[LU-14024] ofd_inconsistency_verification_main use after free on shutdown. Created: 12/Oct/20  Updated: 04/Mar/21  Resolved: 03/Dec/20

Status: Resolved
Project: Lustre
Component/s: None
Affects Version/s: None
Fix Version/s: Lustre 2.14.0, Lustre 2.12.7

Type: Bug Priority: Minor
Reporter: Oleg Drokin Assignee: Oleg Drokin
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Related
is related to LU-12564 ptlrpcd daemon sleeps while holding i... Resolved
Severity: 3
Rank (Obsolete): 9223372036854775807

 Description   

It seems LU-12564 patch is exposing a weakness in ofd_inconsistency_verification_main:

        thread_set_flags(thread, SVC_STOPPED);
        wake_up_all(&thread->t_ctl_waitq);
        spin_unlock(&ofd->ofd_inconsistency_lock);
        lu_env_fini(&env);

the spi-unlock then proceeds to crash on unmapped memory:

[405815.935072] BUG: unable to handle kernel paging request at ffff8802d78127f4
[405815.937427] IP: [<ffffffff8140a0e5>] do_raw_spin_unlock+0x5/0x90
[405815.953412] PGD 241c067 PUD 33e9f9067 PMD 33e93c067 PTE 80000002d7812063
[405815.955679] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
[405815.957829] Modules linked in: lustre(OE) ofd(OE) osp(OE) lod(OE) ost(OE) mdt(OE) mdd(OE) mgs(OE) osd_ldiskfs(OE) ldiskfs(OE) lquota(OE) lfsck(OE) obdecho(OE) mgc(OE) mdc(OE) lov(OE) osc(OE) lmv(OE) fid(OE) fld(OE) ptlrpc_gss(OE) ptlrpc(OE) obdclass(OE) ksocklnd(OE) lnet(OE) libcfs(OE) dm_flakey dm_mod pcc_cpufreq loop zfs(PO) zunicode(PO) zavl(PO) icp(PO) zcommon(PO) znvpair(PO) spl(O) jbd2 mbcache crc_t10dif crct10dif_generic sb_edac edac_core iosf_mbi crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd i2c_piix4 virtio_console virtio_balloon pcspkr ip_tables rpcsec_gss_krb5 ata_generic pata_acpi drm_kms_helper ttm drm ata_piix crct10dif_pclmul drm_panel_orientation_quirks crct10dif_common virtio_blk crc32c_intel libata serio_raw i2c_core floppy [last unloaded: libcfs]
[405816.028386] 
[405816.030183] CPU: 4 PID: 4908 Comm: inconsistency_v Kdump: loaded Tainted: P           OE  ------------   3.10.0-7.7-debug #1
[405816.048472] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[405816.050687] task: ffff8802dc486d00 ti: ffff8802ca4f8000 task.ti: ffff8802ca4f8000
[405816.139729] RIP: 0010:[<ffffffff8140a0e5>]  [<ffffffff8140a0e5>] do_raw_spin_unlock+0x5/0x90
[405816.154191] RSP: 0018:ffff8802ca4fbd60  EFLAGS: 00010292
[405816.156260] RAX: 0000000000000000 RBX: ffff8802d78127e0 RCX: dead000000000200
[405816.166949] RDX: 0000000000000004 RSI: 0000000000000286 RDI: ffff8802d78127f0
[405816.171118] RBP: ffff8802ca4fbd68 R08: ffff8800ab47bb48 R09: ffffffff8221eb80
[405816.175495] R10: 0000000000000000 R11: 0000000000000400 R12: ffff8802d7812000
[405816.195126] R13: ffff8802d78127f0 R14: ffff8802dc486d00 R15: ffff88032514b680
[405816.204188] FS:  0000000000000000(0000) GS:ffff88033db00000(0000) knlGS:0000000000000000
[405816.209047] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[405816.218345] CR2: ffff8802d78127f4 CR3: 0000000001c10000 CR4: 00000000001607e0
[405816.234013] Call Trace:
[405816.236025]  [<ffffffff817d662e>] _raw_spin_unlock+0xe/0x20
[405816.252333]  [<ffffffffa0fd5472>] ofd_inconsistency_verification_main+0xd52/0xde0 [ofd]
[405816.259324]  [<ffffffff8140a129>] ? do_raw_spin_unlock+0x49/0x90
[405816.261588]  [<ffffffff810b93f0>] ? wake_up_atomic_t+0x30/0x30
[405816.263625]  [<ffffffffa0fd4720>] ? ofd_cb_soft_sync+0x240/0x240 [ofd]
[405816.265897]  [<ffffffff810b8254>] kthread+0xe4/0xf0
[405816.268022]  [<ffffffff810b8170>] ? kthread_create_on_node+0x140/0x140
[405816.270246]  [<ffffffff817e0ddd>] ret_from_fork_nospec_begin+0x7/0x21
[405816.272514]  [<ffffffff810b8170>] ? kthread_create_on_node+0x140/0x140

I am not 100% sure how it unfolds but at the time of crash two other CPUs are running vfree from delayed work

It almost sounds like the parallel ofd_fini thread does the vfree that's kicked out to the delayed work that has a better chance to run than both the ofd_fini and the inconsistency threads for some reason.

It seems we really should do that unlock before the wake up call though.

 Comments   
Comment by Peter Jones [ 12/Oct/20 ]

IIUC the LU-12564 patch has not landed on any branch yet. Should it have a -1 until this issue has been worked out?

Comment by Oleg Drokin [ 12/Oct/20 ]

the race seems to be very narrow and only hits when you try to stop a server side. Still I guess I'll try to contain it before landing LU-12564 to master.

Comment by Gerrit Updater [ 12/Oct/20 ]

Oleg Drokin (green@whamcloud.com) uploaded a new patch: https://review.whamcloud.com/40222
Subject: LU-14024 ofd: Avoid use after free in ofd_inconsistency_verification_main
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: fa95b61f9227b6bde692cfdd59541bf1c5fafbe7

Comment by Gerrit Updater [ 03/Dec/20 ]

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/40222/
Subject: LU-14024 ofd: Avoid use after free in ofd_inconsistency_verification_main
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 1123bbd3fc4d5abeb111ddc6bd762d1fb2c1ce82

Comment by Peter Jones [ 03/Dec/20 ]

Landed for 2.14

Comment by Gerrit Updater [ 06/Dec/20 ]

Oleg Drokin (green@whamcloud.com) uploaded a new patch: https://review.whamcloud.com/40881
Subject: LU-14024 ofd: Avoid use after free in ofd_inconsistency_verification_main
Project: fs/lustre-release
Branch: b2_12
Current Patch Set: 1
Commit: 678cd818a1892de0df59dc1ece741a7fc27b5ab8

Comment by Gerrit Updater [ 04/Mar/21 ]

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/40881/
Subject: LU-14024 ofd: Avoid use after free in ofd_inconsistency_verification_main
Project: fs/lustre-release
Branch: b2_12
Current Patch Set:
Commit: b1e0ba8cfc5fd1aa000841b55420e89a96d9f6bc

Generated at Sat Feb 10 03:06:11 UTC 2024 using Jira 9.4.14#940014-sha1:734e6822bbf0d45eff9af51f82432957f73aa32c.