NULL pointer dereference in ddt_prefetch from zfs_sa_set_xattr

[chrisrd]

I received this with linux 3.0.14, zfs 30a9524, spl e05bec8 + cherry-pick 791dc87:

[10141.730149] BUG: unable to handle kernel NULL pointer dereference at 0000000000000090
[10141.730202] IP: [] ddt_prefetch+0x5a/0x92 [zfs]
[10141.730272] PGD 510c1b067 PUD 4c096c067 PMD 0
[10141.730305] Oops: 0000 [#1] SMP
[10141.730333] CPU 8
[10141.730340] Modules linked in: fuse nfsd exportfs zfs(P) zcommon(P) znvpair(P) zavl(P) zunicode(P) spl zlib_deflate sha256_generic aesni_intel cryptd aes_x86_64 aes_generic cbc dm_crypt dm_mod nfs lockd auth_rpcgss nfs_acl sunrpc bridge stp llc sg sd_mod usbhid hid uhci_hcd mpt2sas psmouse scsi_transport_sas raid_class scsi_mod i2c_i801 i2c_core ioatdma ehci_hcd igb dca button processor thermal_sys
[10141.730623]
[10141.730645] Pid: 27491, comm: rsync Tainted: P 3.0.14-otn-00018-g2c7c13d #1 Supermicro X8DTH-i/6/iF/6F/X8DTH
[10141.730704] RIP: 0010:[] [] ddt_prefetch+0x5a/0x92 [zfs]
[10141.730777] RSP: 0018:ffff8804cd9059a8 EFLAGS: 00010206
[10141.730805] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000037353963
[10141.730835] RDX: 0000003337353963 RSI: 0000000000003963 RDI: ffff8804cd9059c8
[10141.730866] RBP: ffff8804cd905b98 R08: ffff88063fd14a80 R09: 0000000000000000
[10141.730897] R10: 00000000013192c8 R11: 6635343664626462 R12: 0000000000000000
[10141.730928] R13: 0000000000000000 R14: ffff8804cd9059a8 R15: 0000000013c85377
[10141.730960] FS: 00007f7084412700(0000) GS:ffff88063fd00000(0000) knlGS:0000000000000000
[10141.731006] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[10141.731035] CR2: 0000000000000090 CR3: 0000000510c1a000 CR4: 00000000000006e0
[10141.731065] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[10141.731096] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[10141.731128] Process rsync (pid: 27491, threadinfo ffff8804cd904000, task ffff880627771670)
[10141.731174] Stack:
[10141.731195] 373731340e000000 3a3020302c302035 0000000000003038 0000000000000000
[10141.731249] 0000003337353963 0000000000000000 0000000000000000 0000000000000000
[10141.731303] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[10141.731356] Call Trace:
[10141.731405] [] ? dbuf_read+0x15e/0x60b [zfs]
[10141.731437] [] ? kfree+0x56/0xec
[10141.731472] [] ? kmem_alloc_debug+0x76/0xd1 [spl]
[10141.731523] [] ? dbuf_rele_and_unlock+0x192/0x197 [zfs]
[10141.731555] [] ? __kmalloc+0xa5/0x118
[10141.731589] [] ? kmem_alloc_debug+0x76/0xd1 [spl]
[10141.731649] [] dsl_dataset_block_freeable+0x37/0x43 [zfs]
[10141.731705] [] dmu_tx_hold_spill+0x61/0x8f [zfs]
[10141.731753] [] dmu_tx_hold_sa+0x10c/0x152 [zfs]
[10141.736805] [] zfs_sa_set_xattr+0xa6/0x10c [zfs]
[10141.736860] [] zpl_xattr_set+0x172/0x226 [zfs]
[10141.736914] [] zpl_xattr_user_set+0x70/0x89 [zfs]
[10141.736944] [] generic_setxattr+0x68/0x6a
[10141.736973] [] __vfs_setxattr_noperm+0x6b/0xd0
[10141.737002] [] vfs_setxattr+0x79/0x97
[10141.737029] [] setxattr+0xb8/0xd6
[10141.737055] [] ? putname+0x2d/0x36
[10141.737083] [] ? user_path_at_empty+0x5e/0x8f
[10141.737113] [] ? kfree+0x56/0xec
[10141.737141] [] sys_lsetxattr+0x5d/0x82
[10141.737171] [] system_call_fastpath+0x16/0x1b
[10141.737199] Code: 85 d0 74 4f 48 c1 e8 28 4c 8d b5 10 fe ff ff 45 31 e4 25 ff 00 00 00 31 db 4c 8b ac c7 a0 09 00 00 4c 89 f7 e8 3d fc ff ff 89 d8
[10141.737422] RIP [] ddt_prefetch+0x5a/0x92 [zfs]
[10141.737469] RSP
[10141.737492] CR2: 0000000000000090
[10141.737846] ---[ end trace 013bdb5332844955 ]---

