Bug 291238 - panic in sdt_kld_unload_try when module load fails
Status: In Progress
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 16.0-CURRENT
Hardware: amd64 Any
Importance: --- Affects Only Me
Assignee: Mark Johnston
URL: https://reviews.freebsd.org/D53938
Keywords: crash
Reported: 2025-11-26 17:05 UTC by Cy Schubert
Modified: 2025-12-01 14:22 UTC
Description Cy Schubert freebsd_committer freebsd_triage 2025-11-26 17:05:53 UTC
When reapplying 9562994a7aacee2baae6ddee1a7b558b48ae39ef a panic occurs when poudriere starts.

Discussed with emaste@.

The backtrace:

(kgdb) bt
#0  __curthread () at /opt/src/git-src/sys/amd64/include/pcpu_aux.h:57
#1  doadump (textdump=textdump@entry=1) at /opt/src/git-src/sys/kern/kern_shutdown.c:399
#2  0xffffffff807165ce in kern_reboot (howto=260) at /opt/src/git-src/sys/kern/kern_shutdown.c:519
#3  0xffffffff80716af7 in vpanic (fmt=0xffffffff80b5833f "%s", ap=ap@entry=0xfffffe008ceaa7d0) at /opt/src/git-src/sys/kern/kern_shutdown.c:974
#4  0xffffffff80716923 in panic (fmt=<unavailable>) at /opt/src/git-src/sys/kern/kern_shutdown.c:887
#5  0xffffffff80ad0b7f in trap_fatal (frame=<optimized out>, eva=<optimized out>) at /opt/src/git-src/sys/amd64/amd64/trap.c:969
#6  0xffffffff80ad0b7f in trap_pfault (frame=0xfffffe008ceaa850, usermode=false, signo=<optimized out>, ucode=<optimized out>)
#7  <signal handler called>
#8  0xffffffff81d86282 in sdt_kld_unload_probes (lf=0xfffff8016725e480) at /opt/src/git-src/sys/cddl/dev/sdt/sdt.c:494
#9  sdt_kld_unload_try (arg=<optimized out>, lf=0xfffff8016725e480, error=0xfffffe008ceaa994) at /opt/src/git-src/sys/cddl/dev/sdt/sdt.c:567
#10 0xffffffff806e069c in linker_file_unload (file=0xfffff8016725e480, flags=flags@entry=1) at /opt/src/git-src/sys/kern/kern_linker.c:706
#11 0xffffffff80aef490 in link_elf_load_file (cls=<optimized out>, filename=<optimized out>, result=<optimized out>) at /opt/src/git-src/sys/kern/link_elf_obj.c:1277
#12 0xffffffff806dfe77 in LINKER_LOAD_FILE (cls=0xffffffff810df828 <link_elf_class>, filename=0xfffff800031b4a00 "/boot/kernel/linux.ko", result=0xfffffe008ceaac18) at ./linker_if.h:266
#13 linker_load_file (filename=0xfffff800031b4a00 "/boot/kernel/linux.ko", result=<optimized out>) at /opt/src/git-src/sys/kern/kern_linker.c:480
#14 linker_load_module (kldname=kldname@entry=0x0, modname=0xfffff80040170c00 "linux", parent=parent@entry=0x0, verinfo=verinfo@entry=0x0, lfpp=lfpp@entry=0xfffffe008ceaada0) at /opt/src/git-src/sys/kern/kern_linker.c:2293
#15 0xffffffff806e1e55 in kern_kldload (td=td@entry=0xfffff8003dbe1000, file=file@entry=0xfffff80040170c00 "linux", fileid=fileid@entry=0xfffffe008ceaade4) at /opt/src/git-src/sys/kern/kern_linker.c:1237
#16 0xffffffff806e1f69 in sys_kldload (td=0xfffff8003dbe1000, uap=0xfffff8003dbe1428) at /opt/src/git-src/sys/kern/kern_linker.c:1260
#17 0xffffffff80ad14b6 in syscallenter (td=0xfffff8003dbe1000) at /opt/src/git-src/sys/amd64/amd64/../../kern/subr_syscall.c:193
#18 amd64_syscall (td=0xfffff8003dbe1000, traced=0) at /opt/src/git-src/sys/amd64/amd64/trap.c:1208
#19 <signal handler called>
#20 0x00002e4f6f437f1a in ?? ()
Backtrace stopped: Cannot access memory at address 0x2e4f6bc74eb8
(kgdb) frame 8
#8  0xffffffff81d86282 in sdt_kld_unload_probes (lf=0xfffff8016725e480) at /opt/src/git-src/sys/cddl/dev/sdt/sdt.c:494
494                             tp2 = STAILQ_FIRST(&tp->probe->tracepoint_list);
(kgdb) p &tp->probe->tracepoint_list
$1 = (struct {...} *) 0x30
(kgdb)
Comment 1 Mark Johnston freebsd_committer freebsd_triage 2025-11-26 18:04:36 UTC
The problem is that we're invoking the kld_unload_try eventhandlers without having processed relocations on the linker file in question.
Comment 2 Ed Maste freebsd_committer freebsd_triage 2025-11-26 18:57:02 UTC
Ah, it looks like the only consumers are in sys/cddl/dev/dtrace/dtrace_load.c and sys/cddl/dev/sdt/sdt.c. I suppose this is just a long-standing issue.
Comment 3 commit-hook freebsd_committer freebsd_triage 2025-12-01 14:22:01 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=72b114169bd56ec157d746a2df87b3a4617065b3

commit 72b114169bd56ec157d746a2df87b3a4617065b3
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-11-26 18:15:48 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-12-01 14:19:18 +0000

    linker: Avoid invoking eventhandlers on incompletely loaded files

    We do not invoke the kld_load eventhandler until after the file is fully
    linked, so don't invoke the kld_unload_try or kld_unload event handlers
    unless the file is fully linked either.

    In my case, the dtrace SDT kld_unload_try handler was running before
    relocations were processed against the file, and that caused problems
    when sdt_kld_unload_probes() accesses elements of a linker set.

    Move the kld_unload handler invocation earlier, to after sysuninits have
    been run.  This is a bit more consistent with the kld_load handler.

    PR:             291238
    Reviewed by:    imp, emaste, kib
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D53938

 sys/kern/kern_linker.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
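
The ordering problem described in Comment 1 and in the commit message, modeled in user space as an added example (not FreeBSD source and not the committed change). All `toy_` names and the `TOY_LINKED` flag are hypothetical; the model returns -1 at the point where the kernel handler dereferenced an unrelocated pointer and faulted.

```c
#include <stddef.h>
#include <stdio.h>
/* Hypothetical user-space model; these are not FreeBSD kernel identifiers. */
struct toy_probe { int ntracepoints; };
struct toy_tracepoint { struct toy_probe *probe; }; /* filled in by relocation */
#define TOY_LINKED 0x1 /* set only once relocations have been processed */
struct toy_file { int flags; struct toy_tracepoint set[2]; }; /* set: stand-in for a linker set */
static struct toy_probe the_probe = { 3 };

/* Unload handler that walks the set. Returns the tracepoint count, or -1
 * where it met an unrelocated (NULL) pointer; the kernel would fault there. */
static int toy_unload_handler(const struct toy_file *f)
{
	int seen = 0;
	for (size_t i = 0; i < 2; i++) {
		if (f->set[i].probe == NULL)
			return -1;
		seen += f->set[i].probe->ntracepoints;
	}
	return seen;
}

/* Unload path. With guard != 0 the handler is skipped (result 0) unless
 * the file reached the fully linked state. */
static int toy_unload(const struct toy_file *f, int guard)
{
	if (guard && (f->flags & TOY_LINKED) == 0)
		return 0;
	return toy_unload_handler(f);
}

/* Load a file; if fail_early is set, the load aborts before relocation and
 * cleans up through the unload path. Returns the unload handler's result. */
static int toy_load_then_unload(int fail_early, int guard)
{
	struct toy_file f = { 0, { { NULL }, { NULL } } };
	if (!fail_early) {
		for (size_t i = 0; i < 2; i++)
			f.set[i].probe = &the_probe; /* relocation */
		f.flags |= TOY_LINKED;
	}
	return toy_unload(&f, guard);
}

int main(void)
{
	printf("failed/unguarded=%d failed/guarded=%d full/guarded=%d\n",
	    toy_load_then_unload(1, 0), toy_load_then_unload(1, 1), toy_load_then_unload(0, 1));
	return 0;
}
```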