[Bug 287438] fusefs: page fault during fuse_internal_init_callback if it gets unmounted too soon

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 10 Jun 2025 23:31:12 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287438

            Bug ID: 287438
           Summary: fusefs: page fault during fuse_internal_init_callback
                    if it gets unmounted too soon
           Product: Base System
           Version: 15.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: asomers@FreeBSD.org

A few times in production I've seen a crash like this.  I've seen it in 14.1,
14.2, and 15.0-CURRENT.  I have a reproduction case, but it's quite
complicated, involving the addition of multiple sleeps to the kernel in order
to trigger the race.  I'll try to simplify it if I can before I commit it.  I
don't yet have a solution to the bug.

The essence of the test case is that something tries to unmount the file system
even before the daemon has responded to FUSE_INIT, but then a signal kills the
process doing the unmount, and the fuse_vfsop_unmount call gets interlaced with
the fuse_internal_init_callback call.

[1022978] Fatal trap 12: page fault while in kernel mode
[1022978] cpuid = 18; apic id = 84
[1022978] fault virtual address = 0x9e0
[1022978] fault code            = supervisor read data, page not present
[1022978] instruction pointer   = 0x20:0xffffffff825fec64
[1022978] stack pointer         = 0x28:0xfffffe1dc2663ca0
[1022978] frame pointer         = 0x28:0xfffffe1dc2663cc0
[1022978] code segment          = base 0x0, limit 0xfffff, type 0x1b
[1022978]                       = DPL 0, pres 1, long 1, def32 0, gran 1
[1022978] processor eflags      = interrupt enabled, resume, IOPL = 0
[1022978] current process               = 27382 (fuse-ext2)
[1022979] rdi: 0000000000000013 rsi: 0000000000000007 rdx: 0000000000000000
[1022979] rcx: fffffe1c02e88701  r8: 0000001100010000  r9: 0000001100010000
[1022979] rax: 0000000000000000 rbx: fffff8c33d845d80 rbp: fffffe1dc2663cc0
[1022979] r10: 0002000000000000 r11: fffffe1c02e88c60 r12: fffffe1c02e88740
[1022979] r13: 0000000000000000 r14: fffffe1af9a9f000 r15: fffff897205465c0
[1022979] trap number           = 12
[1022979] panic: page fault 
[1022979] cpuid = 18
[1022979] time = 1717989244
[1022979] KDB: stack backtrace:
[1022979] db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame
0xfffffe1dc2663980
[1022979] vpanic() at vpanic+0x132/frame 0xfffffe1dc2663ab0
[1022979] panic() at panic+0x43/frame 0xfffffe1dc2663b10
[1022979] trap_fatal() at trap_fatal+0x40c/frame 0xfffffe1dc2663b70
[1022979] trap_pfault() at trap_pfault+0x4f/frame 0xfffffe1dc2663bd0
[1022979] calltrap() at calltrap+0x8/frame 0xfffffe1dc2663bd0
[1022979] --- trap 0xc, rip = 0xffffffff825fec64, rsp = 0xfffffe1dc2663ca0, rbp
= 0xfffffe1dc2663cc0 ---
[1022979] fuse_internal_init_callback() at
fuse_internal_init_callback+0x344/frame 0xfffffe1dc2663cc0
[1022979] fuse_device_write() at fuse_device_write+0x3ca/frame
0xfffffe1dc2663d10
[1022979] devfs_write_f() at devfs_write_f+0xe0/frame 0xfffffe1dc2663d70
[1022979] dofilewrite() at dofilewrite+0x86/frame 0xfffffe1dc2663dc0
[1022979] sys_writev() at sys_writev+0x6c/frame 0xfffffe1dc2663e00
[1022979] amd64_syscall() at amd64_syscall+0x75c/frame 0xfffffe1dc2663f30
[1022979] fast_syscall_common() at fast_syscall_common+0xf8/frame
0xfffffe1dc2663f30
[1022979] --- syscall (121, FreeBSD ELF64, writev), rip = 0x823b703da, rsp =
0x820d7a888, rbp = 0x820d7a8b0 ---
[1022979] KDB: enter: panic
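The trap frame above already says a lot before any source is opened: the fault virtual address is 0x9e0, which is far below any mapped page, so the faulting load is almost certainly a NULL base pointer plus a struct member offset, and the first frame below the `--- trap ---` marker names the function that faulted. The following script is an added triage helper, not part of the bug report or of FreeBSD: it parses a FreeBSD `Fatal trap 12` panic (re-joining lines a mail client wrapped), pulls out the trap, registers, backtrace and syscall context, and classifies the fault address. The `0x10000` window for "small address" faults is a heuristic chosen here, not a kernel constant; the sample input is the panic text quoted above, abridged by dropping the duplicated cpuid and time lines.

```python
import re

# Sample input: the panic text quoted from the bug report above, kept as it
# arrives in the mail (backtrace lines wrapped at 80 columns); the repeated
# "cpuid" and "time" lines are omitted for brevity.
SAMPLE_PANIC = """\
[1022978] Fatal trap 12: page fault while in kernel mode
[1022978] fault virtual address = 0x9e0
[1022978] fault code            = supervisor read data, page not present
[1022978] instruction pointer   = 0x20:0xffffffff825fec64
[1022978] stack pointer         = 0x28:0xfffffe1dc2663ca0
[1022978] frame pointer         = 0x28:0xfffffe1dc2663cc0
[1022978] code segment          = base 0x0, limit 0xfffff, type 0x1b
[1022978]                       = DPL 0, pres 1, long 1, def32 0, gran 1
[1022978] processor eflags      = interrupt enabled, resume, IOPL = 0
[1022978] current process               = 27382 (fuse-ext2)
[1022979] rdi: 0000000000000013 rsi: 0000000000000007 rdx: 0000000000000000
[1022979] rcx: fffffe1c02e88701  r8: 0000001100010000  r9: 0000001100010000
[1022979] rax: 0000000000000000 rbx: fffff8c33d845d80 rbp: fffffe1dc2663cc0
[1022979] r10: 0002000000000000 r11: fffffe1c02e88c60 r12: fffffe1c02e88740
[1022979] r13: 0000000000000000 r14: fffffe1af9a9f000 r15: fffff897205465c0
[1022979] trap number           = 12
[1022979] panic: page fault
[1022979] KDB: stack backtrace:
[1022979] db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame
0xfffffe1dc2663980
[1022979] vpanic() at vpanic+0x132/frame 0xfffffe1dc2663ab0
[1022979] panic() at panic+0x43/frame 0xfffffe1dc2663b10
[1022979] trap_fatal() at trap_fatal+0x40c/frame 0xfffffe1dc2663b70
[1022979] trap_pfault() at trap_pfault+0x4f/frame 0xfffffe1dc2663bd0
[1022979] calltrap() at calltrap+0x8/frame 0xfffffe1dc2663bd0
[1022979] --- trap 0xc, rip = 0xffffffff825fec64, rsp = 0xfffffe1dc2663ca0, rbp
= 0xfffffe1dc2663cc0 ---
[1022979] fuse_internal_init_callback() at
fuse_internal_init_callback+0x344/frame 0xfffffe1dc2663cc0
[1022979] fuse_device_write() at fuse_device_write+0x3ca/frame
0xfffffe1dc2663d10
[1022979] devfs_write_f() at devfs_write_f+0xe0/frame 0xfffffe1dc2663d70
[1022979] dofilewrite() at dofilewrite+0x86/frame 0xfffffe1dc2663dc0
[1022979] sys_writev() at sys_writev+0x6c/frame 0xfffffe1dc2663e00
[1022979] amd64_syscall() at amd64_syscall+0x75c/frame 0xfffffe1dc2663f30
[1022979] fast_syscall_common() at fast_syscall_common+0xf8/frame
0xfffffe1dc2663f30
[1022979] --- syscall (121, FreeBSD ELF64, writev), rip = 0x823b703da, rsp =
0x820d7a888, rbp = 0x820d7a8b0 ---
[1022979] KDB: enter: panic
"""

PREFIX_RE = re.compile(r"^\[\d+\]\s?(.*)$")
FRAME_RE = re.compile(r"^(\w+)\(\) at (\w+)\+0x([0-9a-f]+)/frame 0x([0-9a-f]+)$")
TRAP_MARK_RE = re.compile(r"^--- trap 0x([0-9a-f]+), rip = 0x([0-9a-f]+),")
SYSCALL_RE = re.compile(r"^--- syscall \((\d+), ([^,]+), (\w+)\)")
REG_RE = re.compile(r"(r[a-z0-9]+): ([0-9a-f]{16})")
FIELD_RE = re.compile(r"^([a-z ]+?)\s*=\s*(.*)$")


def unwrap_lines(text):
    """Re-join mail-wrapped output: a physical line without a [counter] prefix,
    or whose content starts with '=', continues the previous logical line."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = PREFIX_RE.match(raw)
        content = m.group(1).strip() if m else raw.strip()
        if lines and (m is None or content.startswith("=")):
            lines[-1] += " " + content
        else:
            lines.append(content)
    return lines


def parse_panic(text):
    """Extract trap, fault address, registers, backtrace, faulting frame and syscall."""
    info = {"fields": {}, "registers": {}, "frames": [], "faulting_frame": None}
    past_trap_marker = False
    for line in unwrap_lines(text):
        m = re.match(r"^Fatal trap (\d+): (.*)$", line)
        if m:
            info["trap"], info["trap_desc"] = int(m.group(1)), m.group(2)
            continue
        m = FRAME_RE.match(line)
        if m:
            frame = {"func": m.group(1), "offset": int(m.group(3), 16),
                     "frame": int(m.group(4), 16)}
            info["frames"].append(frame)
            # The first frame below the "--- trap ---" marker is the code that faulted;
            # everything above it is the panic/trap machinery itself.
            if past_trap_marker and info["faulting_frame"] is None:
                info["faulting_frame"] = frame
            continue
        m = TRAP_MARK_RE.match(line)
        if m:
            past_trap_marker = True
            info["trap_rip"] = int(m.group(2), 16)
            continue
        m = SYSCALL_RE.match(line)
        if m:
            info["syscall"] = {"number": int(m.group(1)), "abi": m.group(2), "name": m.group(3)}
            continue
        if re.match(r"^r[a-z0-9]+: ", line):
            info["registers"].update((r, int(v, 16)) for r, v in REG_RE.findall(line))
            continue
        m = FIELD_RE.match(line)
        if m:
            info["fields"][m.group(1).strip()] = m.group(2).strip()
    addr = info["fields"].get("fault virtual address")
    info["fault_addr"] = int(addr, 16) if addr else None
    m = re.match(r"^(\d+) \((.*)\)$", info["fields"].get("current process", ""))
    if m:
        info["process"] = {"pid": int(m.group(1)), "name": m.group(2)}
    return info


def classify_fault(info, null_window=0x10000):
    """Heuristic triage: an address this close to zero is a NULL base pointer plus a
    struct member offset. Registers holding 0 are listed as candidates for that base."""
    addr = info.get("fault_addr")
    if addr is None:
        return {"kind": "unknown"}
    if addr < null_window:
        zero_regs = sorted(r for r, v in info["registers"].items() if v == 0)
        return {"kind": "null-deref", "member_offset": addr, "zero_registers": zero_regs}
    if addr >= 0xffff800000000000:  # amd64 kernel half of the address space
        return {"kind": "kernel-address", "address": addr}
    return {"kind": "user-address", "address": addr}


def summarize(info):
    """One-line triage summary suitable for a bug title or an alert."""
    ff = info["faulting_frame"]
    c = classify_fault(info)
    where = f"{ff['func']}+0x{ff['offset']:x}" if ff else "unknown frame"
    proc = info.get("process", {})
    tail = f", member offset 0x{c['member_offset']:x}" if c["kind"] == "null-deref" else ""
    return (f"trap {info['trap']} in {where}, pid {proc.get('pid')} ({proc.get('name')}), "
            f"syscall {info.get('syscall', {}).get('name')}: {c['kind']}{tail}")


if __name__ == "__main__":
    print(summarize(parse_panic(SAMPLE_PANIC)))
```

On the panic above this yields a null-deref classification with member offset 0x9e0 in `fuse_internal_init_callback+0x344`, reached from `writev(2)` by the fuse-ext2 daemon, with rax, rdx and r13 all zero; that matches the reporter's description of the callback running against mount state that the interrupted unmount has already torn down. Which of those registers held the base pointer, and which struct member sits at 0x9e0, still has to be read from the disassembly at the faulting rip.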