[chrisrd]

And again:

[57470.618574] BUG: unable to handle kernel NULL pointer dereference at 0000000000000090
[57470.618625] IP: [<ffffffffa03a07a2>] ddt_prefetch+0x5a/0x92 [zfs]
[57470.618681] PGD 4ea90c067 PUD 58d04a067 PMD 0 
[57470.618712] Oops: 0000 [#2] SMP 
[57470.618740] CPU 1 
[57470.618746] Modules linked in: fuse nfsd exportfs zfs(P) zcommon(P) znvpair(P) zavl(P) zunicode(P) spl zlib_deflate sha256_generic aesni_intel cryptd aes_x86_64
aes_generic cbc dm_crypt dm_mod nfs lockd auth_rpcgss nfs_acl sunrpc bridge stp llc sg sd_mod usbhid hid uhci_hcd mpt2sas psmouse scsi_transport_sas raid_class scsi_mod i2c_i801 i2c_core io
atdma ehci_hcd igb dca button processor thermal_sys
[57470.619012] 
[57470.619032] Pid: 23047, comm: rsync Tainted: P      D     3.0.14-otn-00018-g2c7c13d #1 Supermicro X8DTH-i/6/iF/6F/X8DTH
[57470.619089] RIP: 0010:[<ffffffffa03a07a2>]  [<ffffffffa03a07a2>] ddt_prefetch+0x5a/0x92 [zfs]
[57470.619153] RSP: 0018:ffff8805abad99a8  EFLAGS: 00010206
[57470.619179] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000037353963
[57470.619209] RDX: 0000003337353963 RSI: 0000000000003963 RDI: ffff8805abad99c8
[57470.619238] RBP: ffff8805abad9b98 R08: ffff88063fc54a80 R09: 0000000000000000
[57470.619267] R10: ffff8805abad9b10 R11: 6231326634373965 R12: 0000000000000000
[57470.619296] R13: 0000000000000000 R14: ffff8805abad99a8 R15: 000000000061fc11
[57470.619326] FS:  00007ff426353700(0000) GS:ffff88063fc40000(0000) knlGS:0000000000000000
[57470.619371] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[57470.619398] CR2: 0000000000000090 CR3: 00000004fd9d0000 CR4: 00000000000006e0
[57470.619427] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[57470.619456] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[57470.619486] Process rsync (pid: 23047, threadinfo ffff8805abad8000, task ffff880482d9c350)
[57470.619530] Stack:
[57470.619550]  373731340e000000 3a3020302c302035 0000000000003038 0000000000000000
[57470.619601]  0000003337353963 0000000000000000 0000000000000000 0000000000000000
[57470.619653]  0000000000000000 0000000000000000 0000000000000000 0000000000000000
[57470.619704] Call Trace:
[57470.619742]  [<ffffffffa039dab5>] ? dbuf_read+0x15e/0x60b [zfs]
[57470.619772]  [<ffffffff810f0443>] ? kfree+0x56/0xec
[57470.619804]  [<ffffffffa02f16a4>] ? kmem_free_debug+0x11/0x13 [spl]
[57470.619846]  [<ffffffffa039d030>] ? dbuf_rele_and_unlock+0x192/0x197 [zfs]
[57470.619890]  [<ffffffffa039d364>] ? dmu_buf_rele+0x25/0x2c [zfs]
[57470.619919]  [<ffffffff810f00d7>] ? __kmalloc+0x47/0x118
[57470.619949]  [<ffffffffa02f193b>] ? kmem_alloc_debug+0x76/0xd1 [spl]
[57470.620000]  [<ffffffffa03bb098>] dsl_dataset_block_freeable+0x37/0x43 [zfs]
[57470.620048]  [<ffffffffa03ad558>] dmu_tx_hold_spill+0x61/0x8f [zfs]
[57470.620096]  [<ffffffffa03ae830>] dmu_tx_hold_sa+0x10c/0x152 [zfs]
[57470.620152]  [<ffffffffa04007fb>] zfs_sa_set_xattr+0xa6/0x10c [zfs]
[57470.620207]  [<ffffffffa04180b7>] zpl_xattr_set+0x172/0x226 [zfs]
[57470.620261]  [<ffffffffa041824b>] zpl_xattr_user_set+0x70/0x89 [zfs]
[57470.620290]  [<ffffffff811121fa>] generic_setxattr+0x68/0x6a
[57470.620318]  [<ffffffff81112ae3>] __vfs_setxattr_noperm+0x6b/0xd0
[57470.620346]  [<ffffffff81112bc1>] vfs_setxattr+0x79/0x97
[57470.620373]  [<ffffffff81112c97>] setxattr+0xb8/0xd6
[57470.620399]  [<ffffffff81103e38>] ? putname+0x2d/0x36
[57470.620425]  [<ffffffff81104823>] ? user_path_at_empty+0x5e/0x8f
[57470.620454]  [<ffffffff810f0443>] ? kfree+0x56/0xec
[57470.620480]  [<ffffffff81112dbd>] sys_lsetxattr+0x5d/0x82
[57470.620508]  [<ffffffff812c23d2>] system_call_fastpath+0x16/0x1b
[57470.620534] Code: 85 d0 74 4f 48 c1 e8 28 4c 8d b5 10 fe ff ff 45 31 e4 25 ff 00 00 00 31 db 4c 8b ac c7 a0 09 00 00 4c 89 f7 e8 3d fc ff ff 89 d8 
[57470.620748] RIP  [<ffffffffa03a07a2>] ddt_prefetch+0x5a/0x92 [zfs]
[57470.620748] RIP  [<ffffffffa03a07a2>] ddt_prefetch+0x5a/0x92 [zfs]
[57470.620794]  RSP <ffff8805abad99a8>
[57470.620816] CR2: 0000000000000090
[57470.621158] ---[ end trace 013bdb5332844956 ]---

