Bug 196982

Summary: vm_page_unwire panic while writing to zfs filesystem
Product: Base System Reporter: Dave <dhducati>
Component: kernAssignee: freebsd-bugs (Nobody) <bugs>
Status: Open ---    
Severity: Affects Only Me CC: fs
Priority: --- Keywords: crash
Version: 9.3-RELEASE   
Hardware: amd64   
OS: Any   

Description Dave 2015-01-22 00:20:00 UTC 
After seeing various random zfs panics/reboots on 9.2, I updated to 9.3.  I have caught the following panic twice now in the space of an hour.  In both cases, I was running tar to make a tarball of a ufs filesystem, with the tarball being written to a zfs filesystem.

This is FreeBSD 9.3-RELEASE-p5 as installed via freebsd-update:

9.3-RELEASE-p5 FreeBSD 9.3-RELEASE-p5 #0: Mon Nov  3 22:38:58 UTC 2014     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

panic: vm_page_unwire: page 0xfffffe022bd7e878's wire count is zero

KDB: stack backtrace:
#0 0xffffffff80925726 at kdb_backtrace+0x66
#1 0xffffffff808eb2ee at panic+0x1ce
#2 0xffffffff80b6a505 at vm_page_unwire+0xf5
#3 0xffffffff80b574e2 at vm_fault_unwire+0xb2
#4 0xffffffff80b5f2bf at vm_map_delete+0xdf
#5 0xffffffff80b5f611 at vm_map_remove+0x51
#6 0xffffffff80b531ba at uma_large_free+0x3a
#7 0xffffffff808d399a at free+0x5a
#8 0xffffffff81a2adac at arc_buf_destroy+0x11c
#9 0xffffffff81a2b04f at arc_hdr_destroy+0x1ff
#10 0xffffffff81a2cf00 at arc_buf_remove_ref+0xf0
#11 0xffffffff81a35171 at dbuf_rele_and_unlock+0xa1
#12 0xffffffff81a48a8c at dmu_tx_check_ioerr+0xac
#13 0xffffffff81a48e7e at dmu_tx_count_write+0x3be
#14 0xffffffff81a4961a at dmu_tx_hold_write+0x4a
#15 0xffffffff81acceb9 at zfs_freebsd_write+0x489
#16 0xffffffff80dd50a5 at VOP_WRITE_APV+0xe5
#17 0xffffffff8099ab4e at vn_write+0x37e

