Re: Use after Free panic: ZFS?

From: Andriy Gapon <avg_at_FreeBSD.org>
Date: Wed, 30 Jan 2019 14:54:56 +0200
On 29/01/2019 16:43, Larry Rosenman wrote:
> panic: Memory modified after free 0xfffff807019ca980(32) val=0 @ 0xfffff807019ca980
> 
> cpuid = 5
> time = 1548755136
> KDB: stack backtrace:
> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00f750c880
> vpanic() at vpanic+0x1b4/frame 0xfffffe00f750c8e0
> panic() at panic+0x43/frame 0xfffffe00f750c940
> trash_ctor() at trash_ctor+0x4c/frame 0xfffffe00f750c950
> uma_zalloc_arg() at uma_zalloc_arg+0x9df/frame 0xfffffe00f750c9e0
> uma_zfree_arg() at uma_zfree_arg+0x46a/frame 0xfffffe00f750ca40
> arc_buf_destroy_impl() at arc_buf_destroy_impl+0x133/frame 0xfffffe00f750ca80
> arc_buf_destroy() at arc_buf_destroy+0x17a/frame 0xfffffe00f750cab0
> dbuf_destroy() at dbuf_destroy+0x87/frame 0xfffffe00f750cb10
> dbuf_evict_one() at dbuf_evict_one+0x187/frame 0xfffffe00f750cb40
> dbuf_evict_thread() at dbuf_evict_thread+0x185/frame 0xfffffe00f750cbb0
> fork_exit() at fork_exit+0x84/frame 0xfffffe00f750cbf0
> fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00f750cbf0
> --- trap 0, rip = 0, rsp = 0, rbp = 0 ---
> Uptime: 3d16h49m14s
> Dumping 22587 out of 131028 MB:..1%..11%..21%..31%..41%..51%..61%..71%..81%..91%
> 
> __curthread () at ./machine/pcpu.h:230
> 230             __asm("movq %%gs:%P1,%0" : "=r" (td) : "n" (OFFSETOF_CURTHREAD));
> (kgdb) #0  __curthread () at ./machine/pcpu.h:230
> #1  doadump (textdump=<optimized out>)
>     at /usr/src/sys/kern/kern_shutdown.c:371
> #2  0xffffffff80491760 in kern_reboot (howto=260)
>     at /usr/src/sys/kern/kern_shutdown.c:451
> #3  0xffffffff80491bc0 in vpanic (fmt=<optimized out>, ap=0xfffffe00f750c920)
>     at /usr/src/sys/kern/kern_shutdown.c:877
> #4  0xffffffff80491913 in panic (fmt=<unavailable>)
>     at /usr/src/sys/kern/kern_shutdown.c:804
> #5  0xffffffff8071255c in trash_ctor (mem=<unavailable>, size=<unavailable>,
>     arg=<optimized out>, flags=<optimized out>)
>     at /usr/src/sys/vm/uma_dbg.c:82
> #6  0xffffffff8070cf4f in uma_zalloc_arg (zone=0xfffff8203ffdc000,
>     udata=0x108, flags=1) at /usr/src/sys/vm/uma_core.c:2418
> #7  0xffffffff8070d69a in bucket_alloc (zone=<optimized out>,
>     udata=<unavailable>, flags=<unavailable>)
>     at /usr/src/sys/vm/uma_core.c:433
> #8  uma_zfree_arg (zone=0xfffff801059a0000, item=<optimized out>,
>     udata=0xfffff81042431940) at /usr/src/sys/vm/uma_core.c:3153

The problem is with an item in an (internal) UMA bucket zone.
So, this is probably not ZFS specific.

-- 
Andriy Gapon
Received on Wed Jan 30 2019 - 11:55:06 UTC
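As an added illustration, not code from the thread or from the FreeBSD source tree: a user-space model of the check that produced this panic. UMA's trash_dtor fills a freed item with a junk pattern and trash_ctor verifies that pattern the next time the item is handed out, so any word that no longer matches means something wrote to the memory after it was freed. The JUNK_WORD value, the 32-byte item size and the function names below are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed junk pattern for this model; FreeBSD's UMA uses its own uma_junk value. */
#define JUNK_WORD 0xdeadc0dedeadc0deULL
/* One 32-byte item as four 64-bit words, mirroring the "(32)" in the panic line. */
#define ITEM_WORDS 4

struct trash_report {
    int modified;    /* 1 if some word no longer holds the junk pattern */
    size_t offset;   /* byte offset of the first modified word */
    uint64_t value;  /* the value found there instead of the pattern */
};

/* trash_dtor analogue: when an item is freed, overwrite it with the junk pattern. */
void trash_fill(uint64_t *item, size_t words)
{
    for (size_t i = 0; i < words; i++)
        item[i] = JUNK_WORD;
}

/* trash_ctor analogue: when the item is handed out again, verify the pattern
 * survived. The kernel panics with "Memory modified after free %p(%d) val=... @ %p";
 * this model returns a report instead so callers can inspect the finding. */
struct trash_report trash_check(const uint64_t *item, size_t words)
{
    struct trash_report r = { 0, 0, 0 };
    for (size_t i = 0; i < words; i++) {
        if (item[i] != JUNK_WORD) {
            r.modified = 1;
            r.offset = i * sizeof(uint64_t);
            r.value = item[i];
            return r;   /* report the first corrupted word, like the kernel */
        }
    }
    return r;
}

/* Free an item, optionally let a pointer kept past the free write to it,
 * then run the allocation-time check. Returns what the check found. */
struct trash_report demo_use_after_free(int stale_write)
{
    uint64_t item[ITEM_WORDS];
    uint64_t *stale = item;                /* the buggy caller's leftover pointer */
    trash_fill(item, ITEM_WORDS);          /* free path */
    if (stale_write)
        stale[0] = 0;                      /* write-after-free; val=0 as in the panic */
    return trash_check(item, ITEM_WORDS);  /* allocation path */
}
```

The "val=0" in the quoted panic is exactly what trash_check reports here: the first word that should still hold the junk pattern was found zeroed.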
