[Bug 293382] Dead lock and kernel crash around closefp_impl

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 08 Apr 2026 14:59:32 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293382

--- Comment #43 from Paul <devgs@ukr.net> ---
Hi!

We have another panic: a page fault on address 0x0 in knote_drop_detached() (the SLIST_REMOVE at kern_event.c:2950), reached from close(2) via closefp_impl() -> knote_fdclose() -> knote_drop(). The panic message, the kgdb backtrace, and the state of the knote, its kqueue and the kqueue's klist slot for the knote's ident follow.

Fatal trap 12: page fault while in kernel mode
cpuid = 7; apic id = 13
fault virtual address   = 0x0
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80b72503
stack pointer           = 0x28:0xfffffe069ae28d40
frame pointer           = 0x28:0xfffffe069ae28d70
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 29500 (asy:http:s)
rdi: ff01000107b11500 rsi: 0000000000000008 rdx: 0000000000000001
rcx: 0000000000000000  r8: 0000000000000002  r9: ffffffff82252ef0
rax: 0000000000000000 rbx: ff0100772fd78668 rbp: fffffe069ae28d70
r10: 0000000000000000 r11: 0000000000000004 r12: ff01000107b11500
r13: ff0100772fd78668 r14: ff01007278e4e780 r15: ff01000107b11518
trap number             = 12
panic: page fault
cpuid = 7
time = 1775658023
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe069ae28a70
vpanic() at vpanic+0x136/frame 0xfffffe069ae28ba0
panic() at panic+0x43/frame 0xfffffe069ae28c00
trap_pfault() at trap_pfault+0x422/frame 0xfffffe069ae28c70
calltrap() at calltrap+0x8/frame 0xfffffe069ae28c70
--- trap 0xc, rip = 0xffffffff80b72503, rsp = 0xfffffe069ae28d40, rbp =
0xfffffe069ae28d70 ---
knote_drop_detached() at knote_drop_detached+0x113/frame 0xfffffe069ae28d70
knote_fdclose() at knote_fdclose+0x17f/frame 0xfffffe069ae28dc0
closefp_impl() at closefp_impl+0xa8/frame 0xfffffe069ae28e00
amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe069ae28f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe069ae28f30
--- syscall (6, FreeBSD ELF64, close), rip = 0x82d1d232a, rsp = 0x858670b98,
rbp = 0x858670bb0 ---
KDB: enter: panic