[behlendorf]

Thanks, we'll look in to it. That's a bit odd. Related to SA based xattrs have you observed any other troubles aside from this and issue #503?

[chrisrd]

No, I haven't had any other troubles related to SA based xattrs other than #503.

(On returning from leave I can see my kern.log has a few more of these same NULL pointer in ddt_prefetch messages.)

[behlendorf]

OK, thanks. We'll certainly try and get these two issues nailed down since in the relatively near future we expect to be using SA based xattrs as well here at LLNL. That's after all why I added the original support. :)

[chrisrd]

The whole "Busy hang" problem (#539) may have been related to this NULL pointer problem rather than anything to do with openzfs/spl@ec2b410.

I had a case where a 'getfattr -d' on a particular directory would just hang (on the directory itself rather than on the contents). In trying to use stap to see if it could tell me anything useful I rebooted (due to the stap module unload problem described in #503), and after the reboot the getfattr on that same directory succeeded.

I was then able to 'getfattr -d' on a large list of directories without problems. Some time later, after a number of NULL pointer dereferences, I was getting a getfattr hang on one of the directories that was previously ok.

I suspect the NULL pointer dereference problem then causes later xattr accesses to the same (or some other?) file or directory to hang.

So the "Busy hang" was likely due to rsync and other utilities (e.g. "ls -l" will access xattrs) coming across one of the previously-faulted xattrs.

The scenario for thinking that the hangs were related to openzfs/spl@ec2b410 was because rebooting into the kernel with that commit reverted (and later rebooting into the kernel with the openzfs/spl@3c6ed54 fix) cleared the previously-seen xattr errors.

