7th time I have seen it.

  Minor note: The crash does not occur when I stop the jail before shutting
  down the machine.
