page fault in pfioctl

From: Andriy Gapon <>
Date: Sat, 12 Jun 2021 17:59:50 UTC
I am not sure whether this has already been reported, or perhaps even fixed.
The crash happened with stable/13 as of 92f49c769b4 (June 3).
Judging from the time, I think that it happened while running a periodic report 
(likely 520.pfdenied).
I have the vmcore, can take a look into it on Monday.

Ah, and I must add that this is a custom kernel configuration with INVARIANTS.

Kernel page fault with the following non-sleepable locks held:
exclusive rm pf rulesets (pf rulesets) r = 0 (0xffffffff85558e58) locked @ 
stack backtrace:
#0 0xffffffff808a77bd at witness_debugger+0x6d
#1 0xffffffff808a860b at witness_warn+0x21b
#2 0xffffffff80b30171 at trap_pfault+0x71
#3 0xffffffff80b2f729 at trap+0x289
#4 0xffffffff80b304d9 at trap_check+0x29
#5 0xffffffff80b0bb28 at calltrap+0x8
#6 0xffffffff85540358 at pfioctl+0x4d28
#7 0xffffffff807176cf at devfs_ioctl+0xcf
#8 0xffffffff80bb26e2 at VOP_IOCTL_APV+0x92
#9 0xffffffff80928014 at VOP_IOCTL+0x34
#10 0xffffffff80923330 at vn_ioctl+0xc0
#11 0xffffffff80717bbe at devfs_ioctl_f+0x1e
#12 0xffffffff808abc6b at fo_ioctl+0xb
#13 0xffffffff808abc01 at kern_ioctl+0x1d1
#14 0xffffffff808ab982 at sys_ioctl+0x132
#15 0xffffffff80b30cc9 at syscallenter+0x159
#16 0xffffffff80b309a5 at amd64_syscall+0x15
#17 0xffffffff80b0c44e at fast_syscall_common+0xf8

Fatal trap 12: page fault while in kernel mode
cpuid = 5; apic id = 05
fault virtual address   = 0x800a22000
fault code              = supervisor write data, page not present
instruction pointer     = 0x20:0xffffffff80b2c7ca
stack pointer           = 0x28:0xfffffe01cb072480
frame pointer           = 0x28:0xfffffe01cb072480
code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12208 (pfctl)
trap number             = 12
panic: page fault
cpuid = 5
time = 1623456453
KDB: stack backtrace:
db_trace_self_wrapper() at 0xffffffff805c1e8b = db_trace_self_wrapper+0x2b/frame 
kdb_backtrace() at 0xffffffff808874b7 = kdb_backtrace+0x37/frame 0xfffffe01cb0720f0
vpanic() at 0xffffffff808449d8 = vpanic+0x188/frame 0xfffffe01cb072150
panic() at 0xffffffff808445f3 = panic+0x43/frame 0xfffffe01cb0721b0
trap_fatal() at 0xffffffff80b300a5 = trap_fatal+0x375/frame 0xfffffe01cb072210
trap_pfault() at 0xffffffff80b30180 = trap_pfault+0x80/frame 0xfffffe01cb072280
trap() at 0xffffffff80b2f729 = trap+0x289/frame 0xfffffe01cb072390
trap_check() at 0xffffffff80b304d9 = trap_check+0x29/frame 0xfffffe01cb0723b0
calltrap() at 0xffffffff80b0bb28 = calltrap+0x8/frame 0xfffffe01cb0723b0
--- trap 0xc, rip = 0xffffffff80b2c7ca, rsp = 0xfffffe01cb072480, rbp = 
0xfffffe01cb072480 ---
copyout_nosmap_std() at 0xffffffff80b2c7ca = copyout_nosmap_std+0x15a/frame 
pfioctl() at 0xffffffff85540358 = pfioctl+0x4d28/frame 0xfffffe01cb072940
devfs_ioctl() at 0xffffffff807176cf = devfs_ioctl+0xcf/frame 0xfffffe01cb0729a0
VOP_IOCTL_APV() at 0xffffffff80bb26e2 = VOP_IOCTL_APV+0x92/frame 0xfffffe01cb0729c0
VOP_IOCTL() at 0xffffffff80928014 = VOP_IOCTL+0x34/frame 0xfffffe01cb072a10
vn_ioctl() at 0xffffffff80923330 = vn_ioctl+0xc0/frame 0xfffffe01cb072b00
devfs_ioctl_f() at 0xffffffff80717bbe = devfs_ioctl_f+0x1e/frame 0xfffffe01cb072b20
fo_ioctl() at 0xffffffff808abc6b = fo_ioctl+0xb/frame 0xfffffe01cb072b30
kern_ioctl() at 0xffffffff808abc01 = kern_ioctl+0x1d1/frame 0xfffffe01cb072b80
sys_ioctl() at 0xffffffff808ab982 = sys_ioctl+0x132/frame 0xfffffe01cb072c50
syscallenter() at 0xffffffff80b30cc9 = syscallenter+0x159/frame 0xfffffe01cb072ca0
Andriy Gapon