[Bug 212168] [panic] [UFS] use-after-free panic (0xdeadc0dedeadc0de)
bugzilla-noreply at freebsd.org
Fri Aug 26 05:17:58 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212168
Bug ID: 212168
Summary: [panic] [UFS] use-after-free panic (0xdeadc0dedeadc0de)
Product: Base System
Version: 11.0-RC1
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: gjb at FreeBSD.org
CC: mckusick at FreeBSD.org, re at FreeBSD.org
Created attachment 174085
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=174085&action=edit
ufs_panic.txt
The 11.0-RC1 FreeBSD/aarch64 architecture currently still has WITNESS and
INVARIANTS enabled (whether intentional or otherwise); however, this appears to
be architecture-agnostic.
The root filesystem is:
/dev/ada0p2 on / (ufs, local, journaled soft-updates)
During a buildworld loop on two systems with this setup, a panic was observed
on multiple occasions.
The backtrace is attached, and the panic message on the console was:
Fatal data abort:
x0: ffff000aa48ff4c0
x1: ffff000aa48ff4c0
x2: ffff0000005c90ff
x3: 10b6
x4: 0
x5: 16
x6: ffff0000005c90ff
x7: db8
x8: deadc0dedeadc0de
x9: 1c
x10: 8000
x11: 0
x12: 2
x13: ffff0000007c07ec
x14: ffff0000007c07a0
x15: b
x16: 2710
x17: e00
x18: ffff000b90150370
x19: ffff000aa48ff4c0
x20: ffff0000005e66d9
x21: fffffd00278e0ce8
x22: 0
x23: a0020020
x24: fffffd00278e0db8
x25: fffffd0e7aa588f0
x26: fffffd0027914600
x27: a8b0d2f
x28: a8b0d73
x29: ffff000b901503f0
x30: ffff000b901503f0
sp: ffff000b90150370
lr: ffff0000004d1438
elr: ffff0000004b542c
spsr: 60000345
far: deadc0dedeadc376
esr: 96000004
[ thread pid 44795 tid 101060 ]
Stopped at softdep_disk_io_initiation+0x50: ldr x21, [x8, #664]
Following a cursory investigation by Peter:
FYI; I looked at the disassembled code from the cluster build, and observed
that the panic is right here:
if ((wk = LIST_FIRST(&bp->b_dep)) == NULL)
return;
ump = VFSTOUFS(wk->wk_mp);
^^^^^^^^^^^^^^^^^^^
There is a series of dereferences if bp->... so that's not it. However, wk
is the problem. LIST_FIRST is returning the value 0xdeadc0dedeadc0de so that
means there is a use-after-free.
There are a couple of possibilities:
* there is an aarch64-specific bug in the interrupt handling or locking
somehow. However, we have had multiple exact crashes on exactly this so it
really does not look like a race or locking bug.
* WITNESS / INVARIANTS are exposing a previously undetected use-after-free
softdep bug. The act of having INVARIANTS/WITNESS on is causing an escalation
from a normally harmless bug to a full crash.
If I had to guess, compiling without INVARIANTS/WITNESS will likely sweep the
problem back under the rug so you can get package builds done. If this
changes things then there is definitely a softdep bug in there.
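As an added illustration (not part of the bug report or of the FreeBSD source), the user-space C program below models why the panic above is diagnostic rather than random: with INVARIANTS enabled, the kernel's UMA debugging code fills freed memory with the 32-bit pattern 0xdeadc0de, so a stale LIST_FIRST read returns 0xdeadc0dedeadc0de instead of a plausible-looking pointer, and dereferencing it faults deterministically. The struct names, poison_free, trash_check, is_junk_pointer and load_fault_addr are hypothetical stand-ins for the kernel's machinery; the only values taken from the report are the junk pattern, the load offset 664 from the faulting instruction, and the far register, which is checked to equal x8 + 664.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fill pattern the kernel writes over freed memory under INVARIANTS;
 * the 64-bit value is what the report shows in x8. */
#define JUNK32 0xdeadc0deu
#define JUNK64 0xdeadc0dedeadc0deull

/* Hypothetical stand-ins modelled loosely on bp->b_dep and wk->wk_mp. */
struct worklist {
    struct worklist *wk_next;
    void *wk_mp;               /* mount pointer in the real kernel */
};

struct buf {
    struct worklist *b_dep;    /* what LIST_FIRST(&bp->b_dep) reads */
    char b_data[64];
};

/* Overwrite a freed object with the junk pattern, as a trash destructor
 * would. memcpy is used so the byte-level writes alias any field type. */
static void poison_free(void *obj, size_t len)
{
    unsigned char *p = obj;
    const uint32_t junk = JUNK32;
    for (size_t i = 0; i + sizeof junk <= len; i += sizeof junk)
        memcpy(p + i, &junk, sizeof junk);
}

/* Check that a poisoned object is still intact before it is handed out
 * again; any mismatch means something wrote to freed memory. */
static bool trash_check(const void *obj, size_t len)
{
    const unsigned char *p = obj;
    for (size_t i = 0; i + sizeof(uint32_t) <= len; i += sizeof(uint32_t)) {
        uint32_t w;
        memcpy(&w, p + i, sizeof w);
        if (w != JUNK32)
            return false;
    }
    return true;
}

/* True when every 32-bit lane of a pointer-sized value is the junk
 * pattern: the tell-tale an analyst looks for in a register dump. */
static bool is_junk_pointer(uintptr_t v)
{
    for (size_t i = 0; i < sizeof v; i += sizeof(uint32_t))
        if ((uint32_t)(v >> (8 * i)) != JUNK32)
            return false;
    return true;
}

/* Address touched by "ldr xN, [base, #off]" is base + off; in the report
 * x8 + 664 must equal far if the fault came from the junk pointer. */
static uintptr_t load_fault_addr(uintptr_t base, uintptr_t off)
{
    return base + off;
}

/* Reproduce the report's read pattern: the dependency head is read after
 * the buffer has been poisoned. The chunk is only released afterwards so
 * the read is defined behaviour here. Returns the stale pointer value. */
static uintptr_t stale_list_first(void)
{
    struct buf *bp = malloc(sizeof *bp);
    struct worklist wk = { .wk_next = NULL, .wk_mp = NULL };
    if (bp == NULL)
        return 0;
    bp->b_dep = &wk;
    poison_free(bp, sizeof *bp);
    uintptr_t first = (uintptr_t)bp->b_dep;   /* LIST_FIRST after "free" */
    free(bp);
    return first;
}

/* A write through a stale pointer breaks the pattern, so the next trash
 * check catches it instead of letting the corruption go unnoticed. */
static bool write_after_free_detected(void)
{
    struct buf *bp = malloc(sizeof *bp);
    if (bp == NULL)
        return false;
    poison_free(bp, sizeof *bp);
    bool intact_before = trash_check(bp, sizeof *bp);
    bp->b_data[3] = 'x';                       /* stale write */
    bool intact_after = trash_check(bp, sizeof *bp);
    free(bp);
    return intact_before && !intact_after;
}

int main(void)
{
    uintptr_t wk = stale_list_first();
    printf("LIST_FIRST after free: 0x%llx junk=%d\n",
           (unsigned long long)wk, is_junk_pointer(wk));
    printf("x8 + 664 == far: %d\n",
           load_fault_addr(JUNK64, 664) == 0xdeadc0dedeadc376ull);
    printf("write-after-free detected: %d\n", write_after_free_detected());
    return 0;
}
```

The point of the poisoning is the one Peter makes about INVARIANTS: without the fill, the freed buffer would usually still hold its old contents and the stale read would silently return a dangling but mappable pointer; with it, the read yields an unmapped junk address and the kernel stops at the first dereference, which is exactly what the far value in the register dump shows.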