[Bug 293382] Dead lock and kernel crash around closefp_impl

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 23 Mar 2026 09:52:56 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293382

--- Comment #22 from Paul <devgs@ukr.net> ---
Hi,

Just in case, we have tested the new patch with our current kernel version, and it
panicked. So we have finally switched to HEAD, as suggested earlier (we
understand that this simplifies things a lot), and basically the same thing
happened there.

It's about the new assert added in the latest patch. Note that every field of *kn in the kgdb dump below is filled with the 0xdeadc0de pattern, which suggests the knote had already been freed by the time knote_fdclose() reached the assertion.


Unread portion of the kernel message buffer:
panic: Assertion kn->kn_kq == kq failed at /usr/src/sys/kern/kern_event.c:2852
cpuid = 8
time = 1774258230
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0699ccbbd0
vpanic() at vpanic+0x136/frame 0xfffffe0699ccbd00
panic() at panic+0x43/frame 0xfffffe0699ccbd60
knote_fdclose() at knote_fdclose+0x236/frame 0xfffffe0699ccbdc0
closefp_impl() at closefp_impl+0xa8/frame 0xfffffe0699ccbe00
amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe0699ccbf30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0699ccbf30
--- syscall (6, FreeBSD ELF64, close), rip = 0x82d4a332a, rsp = 0x85dfa6b98,
rbp = 0x85dfa6bb0 ---
KDB: enter: panic

