https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293382

--- Comment #23 from Konstantin Belousov <[email protected]> ---
My belief is that kn is freed somewhere, which explains 0xdeadc0de.  I cannot
easily guess where such a thing could happen.  Let's try the brute-force
approach then.

Below is the patch, to be applied on top of my previous patch.  It is debug
only.  When the panic due to the new assert (kn->kn_kq != kq) occurs, the kn
variable should point to struct eknote instead of struct knote.  I am
interested in the *eknote content, and in the lookup of the source lines for
the captured stack trace, which should point to the place where the free of
kn occurred.

I do not have better idea how to proceed ATM.

commit 6536e2123f1249a3e8fa8e4895b01abc95381633
Author: Konstantin Belousov <[email protected]>
Date:   Wed Mar 25 03:47:59 2026 +0200

    debug

diff --git a/sys/kern/kern_event.c b/sys/kern/kern_event.c
index 38928a68dd94..70f9ba07716d 100644
--- a/sys/kern/kern_event.c
+++ b/sys/kern/kern_event.c
@@ -230,6 +230,13 @@ static const struct filterops user_filtops = {
        .f_copy = knote_triv_copy,
 };

+#include <sys/stack.h>
+struct eknote {
+       struct knote k;
+       struct knote c;
+       struct stack s;
+};
+
 static uma_zone_t      knote_zone;
 static unsigned int __exclusive_cache_line     kq_ncallouts;
 static unsigned int    kq_calloutmax = 4 * 1024;
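Review bot: The `#include <sys/stack.h>` at line 34 sits between two definitions rather than with the file's other system headers, which are presumably at the top of kern_event.c; moving it there keeps even a debug-only patch easy to read and to strip later. struct eknote would also benefit from a one-line comment stating which member holds what, e.g. `/* debug: c = copy of k taken in knote_free, s = stack of the freeing call */`, since whoever reads the crash dump has only this definition to go by.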
@@ -2962,8 +2969,8 @@ static void
 knote_init(void *dummy __unused)
 {

-       knote_zone = uma_zcreate("KNOTE", sizeof(struct knote), NULL, NULL,
-           NULL, NULL, UMA_ALIGN_PTR, 0);
+       knote_zone = uma_zcreate("KNOTE", sizeof(struct eknote), NULL, NULL,
+           NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
        ast_register(TDA_KQUEUE, ASTR_ASTF_REQUIRED, 0, ast_kqueue);
        prison0.pr_klist = knlist_alloc(&prison0.pr_mtx);
 }
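Review bot: UMA_ZONE_NOFREE at line 51 keeps the zone's slabs from being returned to the system, but as far as I know it does not stop a freed item from being handed out again by the next knote_alloc(), whose M_ZERO then wipes the saved copy in e->c and the trace in e->s (filled in by knote_free in the following hunk). The poisoned knote and its free trace therefore survive only until the item is reused, which on a busy kqueue may be almost immediate, and the new assert would then see a freshly zeroed knote rather than the poison. If memory growth is acceptable for a reproduction run, simply not calling `uma_zfree(knote_zone, e);` in knote_free keeps every freed eknote intact for inspection; otherwise a comment on the flag such as `/* debug: keep slabs resident; items are still reused by knote_alloc */` should state what it does and does not guarantee.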
@@ -2972,15 +2979,22 @@ SYSINIT(knote, SI_SUB_PSEUDO, SI_ORDER_ANY, knote_init,
NULL);
 static struct knote *
 knote_alloc(int mflag)
 {
+       struct eknote *e;

-       return (uma_zalloc(knote_zone, mflag | M_ZERO));
+       e = uma_zalloc(knote_zone, mflag | M_ZERO);
+       return (&e->k);
 }

 static void
 knote_free(struct knote *kn)
 {
+       struct eknote *e;

-       uma_zfree(knote_zone, kn);
+       e = __containerof(kn, struct eknote, k);
+       e->c = e->k;
+       stack_save(&e->s);
+       memset(&e->k, 0xdeadc0de, sizeof(e->k));
+       uma_zfree(knote_zone, e);
 }

 /*
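Review bot: memset at line 76 converts its fill argument to unsigned char, so the knote is filled with 0xde bytes (a pointer field reads 0xdededededededede), not the 0xdeadc0de word pattern the report mentions; that is usable as a distinct poison, but the value should be stated so the dump reader knows what to look for, e.g. `memset(&e->k, 0xde, sizeof(e->k)); /* poison: 0xdede... marks a knote freed by knote_free */`, or fill 32-bit words in a loop if the exact 0xdeadc0de pattern is wanted. Separately, knote_alloc at line 64 returns &e->k even when uma_zalloc() returned NULL for a request whose mflag allows failure; the original passed that NULL straight to the caller, and forming &e->k on a null e is formally undefined even though k is at offset 0, so add `if (e == NULL) return (NULL);` before the return.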
