[Bug 293382] Dead lock and kernel crash around closefp_impl
Date: Wed, 18 Mar 2026 10:10:18 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293382
--- Comment #19 from Paul <devgs@ukr.net> ---
Sadly, it still happens, even with the latest patch to kern_event.c:
Fatal trap 9: general protection fault while in kernel mode
cpuid = 0; apic id = 00
instruction pointer = 0x20:0xffffffff80b5914d
stack pointer = 0x28:0xfffffe0718977d60
frame pointer = 0x28:0xfffffe0718977d60
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 3115 (asy:http:s)
rdi: deadc0dedeadc0f6 rsi: 0000000000000004 rdx: ffffffff811ab239
rcx: 0000000000000121 r8: 0000000000000001 r9: ffffffff81e1ec98
rax: fffff803c20c3740 rbx: 000000000008fa97 rbp: fffffe0718977d60
r10: 0000000000000000 r11: 0000000000000004 r12: fffff80155c37718
r13: fffff819bc941960 r14: 000000000008fa97 r15: fffff80155c37700
trap number = 9
panic: general protection fault
cpuid = 0
time = 1773824580
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0718977ae0
vpanic() at vpanic+0x161/frame 0xfffffe0718977c10
panic() at panic+0x43/frame 0xfffffe0718977c70
trap_fatal() at trap_fatal+0x68/frame 0xfffffe0718977c90
calltrap() at calltrap+0x8/frame 0xfffffe0718977c90
--- trap 0x9, rip = 0xffffffff80b5914d, rsp = 0xfffffe0718977d60, rbp =
0xfffffe0718977d60 ---
__mtx_assert() at __mtx_assert+0x3d/frame 0xfffffe0718977d60
knote_fdclose() at knote_fdclose+0x11e/frame 0xfffffe0718977dc0
closefp_impl() at closefp_impl+0x96/frame 0xfffffe0718977e00
amd64_syscall() at amd64_syscall+0x15a/frame 0xfffffe0718977f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0718977f30
--- syscall (6, FreeBSD ELF64, close), rip = 0x82ddf932a, rsp = 0x85fb5eb88,
rbp = 0x85fb5eba0 ---
KDB: enter: panic
(kgdb) bt
#0 __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:57
#1 doadump (textdump=0) at /usr/src/sys/kern/kern_shutdown.c:405
#2 0xffffffff804a4718 in db_fncall_generic (nargs=0, args=0xfffffe0718977510,
addr=<optimized out>, rv=<optimized out>) at /usr/src/sys/ddb/db_command.c:626
#3 db_fncall (dummy1=<optimized out>, dummy2=<optimized out>,
dummy3=<optimized out>, dummy4=<optimized out>) at
/usr/src/sys/ddb/db_command.c:674
#4 0xffffffff804a418d in db_command (last_cmdp=<optimized out>,
cmd_table=<optimized out>, dopager=false) at /usr/src/sys/ddb/db_command.c:504
#5 0xffffffff804a42d6 in db_command_script
(command=command@entry=0xffffffff81bba6e2 <db_recursion_data+18> "call
doadump") at /usr/src/sys/ddb/db_command.c:569
#6 0xffffffff804a9578 in db_script_exec
(scriptname=scriptname@entry=0xfffffe07189776e0 "kdb.enter.panic",
warnifnotfound=warnifnotfound@entry=0) at /usr/src/sys/ddb/db_script.c:302
#7 0xffffffff804a9472 in db_script_kdbenter (eventname=<optimized out>) at
/usr/src/sys/ddb/db_script.c:324
#8 0xffffffff804a7531 in db_trap (type=<optimized out>, code=<optimized out>)
at /usr/src/sys/ddb/db_main.c:267
#9 0xffffffff80bd09a0 in kdb_trap (type=type@entry=3, code=code@entry=0,
tf=tf@entry=0xfffffe0718977a20) at /usr/src/sys/kern/subr_kdb.c:790
#10 0xffffffff810b3a07 in trap (frame=0xfffffe0718977a20) at
/usr/src/sys/amd64/amd64/trap.c:639
#11 <signal handler called>
#12 kdb_enter (why=<optimized out>, msg=<optimized out>) at
/usr/src/sys/kern/subr_kdb.c:556
