[Bug 212168] [panic] [UFS] use-after-free panic (0xdeadc0dedeadc0de)

bugzilla-noreply at freebsd.org
Fri Aug 26 05:17:58 UTC 2016


            Bug ID: 212168
           Summary: [panic] [UFS] use-after-free panic
           Product: Base System
           Version: 11.0-RC1
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: gjb at FreeBSD.org
                CC: mckusick at FreeBSD.org, re at FreeBSD.org

Created attachment 174085
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=174085&action=edit

The 11.0-RC1 FreeBSD/aarch64 architecture currently still has WITNESS and
INVARIANTS enabled (whether intentional or otherwise), however this appears to
be architecture-agnostic.

The root filesystem is:

 /dev/ada0p2 on / (ufs, local, journaled soft-updates)

During a buildworld loop on two systems with this setup, a panic was observed
on multiple occasions.

The backtrace is attached, and the panic message on the console was:

Fatal data abort:
  x0: ffff000aa48ff4c0
  x1: ffff000aa48ff4c0
  x2: ffff0000005c90ff
  x3:             10b6
  x4:                0
  x5:               16
  x6: ffff0000005c90ff
  x7:              db8
  x8: deadc0dedeadc0de
  x9:               1c
 x10:             8000
 x11:                0
 x12:                2
 x13: ffff0000007c07ec
 x14: ffff0000007c07a0
 x15:                b
 x16:             2710
 x17:              e00
 x18: ffff000b90150370
 x19: ffff000aa48ff4c0
 x20: ffff0000005e66d9
 x21: fffffd00278e0ce8
 x22:                0
 x23:         a0020020
 x24: fffffd00278e0db8
 x25: fffffd0e7aa588f0
 x26: fffffd0027914600
 x27:          a8b0d2f
 x28:          a8b0d73
 x29: ffff000b901503f0
 x30: ffff000b901503f0
  sp: ffff000b90150370
  lr: ffff0000004d1438
 elr: ffff0000004b542c
spsr:         60000345
 far: deadc0dedeadc376
 esr:         96000004
[ thread pid 44795 tid 101060 ]
Stopped at      softdep_disk_io_initiation+0x50:        ldr     x21, [x8, #664]

Following a cursory investigation by Peter:

FYI; I looked at the disassembled code from the cluster build, and observed
that the panic is right here:

        if ((wk = LIST_FIRST(&bp->b_dep)) == NULL)
        ump = VFSTOUFS(wk->wk_mp);

There is a series of dereferences if bp->... so that's not it.  However, wk
is the problem. LIST_FIRST is returning the value 0xdeadc0dedeadc0de so that
means there is a use-after-free.

There are a couple of possibilities:

* there is an aarch64 specific bug in the interrupt handling or locking
somehow.  However, we have had multiple exact crashes on exactly this so it
really does not look like a race or locking bug.

* WITNESS / INVARIANTS are exposing a previously undetected use-after-free
softdep bug.  The act of having INVARIANTS/WITNESS on is causing an escalation
from a normally harmless bug to a full crash.

If I had to guess, compiling without INVARIANTS/WITNESS will likely sweep the
problem back under the rug so you can get package builds done.  If this
changes things then there is definitely a softdep bug in there.
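The mechanism Peter describes, as an added illustration that is not part of the bug report or of the FreeBSD sources: with INVARIANTS on, freed memory is overwritten with the 0xdeadc0de pattern, so a stale LIST_FIRST() read returns 0xdeadc0dedeadc0de and the "ldr x21, [x8, #664]" faults at that value plus 664, which is the far value in the dump. The struct layouts, the 664 offset and the 4 KiB bound in the fault classifier are assumptions chosen to reproduce the numbers above on a 64-bit host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* 64-bit view of the pattern FreeBSD writes over freed memory under INVARIANTS. */
#define POISON64 0xdeadc0dedeadc0deULL
/* Assumed field offset: the "#664" in "ldr x21, [x8, #664]" above. */
#define WK_MP_OFFSET 664u

struct worklist { struct worklist *le_next; };  /* stand-in for LIST_ENTRY */
struct buf {                                     /* constructed stand-in for struct buf */
    struct worklist *b_dep_first;                /* what LIST_FIRST(&bp->b_dep) reads */
    unsigned char rest[56];
};

/* Model of the allocator's free path under INVARIANTS: every 8-byte word of
 * the released object is overwritten with POISON64, so a later read through a
 * stale pointer yields the pattern instead of plausible-looking data. */
void trash_free(void *obj, size_t len)
{
    unsigned char *b = obj;
    uint64_t pat = POISON64;
    for (size_t i = 0; i + sizeof pat <= len; i += sizeof pat)
        memcpy(b + i, &pat, sizeof pat);
}

/* Does a pointer value look like it was loaded from trashed memory? */
bool is_poisoned_ptr(uintptr_t p) { return p == (uintptr_t)POISON64; }

/* Given a faulting address (the "far" register), recover the field offset if
 * the base register held the poison pattern; -1 if this is not a poison hit.
 * Offsets of 4 KiB or more are not treated as poison hits (assumed bound). */
long poison_offset(uintptr_t far)
{
    if (far < (uintptr_t)POISON64 || far - (uintptr_t)POISON64 >= 4096) return -1;
    return (long)(far - (uintptr_t)POISON64);
}

/* Replays the sequence behind the dump: a buf with a live dependency is
 * released and poisoned, then read again as if it were still on a list.
 * Returns the address the "ldr" would fault on, or 0 if not a poison hit. */
uintptr_t model_stale_read(void)
{
    static struct buf bp;                    /* constructed object, never malloc'd */
    static struct worklist wk0;
    bp.b_dep_first = &wk0;                   /* valid while the buf is in use */
    trash_free(&bp, sizeof bp);              /* buf released: memory poisoned */
    uintptr_t wk;                            /* stale LIST_FIRST(): reads poison */
    memcpy(&wk, &bp.b_dep_first, sizeof wk);
    return is_poisoned_ptr(wk) ? wk + WK_MP_OFFSET : 0;   /* 0xdeadc0dedeadc376 */
}
```

Without INVARIANTS the freed buf keeps its old contents, so the same stale read returns a plausible pointer and the bug passes silently, which is exactly the "sweep under the rug" effect Peter anticipates.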