(kgdb) bt
#0  __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:57
#1  doadump (textdump=0) at /usr/src/sys/kern/kern_shutdown.c:399
#2  0xffffffff804b60a8 in db_fncall_generic (nargs=0, args=0xfffffe069ae28490,
addr=<optimized out>, rv=<optimized out>) at /usr/src/sys/ddb/db_command.c:631
#3  db_fncall (dummy1=<optimized out>, dummy2=<optimized out>,
dummy3=<optimized out>, dummy4=<optimized out>) at
/usr/src/sys/ddb/db_command.c:679
#4  0xffffffff804b5b2d in db_command (last_cmdp=<optimized out>,
cmd_table=<optimized out>, dopager=false) at /usr/src/sys/ddb/db_command.c:508
#5  0xffffffff804b5c76 in db_command_script
(command=command@entry=0xffffffff81bd7722 <db_recursion_data+18> "call
doadump") at /usr/src/sys/ddb/db_command.c:573
#6  0xffffffff804bba58 in db_script_exec
(scriptname=scriptname@entry=0xfffffe069ae28660 "kdb.enter.panic",
warnifnotfound=warnifnotfound@entry=0) at /usr/src/sys/ddb/db_script.c:301
#7  0xffffffff804bb952 in db_script_kdbenter (eventname=<optimized out>) at
/usr/src/sys/ddb/db_script.c:323
#8  0xffffffff804b91e1 in db_trap (type=<optimized out>, code=<optimized out>)
at /usr/src/sys/ddb/db_main.c:266
#9  0xffffffff80c23c0f in kdb_trap (type=type@entry=3, code=code@entry=0,
tf=tf@entry=0xfffffe069ae289b0) at /usr/src/sys/kern/subr_kdb.c:790
#10 0xffffffff811318fd in trap (frame=<optimized out>) at
/usr/src/sys/amd64/amd64/trap.c:697
#11 <signal handler called>
#12 kdb_enter (why=<optimized out>, msg=<optimized out>) at
/usr/src/sys/kern/subr_kdb.c:556
#13 0xffffffff80bd0b8b in vpanic (fmt=0xffffffff812bd9d3 "%s",
ap=ap@entry=0xfffffe069ae28be0) at /usr/src/sys/kern/kern_shutdown.c:962
#14 0xffffffff80bd09f3 in panic (fmt=0xffffffff81da22a0 <cnputs_mtx>
"\325\376!\201\377\377\377\377") at /usr/src/sys/kern/kern_shutdown.c:887
#15 0xffffffff81132082 in trap_fatal (frame=<optimized out>, eva=<optimized
out>) at /usr/src/sys/amd64/amd64/trap.c:1028
#16 0xffffffff81132082 in trap_pfault (frame=0xfffffe069ae28c80,
usermode=false, signo=<optimized out>, ucode=<optimized out>)
#17 <signal handler called>
#18 0xffffffff80b72503 in knote_drop_detached (kn=kn@entry=0xff0100772fd78668,
td=td@entry=0xff01007278e4e780) at /usr/src/sys/kern/kern_event.c:2950
#19 0xffffffff80b7284f in knote_drop (td=0xff01007278e4e780, kn=<optimized
out>) at /usr/src/sys/kern/kern_event.c:2915
#20 knote_fdclose (td=td@entry=0xff01007278e4e780, fd=fd@entry=211098) at
/usr/src/sys/kern/kern_event.c:2875
#21 0xffffffff80b69fd8 in closefp_impl (fdp=0xfffffe0694c620c0, fd=211098,
fp=0xff010004c3517c80, td=0xff01007278e4e780, audit=true) at
/usr/src/sys/kern/kern_descrip.c:1413
#22 0xffffffff81132739 in syscallenter (td=0xff01007278e4e780) at
/usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:193
#23 amd64_syscall (td=0xff01007278e4e780, traced=0) at
/usr/src/sys/amd64/amd64/trap.c:1267
#24 <signal handler called>
#25 0x000000082d1d232a in ?? ()
Backtrace stopped: Cannot access memory at address 0x858670b98
(kgdb) fr 18
#18 0xffffffff80b72503 in knote_drop_detached (kn=kn@entry=0xff0100772fd78668,
td=td@entry=0xff01007278e4e780) at /usr/src/sys/kern/kern_event.c:2950
2950            SLIST_REMOVE(list, kn, knote, kn_link);
(kgdb) p *((struct eknote*)kn)
$1 = {
  k = {
    kn_link = {
      sle_next = 0x0
    },
    kn_selnext = {
      sle_next = 0xffffffffffffffff
    },
    kn_knlist = 0x0,
    kn_tqe = {
      tqe_next = 0xffffffffffffffff,
      tqe_prev = 0xffffffffffffffff
    },
    kn_kq = 0xff01000107b11500,
    kn_kevent = {
      ident = 76954,
      filter = -1,
      flags = 32,
      fflags = 0,
      data = 0,
      udata = 0x1b2102fcfc40,
      ext = {0, 0, 0, 0}
    },
    kn_hook = 0x0,
    kn_hookid = 0,
    kn_status = 8,
    kn_influx = 1,
    kn_sfflags = 0,
    kn_sdata = 0,
    kn_ptr = {
      p_fp = 0xff010062f4444af0,
      p_proc = 0xff010062f4444af0,
      p_aio = 0xff010062f4444af0,
      p_lio = 0xff010062f4444af0,
      p_prison = 0xff010062f4444af0,
      p_v = 0xff010062f4444af0
    },
    kn_fop = 0xffffffff814dd960 <soread_filtops>
  },
  c = {
    kn_link = {
      sle_next = 0x0
    },
    kn_selnext = {
      sle_next = 0x0
    },
    kn_knlist = 0x0,
    kn_tqe = {
      tqe_next = 0x0,
      tqe_prev = 0x0
    },
    kn_kq = 0x0,
    kn_kevent = {
      ident = 0,
      filter = 0,
      flags = 0,
      fflags = 0,
      data = 0,
      udata = 0x0,
      ext = {0, 0, 0, 0}
    },
    kn_hook = 0x0,
    kn_hookid = 0,
    kn_status = 0,
    kn_influx = 0,
    kn_sfflags = 0,
    kn_sdata = 0,
    kn_ptr = {
      p_fp = 0x0,
      p_proc = 0x0,
      p_aio = 0x0,
      p_lio = 0x0,
      p_prison = 0x0,
      p_v = 0x0
    },
    kn_fop = 0x0
  },
  on_kn_link = 0
}
(kgdb) p kq
$2 = (struct kqueue *) 0xff01000107b11500
(kgdb) p *kq
$3 = {
  kq_lock = {
    lock_object = {
      lo_name = 0xffffffff813464c6 "kqueue",
      lo_flags = 21168128,
      lo_data = 0,
      lo_witness = 0xff0100804bd8db80
    },
    mtx_lock = 18374968446302873472
  },
  kq_refcnt = 0,
  kq_list = {
    tqe_next = 0xff010001dd4fac00,
    tqe_prev = 0xff010077e823d828
  },
  kq_head = {
    tqh_first = 0x0,
    tqh_last = 0xff01000107b11538
  },
  kq_count = 0,
  kq_sel = {
    si_tdlist = {
      tqh_first = 0x0,
      tqh_last = 0x0
    },
    si_note = {
      kl_list = {
        slh_first = 0x0
      },
      kl_lock = 0xffffffff80b71fc0 <knlist_mtx_lock>,
      kl_unlock = 0xffffffff80b71fe0 <knlist_mtx_unlock>,
      kl_assert_lock = 0xffffffff80b72000 <knlist_mtx_assert_lock>,
      kl_lockarg = 0xff01000107b11500,
      kl_autodestroy = 0
    },
    si_mtx = 0x0
  },
  kq_sigio = 0x0,
  kq_fdp = 0xfffffe0694c620c0,
  kq_state = 0,
  kq_knlistsize = 288512,
  kq_knlist = 0xfffffe09ce3fe000,
  kq_knhashmask = 0,
  kq_knhash = 0x0,
  kq_task = {
    ta_link = {
      stqe_next = 0x0
    },
    ta_pending = 0,
    ta_priority = 0 '\000',
    ta_flags = 0 '\000',
    ta_func = 0xffffffff80b748a0 <kqueue_task>,
    ta_context = 0xff01000107b11500
  },
  kq_cred = 0xff010001dd445900,
  kq_forksrc = 0x0
}
(kgdb) p list
$4 = <optimized out>
p kq->kq_knlist[kn->kn_kevent.ident]
$6 = {
  slh_first = 0x0
}
(kgdb) p &kq->kq_knlist[kn->kn_kevent.ident]
$7 = (struct klist *) 0xfffffe09ce4944d0


Please tell us if you need anything else.