(kgdb) #0  doadump (textdump=<value optimized out>) at pcpu.h:235
#1  0xffffffff808eadc6 in kern_reboot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:454
#2  0xffffffff808eb2c7 in panic (fmt=0x1 <Address 0x1 out of bounds>)
    at /usr/src/sys/kern/kern_shutdown.c:642
#3  0xffffffff80b6a505 in vm_page_unwire (m=<value optimized out>,
    activate=<value optimized out>) at /usr/src/sys/vm/vm_page.c:2219
#4  0xffffffff80b574e2 in vm_fault_unwire (map=<value optimized out>,
    start=<value optimized out>, end=18446743524292603904, fictitious=0)
    at /usr/src/sys/vm/vm_fault.c:1242
#5  0xffffffff80b5f2bf in vm_map_delete (map=0xfffffe00020000f0,
    start=18446743524292472832, end=18446743524292603904)
    at /usr/src/sys/vm/vm_map.c:2755
#6  0xffffffff80b5f611 in vm_map_remove (map=0xfffffe00020000f0,
    start=18446743524292472832, end=18446743524292603904)
    at /usr/src/sys/vm/vm_map.c:2947
#7  0xffffffff80b531ba in uma_large_free (slab=0xfffffe00a69416a8)
    at /usr/src/sys/vm/uma_core.c:3089
#8  0xffffffff808d399a in free (addr=0xffffff801430b000,
    mtp=0xffffffff81b77ce0) at /usr/src/sys/kern/kern_malloc.c:607
#9  0xffffffff81a2adac in arc_buf_destroy (buf=0xfffffe015a31a510,
    recycle=<value optimized out>, all=1)
    at /usr/src/sys/modules/zfs/../../cddl/contrib/opensolaris/uts/common/fs/zfs/arc.c:1668
#10 0xffffffff81a2b04f in arc_hdr_destroy (hdr=0xfffffe01da7a0510)
    at /usr/src/sys/modules/zfs/../../cddl/contrib/opensolaris/uts/common/fs/zfs/arc.c:1776
#11 0xffffffff81a2cf00 in arc_buf_remove_ref (buf=0xfffffe015a31a510,
    tag=0xfffffe01a66f6b60)
    at /usr/src/sys/modules/zfs/../../cddl/contrib/opensolaris/uts/common/fs/zfs/arc.c:1850
#12 0xffffffff81a35171 in dbuf_rele_and_unlock (db=0xfffffe01a66f6b60,
    tag=<value optimized out>)
    at /usr/src/sys/modules/zfs/../../cddl/contrib/opensolaris/uts/common/fs/zfs/dbuf.c:2078
#13 0xffffffff81a48a8c in dmu_tx_check_ioerr (zio=0xfffffe0031212398,
    dn=0xfffffe0122287000, level=<value optimized out>,
    blkid=<value optimized out>)
    at /usr/src/sys/modules/zfs/../../cddl/contrib/opensolaris/uts/common/fs/zfs/dmu_tx.c:166
#14 0xffffffff81a48e7e in dmu_tx_count_write (txh=0xfffffe015c3e8a00,
    off=5105778688, len=8192)
    at /usr/src/sys/modules/zfs/../../cddl/contrib/opensolaris/uts/common/fs/zfs/dmu_tx.c:258
#15 0xffffffff81a4961a in dmu_tx_hold_write (tx=<value optimized out>,
    object=<value optimized out>, off=5105778688, len=<value optimized out>)
    at /usr/src/sys/modules/zfs/../../cddl/contrib/opensolaris/uts/common/fs/zfs/dmu_tx.c:414
#16 0xffffffff81acceb9 in zfs_freebsd_write (ap=<value optimized out>)
    at /usr/src/sys/modules/zfs/../../cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c:985
#17 0xffffffff80dd50a5 in VOP_WRITE_APV (vop=0xffffffff81b47d40,
    a=0xffffff8246b92830) at vnode_if.c:983
#18 0xffffffff8099ab4e in vn_write (fp=0xfffffe018ac22b90,
    uio=0xffffff8246b92ad0, active_cred=0xfffffe018ae1a600, flags=1,
    td=<value optimized out>) at vnode_if.h:413
#19 0xffffffff809985d0 in vn_io_fault (fp=0xfffffe018ac22b90,
    uio=0xffffff8246b92ad0, active_cred=0xfffffe018ae1a600, flags=0,
    td=0xfffffe015b71b000) at /usr/src/sys/kern/vfs_vnops.c:911
#20 0xffffffff809388f5 in dofilewrite (td=0xfffffe015b71b000, fd=3,
    fp=0xfffffe018ac22b90, auio=0xffffff8246b92ad0,
    offset=<value optimized out>, flags=0) at file.h:295
#21 0xffffffff80938c2c in kern_writev (td=0xfffffe015b71b000, fd=3,
    auio=0xffffff8246b92ad0) at /usr/src/sys/kern/sys_generic.c:463
#22 0xffffffff80938cb4 in sys_write (td=<value optimized out>,
    uap=<value optimized out>) at /usr/src/sys/kern/sys_generic.c:379
#23 0xffffffff80cd209a in amd64_syscall (td=0xfffffe015b71b000, traced=0)
    at subr_syscall.c:135
#24 0xffffffff80cbc727 in Xfast_syscall ()
    at /usr/src/sys/amd64/amd64/exception.S:391
#25 0x0000000801786afc in ?? ()

I have the vmcore files for both of these.  The traces are the same in each case.
Comment 1 Graham Perrin 2023-09-11 07:17:10 UTC 
Reproducible with OpenZFS in 13.2-RELEASE-p3 or greater? 

stable/12 (OpenZFS optional, not integral) reaches end of life this year.