From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 268909] [zfs] panic from null pointer dereference in avl_rotation
Date: Thu, 12 Jan 2023 16:32:00 +0000
List-Id: Bug reports
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268909

            Bug ID: 268909
           Summary: [zfs] panic from null pointer dereference in avl_rotation
           Product: Base System
           Version: 13.1-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: jfc@mit.edu

During a ZFS scrub my kernel crashed in openzfs/module/avl/avl.c function
avl_rotation because gchild was null in this code:

	gchild = child->avl_child[right];
	gleft = gchild->avl_child[left];
	gright = gchild->avl_child[right];

Longer:

While a zpool scrub was active and nothing else was going on my system
crashed due to a page fault in kernel mode. Faulting address was 0x8.

Hardware is

  CPU: AMD Opteron(tm) X3421 APU (2096.10-MHz K8-class CPU)
    Origin="AuthenticAMD"  Id=0x660f01  Family=0x15  Model=0x60  Stepping=1

Software is 13.1-STABLE as of January 9 (f61fca7409f6).

Call chain at fault is

  avl_rotation + 0x51
  avl_remove + 0x1b3
  scan_io_queues_run_one + 0xad3
  taskq_run + 0x1f

Thread name is "zfskern/dsl_scan_iss".
The struct trapframe passed to trap_pfault holds

  (lldb) p/x *frame
  (trapframe) $2 = {
    tf_rdi = 0xfffff800c1210460
    tf_rsi = 0xfffff80300b0d968
    tf_rdx = 0x0000000000000001
    tf_rcx = 0x0000000000000001
    tf_r8 = 0xfffff80300b0d968
    tf_r9 = 0xfffff802674b7a78
    tf_rax = 0x00000000ffffffff
    tf_rbx = 0x00000000ffffffff
    tf_rbp = 0xfffffe0125165ca0
    tf_r10 = 0x0000000000000000
    tf_r11 = 0xfffff80300000a78
    tf_r12 = 0x0000000000000000
    tf_r13 = 0x0000000000000000
    tf_r14 = 0x0000000000000000
    tf_r15 = 0xfffff802674b7a78
    tf_trapno = 0x0000000c
    tf_fs = 0x0013
    tf_gs = 0x001b
    tf_addr = 0x0000000000000008
    tf_flags = 0x00000001
    tf_es = 0x003b
    tf_ds = 0x003b
    tf_err = 0x0000000000000000
    tf_rip = 0xffffffff81d0f461
    tf_cs = 0x0000000000000020
    tf_rflags = 0x0000000000010246
    tf_rsp = 0xfffffe0125165c68
    tf_ss = 0x0000000000000028
  }

The faulting instruction is the load (movq) at address 0x461 in the
annotated disassembly below. It corresponds to line 409 of avl.c.

  # avl_rotation(avl_tree_t *tree, avl_node_t *node, int balance)
  0x410: 55                pushq   %rbp
  0x411: 48 89 e5          movq    %rsp, %rbp
  0x414: 41 57             pushq   %r15
  0x416: 41 56             pushq   %r14
  0x418: 41 55             pushq   %r13
  0x41a: 41 54             pushq   %r12
  0x41c: 53                pushq   %rbx
  0x41d: 48 83 ec 10       subq    $0x10, %rsp
  0x421: 49 89 f0          movq    %rsi, %r8
  0x424: 89 d1             movl    %edx, %ecx
  0x426: f7 d1             notl    %ecx
  0x428: c1 e9 1f          shrl    $0x1f, %ecx          # left = 1
  0x42b: 41 89 ca          movl    %ecx, %r10d
  0x42e: 41 83 f2 01       xorl    $0x1, %r10d          # right = 0
  0x432: d1 fa             sarl    %edx
  0x434: 89 d0             movl    %edx, %eax
  0x436: f7 d8             negl    %eax                 # right_heavy = -1
  0x438: 4c 8b 4e 10       movq    0x10(%rsi), %r9
  0x43c: 8f 4a 78 10 ...   bextrl  $0x102, %r9d, %r13d
  0x445: 49 83 e1 f8       andq    $-0x8, %r9
  0x449: 4c 8b 1c ce       movq    (%rsi,%rcx,8), %r11  # child = 0xfffff80300000a78
  0x44d: 41 8b 5b 10       movl    0x10(%r11), %ebx
  0x451: 83 e3 03          andl    $0x3, %ebx
  0x454: ff cb             decl    %ebx                 # child_bal = -1
  0x456: 39 c3             cmpl    %eax, %ebx
  0x458: 75 73             jne     0x4cd                # first if (...)
  0x45a: 45 89 d6          movl    %r10d, %r14d
  0x45d: 4f 8b 24 f3       movq    (%r11,%r14,8), %r12  # loads null
  0x461: 4d 8b 3c cc       movq    (%r12,%rcx,8), %r15  # page fault %r12=0, %rcx=1
  0x465: 4b 8b 1c f4       movq    (%r12,%r14,8), %rbx
  0x469: 49 89 1c c8       movq    %rbx, (%r8,%rcx,8)
  0x46d: 48 85 db          testq   %rbx, %rbx
  0x470: 74 2c             je      0x49e                # if (gright != NULL)
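An added illustration, written for this page and not part of the bug report or of the OpenZFS sources, of what the null gchild implies. In a consistent AVL tree a node whose balance says it is heavy toward one side must have a child on that side, so avl_rotation's second case can only reach a NULL grandchild if the balance bits and the child pointers already disagreed. The code below uses a simplified stand-in for avl_node_t (avl_child[0] left, avl_child[1] right, balance as a plain int instead of the packed avl_pcb word; the function names avl_check and avl_rotation_precheck are mine), reproduces the index arithmetic the annotated disassembly shows (balance = +2 gives left = 1, right = 0, right_heavy = -1), and flags the inconsistency on a constructed tree instead of dereferencing through it. The offset of avl_child[1] is also why the faulting address was 8 with %r12 = 0 and %rcx = 1.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Simplified stand-in for OpenZFS's avl_node_t (assumption, not the real
 * layout): avl_child[0] is the left child, avl_child[1] the right child.
 * Balance: -1 left heavy, 0 balanced, +1 right heavy.
 */
typedef struct avl_node {
	struct avl_node	*avl_child[2];
	int		 avl_balance;
} avl_node_t;

#define	AVL_BAD_HEIGHT	(-1)

/*
 * Recompute heights bottom-up and return the height of 'node' (0 for NULL),
 * or AVL_BAD_HEIGHT when some node's stored balance is not
 * height(right) - height(left) or lies outside [-1, 1].
 * *bad receives the first offending node.
 */
int
avl_check(const avl_node_t *node, const avl_node_t **bad)
{
	int lh, rh;

	if (node == NULL)
		return (0);
	lh = avl_check(node->avl_child[0], bad);
	if (lh == AVL_BAD_HEIGHT)
		return (AVL_BAD_HEIGHT);
	rh = avl_check(node->avl_child[1], bad);
	if (rh == AVL_BAD_HEIGHT)
		return (AVL_BAD_HEIGHT);
	if (node->avl_balance < -1 || node->avl_balance > 1 ||
	    rh - lh != node->avl_balance) {
		if (bad != NULL && *bad == NULL)
			*bad = node;
		return (AVL_BAD_HEIGHT);
	}
	return ((lh > rh ? lh : rh) + 1);
}

/*
 * Mirror the index arithmetic at the top of avl_rotation() and classify
 * what the rotation would read for a node out of balance by 'balance':
 *   0  case 1: child is not heavy toward 'right', no grandchild is needed
 *   1  case 2: child->avl_child[right] exists, the double rotation is safe
 *  -1  case 2 but that grandchild is NULL; the real code faults here, and a
 *      tree whose balance bits match its pointers can never get here
 */
int
avl_rotation_precheck(const avl_node_t *node, int balance)
{
	int left = !(balance < 0);		/* heavy side of 'node' */
	int right = 1 - left;
	int right_heavy = -(balance >> 1);	/* arithmetic shift, as in avl.c */
	const avl_node_t *child = node->avl_child[left];

	if (child == NULL)
		return (-1);			/* |balance| == 2 implies a child */
	if (child->avl_balance != right_heavy)
		return (0);
	return (child->avl_child[right] != NULL ? 1 : -1);
}

/* Constructed nodes for the two scenarios below (no real kernel data). */
static avl_node_t valid_n, valid_c, valid_g;
static avl_node_t bad_n, bad_c, bad_cr;

/* n is right heavy by two after a removal on its left; c is left heavy. */
const avl_node_t *
build_valid_case2(void)
{
	valid_g = (avl_node_t){ { NULL, NULL }, 0 };
	valid_c = (avl_node_t){ { &valid_g, NULL }, -1 };
	valid_n = (avl_node_t){ { NULL, &valid_c }, 2 };
	return (&valid_n);
}

/* Same shape, but c claims to be left heavy while its left child is NULL. */
const avl_node_t *
build_corrupt_case2(void)
{
	bad_cr = (avl_node_t){ { NULL, NULL }, 0 };
	bad_c = (avl_node_t){ { NULL, &bad_cr }, -1 };
	bad_n = (avl_node_t){ { NULL, &bad_c }, 2 };
	return (&bad_n);
}

int
main(void)
{
	const avl_node_t *n, *bad = NULL;

	n = build_valid_case2();
	printf("valid:   precheck=%d child height=%d\n",
	    avl_rotation_precheck(n, 2), avl_check(n->avl_child[1], &bad));
	n = build_corrupt_case2();
	printf("corrupt: precheck=%d check=%d bad=%s\n",
	    avl_rotation_precheck(n, 2), avl_check(n->avl_child[1], &bad),
	    bad == n->avl_child[1] ? "child" : "other");
	return (0);
}
```

A walk like avl_check is what a debug build or a post-mortem script over the dumped tree would run to find the first node whose balance bits disagree with its pointers; the precheck shows that, with the register values in the report, the load at 0x461 is reached only through such a disagreement.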