Bug #15306

open

zap_cursor_retrieve: illegal access to a user address

Added by Marcel Telka 11 months ago. Updated 4 months ago.

Status: New
Priority: Normal
Assignee: -
Category: zfs - Zettabyte File System
Start date:
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:
External Bug:

Description

I just faced the following panic on illumos as of 2022-11-14:

> ::status
debugging crash dump vmcore.13 (64-bit) from SERVER
operating system: 5.11 illumos-8b26092d55 (i86pc)
build version: heads/master-0-g8b26092d55-dirty

image uuid: 2effb1f4-d8bb-6d2e-ca96-e8d57c481f53
panic message: BAD TRAP: type=e (#pf Page fault) rp=fffffe003fb8af10 addr=9109b occurred in module "zfs" due to an illegal access to a user address
dump content: kernel pages only
> ::stack
mze_compare+4()
zap_cursor_retrieve+0x92(fffffe003fb8b138, fffffe003fb8b170)
dsl_deadlist_load_tree+0xba(fffffe2e8a6017b8)
dsl_deadlist_space_range+0xb7(fffffe2e8a6017b8, 468c258, 468c81d, fffffe003fb8b400, fffffe003fb8b408, fffffe003fb8b410)
dsl_destroy_snapshot_sync_impl+0x3f2(fffffe2f7897e280, 0, fffffe2d07e1ed00)
dsl_destroy_snapshot_sync+0x65(fffffe003fb8b568, fffffe2d07e1ed00)
zcp_sync_task+0x83(fffffe2cf0958008, fffffffff7987bb0, fffffffff7988d60, fffffe003fb8b568, 1, fffffe2d6e9786b8)
zcp_synctask_destroy+0x98(fffffe2cf0958008, 1, fffffe2ce77a2890)
zcp_synctask_wrapper+0xb1(fffffe2cf0958008)
luaD_precall+0x1f7(fffffe2cf0958008, fffffe2f3e970318, 1)
luaV_execute+0xfe1(fffffe2cf0958008)
luaD_call+0x48(fffffe2cf0958008, fffffe2d9028c6a8, ffffffff, 0)
f_call+0x13(fffffe2cf0958008, fffffe003fb8b8b8)
luaD_rawrunprotected+0x7d(fffffe2cf0958008, fffffffff7a5c660, fffffe003fb8b8b8)
luaD_pcall+0x52(fffffe2cf0958008, fffffffff7a5c660, fffffe003fb8b8b8, 20, 10)
lua_pcallk+0x80(fffffe2cf0958008, 1, ffffffff, 1, 0, 0)
zcp_eval_impl+0x108(fffffe2d07e1ed00, fffffe0040b2a988)
zcp_eval_sync+0x60(fffffe0040b2a988, fffffe2d07e1ed00)
dsl_sync_task_sync+0x93(fffffe0040b2a828, fffffe2d07e1ed00)
dsl_pool_sync+0x34b(fffffe2cb56bd500, 469d1e7)
spa_sync_iterate_to_convergence+0xd0(fffffe2ca839f000, fffffe2d810585c0)
spa_sync+0x2f6(fffffe2ca839f000, 469d1e7)
txg_sync_thread+0x1f5(fffffe2cb56bd500)
thread_start+0xb()
>

#1

Updated by Toomas Soome 4 months ago

Marcel Telka wrote:

I just faced the following panic on illumos as of 2022-11-14:
[...]

That stack trace seems to have eaten some frames; zap_cursor_retrieve does not directly call mze_compare, but it appears to be used via creating an avl (passed with the call to avl_create()), so there should be a call to avl_find() around that address in zap_cursor_retrieve(). Feels like either corruption of the deadlist or some missed corner case... of course, would need to check actual data from the dump to see if these mzap entries make sense there and whatnot.