[chrisrd]

FYI, still getting these (with the same call trace) with linux-3.1.10, openzfs/spl@3c6ed54, b4b599d.

Is there anything I can do to help track this down?

In case it matters... as mentioned, I suspect this issue is the underlying cause for my processes getting "stuck" in zfs operations and becoming unkillable, to the point of requiring a reboot. 'ps' shows the unkillable processes with WCHAN of 'call_rwsem_down_read_failed'.

[behlendorf]

Yes, the #539 issue could have been caused by the NULL deref. Once you've had a NULL dereferences basically all bets are off and you should really reboot your kernel.

As for this bug I haven't looked in to it closely yet but I can probably propose a short term work around. If you set the zfs_dedup_prefetch=0 module option you should be able to avoid this code path. Please give it a try and let me know if you still observe problems.

[chrisrd]

Was running most yesterday with xattr=dir without any NULL derefs. But that could have been coincidence as I've also had previous days without any. Now running with xattr=dir and zfs_dedup_prefetch=0. Let's see how that goes!

[chrisrd]

FYI, got the following possibly related BUGs (i.e. via zfs_sa_set_xattr) on linux-3.0.18, openzfs/spl@3c6ed54, b4b599d.

This was with zfs_dedup_prefetch=0, xattr=sa.

This happened on a fs where I'd forgotten to revert to xattr=dir and we were testing gluster which does a lot of trusted xattr rewriting, as opposed to the previous BUGs which came from being a target of 'rsync -X', i.e. mostly user xattr writing. I think this may explain the different code paths.

I.e. the zfs_dedup_prefetch=0 may not have helped.

On the other hand, the fs where we saw the previous BUGs has been running the rsync target workload trouble free for the last 8 days with zfs_dedup_prefetch=0, xattr=dir.