#13 0xffffffff80b7fc7d in vpanic (fmt=0xffffffff81237367 "%s",
ap=ap@entry=0xfffffe0718977c50) at /usr/src/sys/kern/kern_shutdown.c:953
#14 0xffffffff80b7fa43 in panic (fmt=0xffffffff81d853a0 <cnputs_mtx>
"\233\327\031\201\377\377\377\377") at /usr/src/sys/kern/kern_shutdown.c:891
#15 0xffffffff810b40b8 in trap_fatal (frame=0xfffffe0718977ca0, eva=<optimized
out>) at /usr/src/sys/amd64/amd64/trap.c:1000
#16 <signal handler called>
#17 __mtx_assert (c=0xdeadc0dedeadc0f6, what=what@entry=4,
file=0xffffffff811ab239 "/usr/src/sys/kern/kern_event.c", line=line@entry=289)
at /usr/src/sys/kern/kern_mutex.c:1091
#18 0xffffffff80b25c8e in kn_enter_flux (kn=<optimized out>) at
/usr/src/sys/kern/kern_event.c:289
#19 knote_fdclose (td=td@entry=0xfffff803c20c3740, fd=fd@entry=588439) at
/usr/src/sys/kern/kern_event.c:2703
#20 0xffffffff80b1dbd6 in closefp_impl (fdp=0xfffffe0713371430, fd=588439,
fp=0xfffff86e9b7ee190, td=0xfffff803c20c3740, audit=true) at
/usr/src/sys/kern/kern_descrip.c:1320
#21 0xffffffff810b4f0a in syscallenter (td=0xfffff803c20c3740) at
/usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:193
#22 amd64_syscall (td=0xfffff803c20c3740, traced=0) at
/usr/src/sys/amd64/amd64/trap.c:1241
#23 <signal handler called>
#24 0x000000082ddf932a in ?? ()
Backtrace stopped: Cannot access memory at address 0x85fb5eb88
(kgdb) l /usr/src/sys/kern/kern_event.c:2690
2685 /*
2686 * We shouldn't have to worry about new kevents appearing on fd
2687 * since filedesc is locked.
2688 */
2689 again:
2690 TAILQ_FOREACH(kq, &fdp->fd_kqlist, kq_list) {
2691 KQ_LOCK(kq);
2692 influx = 0;
2693 while (kq->kq_knlistsize > fd &&
2694 (kn = SLIST_FIRST(&kq->kq_knlist[fd])) != NULL) {
(kgdb) fr 18
#18 0xffffffff80b25c8e in kn_enter_flux (kn=<optimized out>) at
/usr/src/sys/kern/kern_event.c:289
289 KQ_OWNED(kn->kn_kq);
(kgdb) p *kn->kn_kq
value has been optimized out
(kgdb) up
#19 knote_fdclose (td=td@entry=0xfffff803c20c3740, fd=fd@entry=588439) at
/usr/src/sys/kern/kern_event.c:2703
2703 kn_enter_flux(kn);
(kgdb) p kn
$4 = (struct knote *) 0xfffff819bc941960
(kgdb) p *kn
$1 = {
kn_link = {
sle_next = 0xdeadc0dedeadc0de
},
kn_selnext = {
sle_next = 0xdeadc0dedeadc0de
},
kn_knlist = 0xdeadc0dedeadc0de,
kn_tqe = {
tqe_next = 0xdeadc0dedeadc0de,
tqe_prev = 0xdeadc0dedeadc0de
},
kn_kq = 0xdeadc0dedeadc0de,
kn_kevent = {
ident = 16045693110842147038,
filter = -16162,
flags = 57005,
fflags = 3735929054,
data = -2401050962867404578,
udata = 0xdeadc0dedeadc0de,
ext = {16045693110842147038, 16045693110842147038, 16045693110842147038,
16045693110842147038}
},
kn_hook = 0xdeadc0dedeadc0de,
kn_hookid = -559038242,
kn_status = -559038242,
kn_influx = -559038242,
kn_sfflags = -559038242,
kn_sdata = -2401050962867404578,
kn_ptr = {
p_fp = 0xdeadc0dedeadc0de,
p_proc = 0xdeadc0dedeadc0de,
p_aio = 0xdeadc0dedeadc0de,
p_lio = 0xdeadc0dedeadc0de,
p_v = 0xdeadc0dedeadc0de
},
kn_fop = 0xdeadc0dedeadc0de
}
(kgdb) p *kn->kn_kq
Cannot access memory at address 0xdeadc0dedeadc0de
#20 0xffffffff80b1dbd6 in closefp_impl (fdp=0xfffffe0713371430, fd=588439,
fp=0xfffff86e9b7ee190, td=0xfffff803c20c3740, audit=true) at
/usr/src/sys/kern/kern_descrip.c:1320
1320 knote_fdclose(td, fd);
(kgdb) p *fp
$1 = {
f_flag = 7,
f_count = 1,
