[Bug 268909] ZFS: panic from null pointer dereference in avl_rotation

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 13 Sep 2023 12:43:16 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268909

--- Comment #1 from John F. Carr <jfc@mit.edu> ---
This happened again running 13.2-STABLE at 79ce96abd6c5.  It probably happened
a couple other times since my original submission when the system was unable to
save or analyze a crash.

The AVL tree is corrupt and avl_walk crashes following a bad pointer.

The initial node is

(kgdb) p/x *(avl_node_t *)0xfffff801476764a0
$20 = {avl_child = {0x0, 0xfffff80200004d20}, avl_pcb = 0xfffff801f1c461fa}

Following the avl_child[1] leads to

(kgdb) p/x *(avl_node_t *)0xfffff80200004d20
$21 = {avl_child = {0x395753c375b177a6, 0xfa91e69b009252c}, avl_pcb = 0xfffff801476764a6}

Following avl_child[0] leads to a GPF using 0x395753c375b177a6 as a base
address.

#7  avl_walk (tree=tree@entry=0xfffff80009178260, 
    oldnode=oldnode@entry=0xfffff80147676440, left=left@entry=1)
    at /usr/src/sys/contrib/openzfs/module/avl/avl.c:147
#8  0xffffffff81c1bea5 in scan_io_queue_gather (queue=0xfffff80009178200, 
    list=0xfffffe010f60eda8, rs=<optimized out>)
    at /usr/src/sys/contrib/openzfs/module/zfs/dsl_scan.c:2942
#9  scan_io_queues_run_one (arg=0xfffff80009178200)
    at /usr/src/sys/contrib/openzfs/module/zfs/dsl_scan.c:3093
#10 0xffffffff81b41bbf in taskq_run (arg=0xfffff80041735d80, 
    pending=<optimized out>)
    at /usr/src/sys/contrib/openzfs/module/os/freebsd/spl/spl_taskq.c:315

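The two nodes quoted above can be sanity-checked offline. The following is an added example, not code from the bug report or from OpenZFS: it mirrors the avl_node_t layout and the avl_pcb packing (parent pointer, child index, balance+1) from OpenZFS's avl_impl.h, decodes the constructed snapshot of the two dumped nodes, and flags child pointers that cannot be kernel addresses; the "upper canonical half, 8-byte aligned" test is an amd64 heuristic assumed here, not something the report states.

```c
#include <stdint.h>
#include <stdio.h>

/* Same layout as avl_node_t in OpenZFS avl_impl.h. avl_pcb packs the parent
 * pointer (bits 3 and up), this node's index in the parent's avl_child[]
 * (bit 2) and balance+1 (bits 0-1). */
typedef struct avl_node {
    struct avl_node *avl_child[2];
    uintptr_t avl_pcb;
} avl_node_t;

typedef struct { uintptr_t parent; int child_index; int balance; } avl_pcb_fields;

avl_pcb_fields avl_pcb_decode(uintptr_t pcb) {
    avl_pcb_fields f = { pcb & ~(uintptr_t)7, (int)((pcb >> 2) & 1), (int)(pcb & 3) - 1 };
    return f;
}

/* Assumed amd64 heuristic: kernel pointers sit in the upper canonical half
 * and are 8-byte aligned; NULL is a legitimate child pointer. */
int plausible_kernel_ptr(uintptr_t p) {
    return p == 0 || ((p >> 47) == 0x1ffff && (p & 7) == 0);
}

/* Bitmask of inconsistencies in one node: bit 0/1 = avl_child[0]/[1] is not a
 * kernel pointer, bit 2 = the parent's avl_child[child_index] does not point
 * back. addr is where the node was read; parent is NULL if not captured. */
int avl_node_check(uintptr_t addr, const avl_node_t *n, const avl_node_t *parent) {
    int flags = 0;
    for (int i = 0; i < 2; i++)
        if (!plausible_kernel_ptr((uintptr_t)n->avl_child[i]))
            flags |= 1 << i;
    avl_pcb_fields f = avl_pcb_decode(n->avl_pcb);
    if (parent != NULL && (uintptr_t)parent->avl_child[f.child_index] != addr)
        flags |= 4;
    return flags;
}

int main(void) {
    /* Constructed snapshot of the two nodes quoted in the comment above. */
    avl_node_t n1 = { { NULL, (avl_node_t *)0xfffff80200004d20 }, 0xfffff801f1c461fa };
    avl_node_t n2 = { { (avl_node_t *)0x395753c375b177a6, (avl_node_t *)0x0fa91e69b009252c },
                      0xfffff801476764a6 };
    avl_pcb_fields f = avl_pcb_decode(n2.avl_pcb);
    printf("n2: parent %#lx child_index %d balance %+d\n",
           (unsigned long)f.parent, f.child_index, f.balance);
    printf("n1 flags %#x, n2 flags %#x\n",
           avl_node_check(0xfffff801476764a0, &n1, NULL),
           avl_node_check(0xfffff80200004d20, &n2, &n1));
    return 0;
}
```

The parent/child/balance bits of both nodes decode consistently with each other (n2 is recorded as child 1 of n1), while both of n2's child pointers fail the address check, which matches the GPF the walker hit.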