(kgdb) bt
#0  __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:57
#1  doadump (textdump=0) at /usr/src/sys/kern/kern_shutdown.c:399
#2  0xffffffff804b60a8 in db_fncall_generic (nargs=0, args=0xfffffe0699ccb5f0,
addr=<optimized out>, rv=<optimized out>) at /usr/src/sys/ddb/db_command.c:631
#3  db_fncall (dummy1=<optimized out>, dummy2=<optimized out>,
dummy3=<optimized out>, dummy4=<optimized out>) at
/usr/src/sys/ddb/db_command.c:679
#4  0xffffffff804b5b2d in db_command (last_cmdp=<optimized out>,
cmd_table=<optimized out>, dopager=false) at /usr/src/sys/ddb/db_command.c:508
#5  0xffffffff804b5c76 in db_command_script
(command=command@entry=0xffffffff81bd7722 <db_recursion_data+18> "call
doadump") at /usr/src/sys/ddb/db_command.c:573
#6  0xffffffff804bba58 in db_script_exec
(scriptname=scriptname@entry=0xfffffe0699ccb7c0 "kdb.enter.panic",
warnifnotfound=warnifnotfound@entry=0) at /usr/src/sys/ddb/db_script.c:301
#7  0xffffffff804bb952 in db_script_kdbenter (eventname=<optimized out>) at
/usr/src/sys/ddb/db_script.c:323
#8  0xffffffff804b91e1 in db_trap (type=<optimized out>, code=<optimized out>)
at /usr/src/sys/ddb/db_main.c:266
#9  0xffffffff80c1ce5f in kdb_trap (type=type@entry=3, code=code@entry=0,
tf=tf@entry=0xfffffe0699ccbb10) at /usr/src/sys/kern/subr_kdb.c:790
#10 0xffffffff8112a96d in trap (frame=<optimized out>) at
/usr/src/sys/amd64/amd64/trap.c:675
#11 <signal handler called>
#12 kdb_enter (why=<optimized out>, msg=<optimized out>) at
/usr/src/sys/kern/subr_kdb.c:556
#13 0xffffffff80bc9ddb in vpanic (fmt=0xffffffff812ec6bb "Assertion %s failed
at %s:%d", ap=ap@entry=0xfffffe0699ccbd40) at
/usr/src/sys/kern/kern_shutdown.c:962
#14 0xffffffff80bc9c43 in panic (fmt=0xffffffff81da2290 <cnputs_mtx>
"\254\214!\201\377\377\377\377") at /usr/src/sys/kern/kern_shutdown.c:887
#15 0xffffffff80b6bc76 in knote_fdclose (td=td@entry=0xff0100018d9b4000,
fd=fd@entry=161249) at /usr/src/sys/kern/kern_event.c:2852
#16 0xffffffff80b63468 in closefp_impl (fdp=0xfffffe0693882000, fd=161249,
fp=0xff010002dd9fb230, td=0xff0100018d9b4000, audit=true) at
/usr/src/sys/kern/kern_descrip.c:1413
#17 0xffffffff8112b739 in syscallenter (td=0xff0100018d9b4000) at
/usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:193
#18 amd64_syscall (td=0xff0100018d9b4000, traced=0) at
/usr/src/sys/amd64/amd64/trap.c:1244
#19 <signal handler called>
#20 0x000000082d4a332a in ?? ()
Backtrace stopped: Cannot access memory at address 0x85dfa6b98
(kgdb) fr 15
#15 0xffffffff80b6bc76 in knote_fdclose (td=td@entry=0xff0100018d9b4000,
fd=fd@entry=161249) at /usr/src/sys/kern/kern_event.c:2852
2852                            MPASS(kn->kn_kq == kq);
(kgdb) p *kn
$1 = {
  kn_link = {
    sle_next = 0xdeadc0dedeadc0de
  },
  kn_selnext = {
    sle_next = 0xdeadc0dedeadc0de
  },
  kn_knlist = 0xdeadc0dedeadc0de,
  kn_tqe = {
    tqe_next = 0xdeadc0dedeadc0de,
    tqe_prev = 0xdeadc0dedeadc0de
  },
  kn_kq = 0xdeadc0dedeadc0de,
  kn_kevent = {
    ident = 16045693110842147038,
    filter = -16162,
    flags = 57005,
    fflags = 3735929054,
    data = -2401050962867404578,
    udata = 0xdeadc0dedeadc0de,
    ext = {16045693110842147038, 16045693110842147038, 16045693110842147038,
16045693110842147038}
  },
  kn_hook = 0xdeadc0dedeadc0de,
  kn_hookid = -559038242,
  kn_status = -559038242,
  kn_influx = -559038242,
  kn_sfflags = 3735929054,
  kn_sdata = -2401050962867404578,
  kn_ptr = {
    p_fp = 0xdeadc0dedeadc0de,
    p_proc = 0xdeadc0dedeadc0de,
    p_aio = 0xdeadc0dedeadc0de,
    p_lio = 0xdeadc0dedeadc0de,
    p_prison = 0xdeadc0dedeadc0de,
    p_v = 0xdeadc0dedeadc0de
  },
  kn_fop = 0xdeadc0dedeadc0de
}
(kgdb) p *kq
value has been optimized out
(kgdb) i r
rax            0x12                18
rbx            0x275e1             161249
rcx            0xba5f4feebeda7d64  -5017203573044642460
rdx            0xffffffff813451fb  -2127277573
rsi            0xfffffe0699ccba90  -2170673120624
rdi            0xffffffff81da2290  -2116410736
rbp            0xfffffe0699ccbdc0  0xfffffe0699ccbdc0
rsp            0xfffffe0699ccbd70  0xfffffe0699ccbd70
r8             0x12                18
r9             0x20                32
r10            0x0                 0
r11            0x0                 0
r12            0xff010001bdd19b18  -71776111581619432
r13            0xff0100488988c0a0  -71775807516131168
r14            0x275e1             161249
r15            0xff010001bdd19b00  -71776111581619456
rip            0xffffffff80b6bc76  0xffffffff80b6bc76 <knote_fdclose+566>
eflags         0x86                [ PF SF ]
cs             0x20                32
ss             0x28                40
ds             <unavailable>
es             <unavailable>
fs             <unavailable>
gs             <unavailable>
fs_base        <unavailable>
gs_base        <unavailable>
(kgdb) p *((struct kqueue*)$r15)
$2 = {
  kq_lock = {
    lock_object = {
      lo_name = 0xffffffff8133f15f "kqueue",
      lo_flags = 21168128,
      lo_data = 0,
      lo_witness = 0xff0100804bd8db80
    },
    mtx_lock = 18374967961319063552
  },
  kq_refcnt = 0,
  kq_list = {
    tqe_next = 0xff0100014c3afe00,
    tqe_prev = 0xff010001075a7528
  },
  kq_head = {
    tqh_first = 0x0,
    tqh_last = 0xff010001bdd19b38
  },
  kq_count = 0,
  kq_sel = {
    si_tdlist = {
      tqh_first = 0x0,
      tqh_last = 0x0
    },
    si_note = {
      kl_list = {
        slh_first = 0x0
      },
      kl_lock = 0xffffffff80b6b3a0 <knlist_mtx_lock>,
      kl_unlock = 0xffffffff80b6b3c0 <knlist_mtx_unlock>,
      kl_assert_lock = 0xffffffff80b6b3e0 <knlist_mtx_assert_lock>,
      kl_lockarg = 0xff010001bdd19b00,
      kl_autodestroy = 0
    },
    si_mtx = 0x0
  },
  kq_sigio = 0x0,
  kq_fdp = 0xfffffe0693882000,
  kq_state = 0,
  kq_knlistsize = 695296,
  kq_knlist = 0xfffffe0a76665000,
  kq_knhashmask = 0,
  kq_knhash = 0x0,
  kq_task = {
    ta_link = {
      stqe_next = 0x0
    },
    ta_pending = 0,
    ta_priority = 0 '\000',
    ta_flags = 0 '\000',
    ta_func = 0xffffffff80b6db40 <kqueue_task>,
    ta_context = 0xff010001bdd19b00
  },
  kq_cred = 0xff01000107bc5780,
  kq_forksrc = 0x0
}


Please tell us if you need anything else.