f_data = 0xfffff82e0210c000,
f_ops = 0xffffffff81436808 <socketops>,
f_vnode = 0x0,
f_cred = 0xfffff804daf23a00,
f_type = 2,
f_vflags = 0,
{
f_seqcount = {0, 0},
f_pipegen = 0
},
f_nextoff = {0, 0},
f_vnun = {
fvn_cdevpriv = 0x0,
fvn_advice = 0x0
},
f_offset = 0
}
(kgdb) p *fdp
$2 = {
fd_files = 0xfffffe094f9fb000,
fd_map = 0xfffffe094d255000,
fd_freefile = 3,
fd_refcnt = 1,
fd_holdcnt = 1,
fd_sx = {
lock_object = {
lo_name = 0xffffffff812b4244 "filedesc structure",
lo_flags = 36896768,
lo_data = 0,
lo_witness = 0xfffff8804bd94380
},
sx_lock = 18446735293757011776
},
fd_kqlist = {
tqh_first = 0xfffff8010c5ba200,
tqh_last = 0xfffff80155c37728
},
fd_holdleaderscount = 0,
fd_holdleaderswakeup = 0
}
(kgdb) fr 19
#19 knote_fdclose (td=td@entry=0xfffff803c20c3740, fd=fd@entry=588439) at
/usr/src/sys/kern/kern_event.c:2703
2703 kn_enter_flux(kn);
(kgdb) p *kq
value has been optimized out
(kgdb) i r
rax 0xfffff803c20c3740 -8779952539840
rbx 0x8fa97 588439
rcx 0x121 289
rdx 0xffffffff811ab239 -2128956871
rsi 0x4 4
rdi 0xdeadc0dedeadc0f6 -2401050962867404554
rbp 0xfffffe0718977dc0 0xfffffe0718977dc0
rsp 0xfffffe0718977d70 0xfffffe0718977d70
r8 0x1 1
r9 0xffffffff81e1ec98 -2115900264
r10 0x0 0
r11 0x4 4
r12 0xfffff80155c37718 -8790359181544
r13 0xfffff819bc941960 -8685555017376
r14 0x8fa97 588439
r15 0xfffff80155c37700 -8790359181568
rip 0xffffffff80b25c8e 0xffffffff80b25c8e <knote_fdclose+286>
eflags 0x10297 [ CF PF AF SF IF RF ]
cs 0x20 32
ss 0x28 40
ds <unavailable>
es <unavailable>
fs <unavailable>
gs <unavailable>
fs_base <unavailable>
gs_base <unavailable>
(kgdb) p *((struct kqueue*)$r15)
$3 = {
kq_lock = {
lock_object = {
lo_name = 0xffffffff812bbf6c "kqueue",
lo_flags = 21168128,
lo_data = 0,
lo_witness = 0xfffff8804bd8da80
},
mtx_lock = 18446735293757011776
},
kq_refcnt = 1,
kq_list = {
tqe_next = 0x0,
tqe_prev = 0xfffff80150e0d528
},
kq_head = {
tqh_first = 0x0,
tqh_last = 0xfffff80155c37738
},
kq_count = 0,
kq_sel = {
si_tdlist = {
tqh_first = 0x0,
tqh_last = 0x0
},
si_note = {
kl_list = {
slh_first = 0x0
},
kl_lock = 0xffffffff80b254e0 <knlist_mtx_lock>,
kl_unlock = 0xffffffff80b25500 <knlist_mtx_unlock>,
kl_assert_lock = 0xffffffff80b25520 <knlist_mtx_assert_lock>,
kl_lockarg = 0xfffff80155c37700,
kl_autodestroy = 0
},
si_mtx = 0x0
},
kq_sigio = 0x0,
kq_fdp = 0xfffffe0713371430,
kq_state = 2,
kq_knlistsize = 680960,
kq_knlist = 0xfffffe0987b7a000,
kq_knhashmask = 0,
kq_knhash = 0x0,
kq_task = {
ta_link = {
stqe_next = 0x0
},
ta_pending = 0,
ta_priority = 0 '\000',
ta_flags = 0 '\000',
ta_func = 0xffffffff80b26050 <kqueue_task>,
ta_context = 0xfffff80155c37700
},
kq_cred = 0xfffff804daf23a00
}
The weirdest thing (and maybe a hint of the problem?) is that in frame 19, `kn`
points to a memory address whose contents are exactly the same, byte for byte,
as in the previous crash, seemingly garbage. Every field of the dumped knote
holds the same repeating 0xdeadc0de pattern, including kn_kq, which is what
kn_enter_flux then dereferences for the KQ_OWNED assertion; that looks like a
fill pattern written over freed memory rather than real contents, i.e. the
knote was likely freed while still linked in kq_knlist. Is this some 'kernel
constants' data segment, or is it expected and not garbage?