[462944.374871] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
[462944.374926] IP: [<ffffffffa0377c16>] sa_build_layouts+0x39b/0x70b [zfs]
[462944.375004] PGD 4dde58067 PUD 4f70c9067 PMD 0 
[462944.375037] Oops: 0000 [#1] SMP 
[462944.375066] CPU 8 
[462944.375073] Modules linked in: configfs fuse nfsd exportfs zfs(P) zcommon(P) znvpair(P) zavl(P) zunicode(P) spl zlib_deflate sha256_generic aesni_intel cryptd aes_x86_64 aes_generic cbc dm_crypt dm_mod nfs lockd auth_rpcgss nfs_acl sunrpc bridge stp llc sg sd_mod usbhid hid uhci_hcd mpt2sas scsi_transport_sas raid_class psmouse scsi_mod i2c_i801 i2c_core ioatdma ehci_hcd igb dca button processor thermal_sys
[462944.375361] 
[462944.375383] Pid: 26722, comm: glusterfsd Tainted: P            3.0.18-otn-00020-gb06ea41 #1 Supermicro X8DTH-i/6/iF/6F/X8DTH
[462944.375442] RIP: 0010:[<ffffffffa0377c16>]  [<ffffffffa0377c16>] sa_build_layouts+0x39b/0x70b [zfs]
[462944.375579] RSP: 0018:ffff8805ef8fd988  EFLAGS: 00010206
[462944.375607] RAX: 0000000000000000 RBX: ffff880ae19e0928 RCX: 000000000000000e
[462944.375652] RDX: 0000000000000803 RSI: ffff8805fdee9b60 RDI: ffff880620982480
[462944.375696] RBP: ffff8805ef8fda58 R08: ffff8805cb0a8f00 R09: ffff8805ef8fda08
[462944.375742] R10: 7472632e746f6f52 R11: 2e746f6f525f7365 R12: ffff880bb3618200
[462944.375787] R13: ffff880bb3618300 R14: ffff880620982480 R15: ffff880529088400
[462944.375833] FS:  00007eff375e0700(0000) GS:ffff88063fd00000(0000) knlGS:0000000000000000
[462944.375930] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[462944.375958] CR2: 0000000000000018 CR3: 00000005b1e0b000 CR4: 00000000000006e0
[462944.376003] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[462944.376048] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[462944.376093] Process glusterfsd (pid: 26722, threadinfo ffff8805ef8fc000, task ffff88062757ace0)
[462944.376140] Stack:
[462944.376161]  ffff8805ef8fda20 ffff8805ef8fda18 0000000000000000 0000000000000000
[462944.376216]  2e184cf536f3067f 0000000000000020 00000044000080d0 ffff8804a5c57a00
[462944.376271]  0000000100000010 000000020000002c 62c9ffb4caaba6ef 000000000000000f
[462944.376325] Call Trace:
[462944.376385]  [<ffffffffa0378256>] sa_modify_attrs+0x2d0/0x311 [zfs]
[462944.376450]  [<ffffffffa03785e0>] sa_attr_op+0x2f8/0x320 [zfs]
[462944.376514]  [<ffffffffa0378665>] sa_bulk_update_impl+0x5d/0x8e [zfs]
[462944.376578]  [<ffffffffa037876d>] sa_update+0x41/0x56 [zfs]
[462944.376645]  [<ffffffffa03abb35>] zfs_sa_set_xattr+0xdc/0x10c [zfs]
[462944.376711]  [<ffffffffa03c3433>] zpl_xattr_set+0x172/0x226 [zfs]
[462944.376777]  [<ffffffffa03c3832>] zpl_xattr_trusted_set+0x6c/0x85 [zfs]
[462944.376810]  [<ffffffff811124aa>] generic_setxattr+0x68/0x6a
[462944.376839]  [<ffffffff81112d93>] __vfs_setxattr_noperm+0x6b/0xd0
[462944.376870]  [<ffffffff81112e71>] vfs_setxattr+0x79/0x97
[462944.376898]  [<ffffffff81112f47>] setxattr+0xb8/0xd6
[462944.376927]  [<ffffffff8110402c>] ? putname+0x2d/0x36
[462944.376955]  [<ffffffff81104a17>] ? user_path_at_empty+0x5e/0x8f
[462944.376986]  [<ffffffff8111306d>] sys_lsetxattr+0x5d/0x82
[462944.377016]  [<ffffffff812c2b12>] system_call_fastpath+0x16/0x1b
[462944.377045] Code: c1 e8 0a 33 45 ac c1 e0 0a 31 d0 66 41 89 44 24 04 48 8b 55 b0 8b 52 30 31 c2 66 81 e2 ff 03 31 c2 66 41 89 54 24 04 48 8b 43 28 <4c> 8b 60 18 41 c7 04 24 5a 50 2f 00 48 8b 85 48 ff ff ff 48 8b 
[462944.377273] RIP  [<ffffffffa0377c16>] sa_build_layouts+0x39b/0x70b [zfs]
[462944.377341]  RSP <ffff8805ef8fd988>
[462944.377365] CR2: 0000000000000018
[462944.377722] ---[ end trace c68c9b00f66de06e ]---

And again, soon after rebooting:

