https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289686
Bug ID: 289686
Summary: [panic] kernel panic: null pointer dereference in fuse_vnops.c:286
Product: Base System
Version: 14.3-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
Kernel: 14.3-RELEASE-p2
Unread portion of the kernel message buffer:
rdi: fffffe13be744c70 rsi: 0000000000000001 rdx: fffff85ee4b83201
rcx: 0000000000000000 r8: 0000000000000201 r9: fffff857376a7900
rax: 0000000000000000 rbx: fffff85ee4b831c0 rbp: fffffe13be744c30
r10: 0000000000000218 r11: 0000000000000c01 r12: fffff89ffa412000
r13: fffff88551397000 r14: fffff8564a211600 r15: fffffe143354b100
trap number = 12
panic: page fault
cpuid = 43
time = 1757978146
KDB: stack backtrace:
#0 0xffffffff80ba8f1d at kdb_backtrace+0x5d
#1 0xffffffff80b5aa11 at vpanic+0x161
#2 0xffffffff80b5a8a3 at panic+0x43
#3 0xffffffff8104dbfa at trap_pfault+0x3da
#4 0xffffffff81023d98 at calltrap+0x8
#5 0xffffffff811102dd at VOP_CLOSE_APV+0x1d
#6 0xffffffff80c5aa0c at vn_close1+0x14c
#7 0xffffffff80c58e0d at vn_closefile+0x3d
#8 0xffffffff80af6e61 at _fdrop+0x11
#9 0xffffffff80c0df29 at unp_dispose+0x269
#10 0xffffffff80c0476e at soshutdown+0x10e
#11 0xffffffff80c0bb21 at kern_shutdown+0x51
#12 0xffffffff8104e547 at amd64_syscall+0x117
#13 0xffffffff810246ab at fast_syscall_common+0xf8
__curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:57
57 __asm("movq %%gs:%P1,%0" : "=r" (td) : "n" (offsetof(struct
pcpu,
(kgdb) bt
#0 __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:57
#1 doadump (textdump=<optimized out>) at /usr/src/sys/kern/kern_shutdown.c:405
#2 0xffffffff80b5a56b in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:523
#3 0xffffffff80b5aa69 in vpanic (fmt=0xffffffff811a03c8 "%s", ap=ap@entry=0xfffffe13be744a00) at /usr/src/sys/kern/kern_shutdown.c:967
#4 0xffffffff80b5a8a3 in panic (fmt=<unavailable>) at /usr/src/sys/kern/kern_shutdown.c:891
#5 0xffffffff8104dbfa in trap_fatal (frame=<optimized out>, eva=<optimized out>) at /usr/src/sys/amd64/amd64/trap.c:1000
#6 0xffffffff8104dbfa in trap_pfault (frame=0xfffffe13be744a80, usermode=false, signo=<optimized out>, ucode=<optimized out>)
#7 <signal handler called>
#8 0xffffffff8418d4a5 in fuse_vnop_close (ap=0xfffffe13be744c70) at /usr/src/sys/fs/fuse/fuse_vnops.c:286
#9 0xffffffff811102dd in VOP_CLOSE_APV (vop=0xffffffff84196d88 <fuse_vnops>, a=a@entry=0xfffffe13be744c70) at vnode_if.c:496
#10 0xffffffff80c5aa0c in VOP_CLOSE (vp=0xfffff85ee4b831c0, fflag=1, cred=0xfffff8564a211600, td=0x0) at ./vnode_if.h:247
#11 vn_close1 (vp=vp@entry=0xfffff85ee4b831c0, flags=1, file_cred=0xfffff8564a211600, td=0x0, keep_ref=false) at /usr/src/sys/kern/vfs_vnops.c:543
#12 0xffffffff80c58e0d in vn_closefile (fp=0xfffff93fb97d42d0, td=0x0) at /usr/src/sys/kern/vfs_vnops.c:1872
#13 0xffffffff80af6e61 in fo_close (fp=0xfffffe13be744c70, td=0x1, td@entry=0x0) at /usr/src/sys/sys/file.h:396
#14 _fdrop (fp=0xfffffe13be744c70, td=0x1, td@entry=0x0) at /usr/src/sys/kern/kern_descrip.c:3711
#15 0xffffffff80afa73a in closef_nothread (fp=0xfffffe13be744c70) at /usr/src/sys/kern/kern_descrip.c:2852
#16 0xffffffff80c0e208 in unp_discard (fp=0xfffffe13be744c70, fp@entry=0xfffff93fb97d42d0) at /usr/src/sys/kern/uipc_usrreq.c:2921
#17 0xffffffff80c0df29 in unp_freerights (fdep=0xfffff8c087015830, fdcount=1) at /usr/src/sys/kern/uipc_usrreq.c:2431
#18 unp_scan (m0=0xfffff941ae168500, op=<optimized out>) at /usr/src/sys/kern/uipc_usrreq.c:3333
#19 unp_dispose (so=<optimized out>) at /usr/src/sys/kern/uipc_usrreq.c:3302
#20 0xffffffff80c0476e in soshutdown (so=<optimized out>, how=how@entry=2) at /usr/src/sys/kern/uipc_socket.c:3661
#21 0xffffffff80c0bb21 in kern_shutdown (td=0xfffff89ffa412000, s=<optimized out>, how=2) at /usr/src/sys/kern/uipc_syscalls.c:1210
#22 0xffffffff8104e547 in syscallenter (td=0xfffff89ffa412000) at /usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:193
#23 amd64_syscall (td=0xfffff89ffa412000, traced=0) at /usr/src/sys/amd64/amd64/trap.c:1241
#24 <signal handler called>
#25 0x0000000825796a7a in ?? ()
Backtrace stopped: Cannot access memory at address 0x8456c4ef8
Looks like the problem is in sys/fs/fuse/fuse_vnops.c:788 where ap->a_td
returned NULL:
788 struct thread *td = ap->a_td;
In line 789, it's trying to dereference td->td_proc->p_pid and crashes because
td is NULL.
Based on my modest knowledge, the fix is quite simple. At line 789:
- pid_t pid = td->td_proc->p_pid;
+ pid_t pid = (td != NULL) ? td->td_proc->p_pid : 0;
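Review bot: the ternary covers the td == NULL case the backtrace shows, but the change needs a comment saying where that NULL comes from, otherwise the next reader will assume a_td is always set. Frames #10 through #15 show td=0x0 entering VOP_CLOSE from closef_nothread, i.e. a close driven by unp_dispose during socket shutdown rather than by a thread's own close call, so a one-line comment next to the fallback such as `/* no thread on the closef_nothread path; pid 0 is acceptable here */` would record both the trigger and the reason the 0 fallback is safe, which the paragraph below argues but the diff itself does not.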
Looking deeper into the code, it's allowed to have a pid equal to 0, and it
shouldn't crash.
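As an added illustration (this is not FreeBSD's code and not the reporter's patch), the following C model rebuilds the two close paths visible in the backtrace with constructed stand-in structs for struct thread, struct proc and vop_close_args, and shows the unguarded dereference beside the proposed guard. The pid value 1234 and the helper names are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed stand-ins for the kernel types; not FreeBSD's definitions. */
struct proc   { pid_t p_pid; };
struct thread { struct proc *td_proc; };
struct vop_close_args { struct thread *a_td; int a_fflag; };

/* The dereference as the report describes it at fuse_vnops.c:789:
 * valid only when the caller supplied a thread. */
static pid_t close_pid_unguarded(const struct vop_close_args *ap)
{
    struct thread *td = ap->a_td;
    return td->td_proc->p_pid;          /* page fault when td == NULL */
}

/* The reporter's proposed guard: fall back to pid 0 when no thread is given. */
static pid_t close_pid_guarded(const struct vop_close_args *ap)
{
    struct thread *td = ap->a_td;
    return (td != NULL) ? td->td_proc->p_pid : 0;
}

/* Model of the two callers seen in the backtrace. A close issued on behalf
 * of a thread carries that thread in a_td; the socket-rights cleanup path
 * (closef_nothread, frame #15) reaches VOP_CLOSE with td=0x0 (frames #10-#12). */
static pid_t model_vop_close(struct thread *td)
{
    struct vop_close_args ap = { .a_td = td, .a_fflag = 1 };
    return close_pid_guarded(&ap);
}

/* Constructed sample: a process with pid 1234 closing through its own thread.
 * Both variants agree when a thread is present; returns -1 if they differ. */
pid_t demo_thread_close(void)
{
    struct proc p = { .p_pid = 1234 };
    struct thread t = { .td_proc = &p };
    struct vop_close_args ap = { .a_td = &t, .a_fflag = 1 };
    if (close_pid_unguarded(&ap) != close_pid_guarded(&ap))
        return -1;
    return model_vop_close(&t);
}

/* Constructed sample: the no-thread path, which the unguarded code faults on. */
pid_t demo_nothread_close(void)
{
    return model_vop_close(NULL);
}

int main(void)
{
    printf("thread close pid = %d\n", (int)demo_thread_close());
    printf("no-thread close pid = %d\n", (int)demo_nothread_close());
    return 0;
}
```

Running the model prints 1234 for the thread-bearing close and 0 for the no-thread close; calling close_pid_unguarded on the second path is exactly the fault in frame #8.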