Bug #15306
zap_cursor_retrieve: illegal access to a user address
Status: New
Priority: Normal
Assignee: -
Category: zfs - Zettabyte File System
% Done: 0%
Difficulty: Medium
Description
I just faced the following panic on illumos as of 2022-11-14:
> ::status
debugging crash dump vmcore.13 (64-bit) from SERVER
operating system: 5.11 illumos-8b26092d55 (i86pc)
build version: heads/master-0-g8b26092d55-dirty
image uuid: 2effb1f4-d8bb-6d2e-ca96-e8d57c481f53
panic message: BAD TRAP: type=e (#pf Page fault) rp=fffffe003fb8af10 addr=9109b occurred in module "zfs" due to an illegal access to a user address
dump content: kernel pages only
> ::stack
mze_compare+4()
zap_cursor_retrieve+0x92(fffffe003fb8b138, fffffe003fb8b170)
dsl_deadlist_load_tree+0xba(fffffe2e8a6017b8)
dsl_deadlist_space_range+0xb7(fffffe2e8a6017b8, 468c258, 468c81d, fffffe003fb8b400, fffffe003fb8b408, fffffe003fb8b410)
dsl_destroy_snapshot_sync_impl+0x3f2(fffffe2f7897e280, 0, fffffe2d07e1ed00)
dsl_destroy_snapshot_sync+0x65(fffffe003fb8b568, fffffe2d07e1ed00)
zcp_sync_task+0x83(fffffe2cf0958008, fffffffff7987bb0, fffffffff7988d60, fffffe003fb8b568, 1, fffffe2d6e9786b8)
zcp_synctask_destroy+0x98(fffffe2cf0958008, 1, fffffe2ce77a2890)
zcp_synctask_wrapper+0xb1(fffffe2cf0958008)
luaD_precall+0x1f7(fffffe2cf0958008, fffffe2f3e970318, 1)
luaV_execute+0xfe1(fffffe2cf0958008)
luaD_call+0x48(fffffe2cf0958008, fffffe2d9028c6a8, ffffffff, 0)
f_call+0x13(fffffe2cf0958008, fffffe003fb8b8b8)
luaD_rawrunprotected+0x7d(fffffe2cf0958008, fffffffff7a5c660, fffffe003fb8b8b8)
luaD_pcall+0x52(fffffe2cf0958008, fffffffff7a5c660, fffffe003fb8b8b8, 20, 10)
lua_pcallk+0x80(fffffe2cf0958008, 1, ffffffff, 1, 0, 0)
zcp_eval_impl+0x108(fffffe2d07e1ed00, fffffe0040b2a988)
zcp_eval_sync+0x60(fffffe0040b2a988, fffffe2d07e1ed00)
dsl_sync_task_sync+0x93(fffffe0040b2a828, fffffe2d07e1ed00)
dsl_pool_sync+0x34b(fffffe2cb56bd500, 469d1e7)
spa_sync_iterate_to_convergence+0xd0(fffffe2ca839f000, fffffe2d810585c0)
spa_sync+0x2f6(fffffe2ca839f000, 469d1e7)
txg_sync_thread+0x1f5(fffffe2cb56bd500)
thread_start+0xb()
Updated by Toomas Soome 4 months ago
Marcel Telka wrote:
I just faced the following panic on illumos as of 2022-11-14:
[...]
That stack trace seems to have eaten some frames; zap_cursor_retrieve does not directly call mze_compare, but it appears to be used via creating an avl (passed with the call to avl_create()), so there should be a call to avl_find() around that address in zap_cursor_retrieve(). Feels like either corruption of the deadlist or some missed corner case... of course, would need to check actual data from the dump to see if these mzap entries make sense there and whatnot.
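Added example, not part of the report, the comment or illumos: a small Python triage helper that parses the BAD TRAP message and the `::stack` lines shown in this issue and checks whether a frame that should lie between two functions is missing. The function names and the constructed sample (copied from the dump in the description) are this example's own; `avl_find` is only the frame the comment says to expect.

```python
import re

# Constructed sample: panic message and top four frames copied from the dump above.
PANIC = ('BAD TRAP: type=e (#pf Page fault) rp=fffffe003fb8af10 addr=9109b occurred '
         'in module "zfs" due to an illegal access to a user address')
STACK = """\
mze_compare+4()
zap_cursor_retrieve+0x92(fffffe003fb8b138, fffffe003fb8b170)
dsl_deadlist_load_tree+0xba(fffffe2e8a6017b8)
dsl_deadlist_space_range+0xb7(fffffe2e8a6017b8, 468c258, 468c81d, fffffe003fb8b400, fffffe003fb8b408, fffffe003fb8b410)
"""

PANIC_RE = re.compile(
    r'type=(?P<type>[0-9a-f]+) .*?rp=(?P<rp>[0-9a-f]+) addr=(?P<addr>[0-9a-f]+) '
    r'occurred in module "(?P<module>[^"]+)" due to (?P<reason>.+)$')
FRAME_RE = re.compile(r'^(?P<func>[\w.`]+)\+(?P<off>(?:0x)?[0-9a-f]+)\((?P<args>[^)]*)\)$')


def parse_panic(msg):
    """Split a BAD TRAP message into trap type, regs pointer, fault address, module, reason."""
    m = PANIC_RE.search(msg.strip())
    if m is None:
        raise ValueError("not a BAD TRAP panic message")
    # type=e is hexadecimal 14, the x86 page-fault vector.
    return {"trap_type": int(m["type"], 16), "rp": int(m["rp"], 16),
            "addr": int(m["addr"], 16), "module": m["module"], "reason": m["reason"]}


def parse_stack(text):
    """Return (function, offset, [args]) per ::stack line, innermost frame first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m is None:          # skips mdb prompts and blank lines
            continue
        args = [int(a, 16) for a in m["args"].split(",") if a.strip()]
        frames.append((m["func"], int(m["off"], 16), args))
    return frames


def elided_between(frames, caller, callee, expected):
    """True when callee is above caller and no `expected` frame lies between them."""
    names = [f[0] for f in frames]
    if caller not in names or callee not in names:
        return False
    lo, hi = names.index(callee), names.index(caller)
    return lo < hi and expected not in names[lo + 1:hi]


if __name__ == "__main__":
    print(parse_panic(PANIC))
    print(elided_between(parse_stack(STACK), "zap_cursor_retrieve", "mze_compare", "avl_find"))
```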