[ 2651.828448] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
[ 2651.828500] IP: [<ffffffffa0370c16>] sa_build_layouts+0x39b/0x70b [zfs]
[ 2651.828563] PGD 627198067 PUD 6211aa067 PMD 0 
[ 2651.828595] Oops: 0000 [#1] SMP 
[ 2651.828622] CPU 0 
[ 2651.828628] Modules linked in: configfs fuse nfsd exportfs zfs(P) zcommon(P) znvpair(P) zavl(P) zunicode(P) spl zlib_deflate sha256_generic aesni_intel cryptd aes_x86_64 aes_generic cbc dm_crypt dm_mod nfs lockd auth_rpcgss nfs_acl sunrpc bridge stp llc sg sd_mod usbhid hid uhci_hcd mpt2sas psmouse scsi_transport_sas raid_class scsi_mod i2c_i801 i2c_core ioatdma ehci_hcd igb dca button processor thermal_sys
[ 2651.828898] 
[ 2651.828918] Pid: 9549, comm: glusterfsd Tainted: P            3.0.18-otn-00020-gb06ea41 #1 Supermicro X8DTH-i/6/iF/6F/X8DTH
[ 2651.828975] RIP: 0010:[<ffffffffa0370c16>]  [<ffffffffa0370c16>] sa_build_layouts+0x39b/0x70b [zfs]
[ 2651.829048] RSP: 0018:ffff8806084a3988  EFLAGS: 00010206
[ 2651.829074] RAX: 0000000000000000 RBX: ffff88060f085388 RCX: 000000000000000e
[ 2651.829103] RDX: 0000000000000803 RSI: ffff880623941940 RDI: ffff880600972cc0
[ 2651.829133] RBP: ffff8806084a3a58 R08: ffff8806125b6a80 R09: ffff8806084a3a08
[ 2651.829162] R10: 7472632e746f6f52 R11: 2e746f6f525f7365 R12: ffff8806084f2600
[ 2651.829191] R13: ffff8806084f2700 R14: ffff880600972cc0 R15: ffff880615abf400
[ 2651.829221] FS:  00007fac220c7700(0000) GS:ffff88063fc00000(0000) knlGS:0000000000000000
[ 2651.829266] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2651.829293] CR2: 0000000000000018 CR3: 00000005ff27f000 CR4: 00000000000006f0
[ 2651.829322] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2651.829352] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 2651.829381] Process glusterfsd (pid: 9549, threadinfo ffff8806084a2000, task ffff880621702ce0)
[ 2651.829427] Stack:
[ 2651.829446]  ffff8806084a3a20 ffff8806084a3a18 0000000000000000 0000000000000000
[ 2651.829498]  2e184cf536f3067f 0000000000000020 000000440002c1dc ffff88060a181d20
[ 2651.829550]  0000000100000010 000000020000002c 62c9ffb4caaba6ef 000000000000000f
[ 2651.829601] Call Trace:
[ 2651.829647]  [<ffffffffa0371256>] sa_modify_attrs+0x2d0/0x311 [zfs]
[ 2651.829699]  [<ffffffffa03715e0>] sa_attr_op+0x2f8/0x320 [zfs]
[ 2651.829750]  [<ffffffffa0371665>] sa_bulk_update_impl+0x5d/0x8e [zfs]
[ 2651.829802]  [<ffffffffa037176d>] sa_update+0x41/0x56 [zfs]
[ 2651.829855]  [<ffffffffa03a4b35>] zfs_sa_set_xattr+0xdc/0x10c [zfs]
[ 2651.829907]  [<ffffffffa03bc433>] zpl_xattr_set+0x172/0x226 [zfs]
[ 2651.829959]  [<ffffffffa03bc832>] zpl_xattr_trusted_set+0x6c/0x85 [zfs]
[ 2651.829990]  [<ffffffff811124aa>] generic_setxattr+0x68/0x6a
[ 2651.830018]  [<ffffffff81112d93>] __vfs_setxattr_noperm+0x6b/0xd0
[ 2651.830046]  [<ffffffff81112e71>] vfs_setxattr+0x79/0x97
[ 2651.830073]  [<ffffffff81112f47>] setxattr+0xb8/0xd6
[ 2651.830100]  [<ffffffff8110402c>] ? putname+0x2d/0x36
[ 2651.830126]  [<ffffffff81104a17>] ? user_path_at_empty+0x5e/0x8f
[ 2651.830155]  [<ffffffff8111306d>] sys_lsetxattr+0x5d/0x82
[ 2651.830183]  [<ffffffff812c2b12>] system_call_fastpath+0x16/0x1b
[ 2651.830210] Code: c1 e8 0a 33 45 ac c1 e0 0a 31 d0 66 41 89 44 24 04 48 8b 55 b0 8b 52 30 31 c2 66 81 e2 ff 03 31 c2 66 41 89 54 24 04 48 8b 43 28 <4c> 8b 60 18 41 c7 04 24 5a 50 2f 00 48 8b 85 48 ff ff ff 48 8b 
[ 2651.830419] RIP  [<ffffffffa0370c16>] sa_build_layouts+0x39b/0x70b [zfs]
[ 2651.830473]  RSP <ffff8806084a3988>
[ 2651.830496] CR2: 0000000000000018
[ 2651.830890] ---[ end trace 57211a6f56ea1676 ]---

[behlendorf]

Closing issue the SA_HDL_PRIVATE change should have addressed this. Please file a new issue if this is observed again.