[Bug 205270] [zfs] Panic at shutdown in 11.0-CURRENT

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sat Dec 12 15:58:20 UTC 2015 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=205270

            Bug ID: 205270
           Summary: [zfs] Panic at shutdown in 11.0-CURRENT
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: 214748mv at gmail.com

Sometimes I have the panic in the photo at shutdown:

http://imgur.com/mXrgFLp

Unfortunately this happens randomly.

After a bit of investigation I have understood the panic cause: is an invalid
offset.

The original function in  /sys/cddl/contrib/opensolaris/uts/common/fs/zfs/txg.c
is:

boolean_t
txg_list_member(txg_list_t *tl, void *p, uint64_t txg)
{
    int t = txg & TXG_MASK;
    txg_node_t *tn = (txg_node_t *)((char *)p + tl->tl_offset);

    return (tn->tn_member[t] != 0);
}

I have modified the function to print an uncommon or invalid tl->tl_offset :

boolean_t
txg_list_member(txg_list_t *tl, void *p, uint64_t txg)
{
    size_t ofs = tl->tl_offset;
    {
        static int cnt=0;
        if ( (cnt++ % 1000) == 0
            || (ofs != 88 && ofs != 984) )
            printf("**** %d) tl->tl_offset %zu\n", cnt, ofs);
    }

    txg_node_t *tn = (txg_node_t *)((char *)p + ofs);

    return (tn->tn_member[txg & TXG_MASK] != 0);
}

I have received the panic again with an invalid  tl->tl_offset of
16045693110842147038.
In /val/log/messages I have:

Dec  8 10:32:42 ativ kernel: Waiting (max 60 seconds) for system process
`vnlru' to stop...done
Dec  8 10:32:42 ativ kernel: Waiting (max 60 seconds) for system process
`bufdaemon' to stop...done
Dec  8 10:32:42 ativ kernel: Waiting (max 60 seconds) for system process
`syncer' to stop...
Dec  8 10:32:42 ativ kernel: Syncing disks, vnodes remaining...0 0 0 done
Dec  8 10:32:42 ativ kernel: All buffers synced.
Dec  8 10:32:42 ativ kernel: **** 9692) tl->tl_offset 384
Dec  8 10:32:42 ativ kernel: **** 9693) tl->tl_offset 384
Dec  8 10:32:42 ativ kernel: **** 9694) tl->tl_offset 384
Dec  8 10:32:42 ativ kernel: **** 9695) tl->tl_offset 384
Dec  8 10:32:42 ativ kernel: **** 9708) tl->tl_offset 384
Dec  8 10:32:42 ativ kernel: **** 9709) tl->tl_offset 384
Dec  8 10:32:42 ativ kernel: **** 9710) tl->tl_offset 384
Dec  8 10:32:42 ativ kernel: **** 9711) tl->tl_offset 384
Dec  8 10:32:42 ativ kernel: **** 9720) tl->tl_offset 384
Dec  8 10:32:42 ativ kernel: **** 9721) tl->tl_offset 384
Dec  8 10:32:42 ativ kernel: **** 9722) tl->tl_offset 384
Dec  8 10:32:42 ativ kernel: **** 9723) tl->tl_offset 384
Dec  8 10:32:42 ativ kernel: Uptime: 1h57m42s
Dec  8 10:32:42 ativ kernel: **** 9736) tl->tl_offset 16045693110842147038
Dec  8 10:32:42 ativ kernel:
Dec  8 10:32:42 ativ kernel:
Dec  8 10:32:42 ativ kernel: Fatal trap 9: general protection fault while in
kernel mode
Dec  8 10:32:42 ativ kernel: cpuid = 2; apic id = 02
Dec  8 10:32:42 ativ kernel: instruction pointer    = 0x20:0xffffffff8211b1cb
Dec  8 10:32:42 ativ kernel: stack pointer            = 0x28:0xfffffe0119525990
Dec  8 10:32:42 ativ kernel: frame pointer            = 0x28:0xfffffe01195259c0
Dec  8 10:32:42 ativ kernel: code segment        = base 0x0, limit 0xfffff,
type 0x1b
Dec  8 10:32:42 ativ kernel: = DPL 0, pres 1, long 1, def32 0, gran 1
Dec  8 10:32:42 ativ kernel: processor eflags    = interrupt enabled, resume,
IOPL = 0
Dec  8 10:32:42 ativ kernel: current process        = 0 (dbu_evict)

Probably the panic is caused by some memory already freed, the hex  value of
16045693110842147038 is 0xdeadc0dedeadc0de.

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list