Here are the messages:
http://eu.ddn.com:8080/lustre/DDN-SR19805-r7i1n8.messages.gz

Before the crash there appears to be a network problem:
Mar 11 13:39:47 r7i1n8 kernel: LustreError: 3229:0:(o2iblnd_cb.c:2914:kiblnd_check_txs()) Timed out tx: tx_queue, 3 seconds
Mar 11 13:39:47 r7i1n8 kernel: LustreError: 3229:0:(o2iblnd_cb.c:2977:kiblnd_check_conns()) Timed out RDMA with 10.175.31.242@o2ib4 (65)

Here is the vmcore:
http://eu.ddn.com:8080/lustre/DDN-SR19805-r7i1n8.dump.tar.gz

Let me know if there is any more information I can provide.

is this from our rpms or did you build it yourself? If you built it, we also need kernel-debuginfo rpm and lustre-modules rpm to make the crashdump useful.

Also the assertion is the same as old bugzilla 14238 that we landed a patch for quite a while ago (patch by Isaac http://git.whamcloud.com/gitweb?p=fs/lustre-dev.git;a=commitdiff;h=85f59695534ddd167fa491c091ed64b1504cdaf7 )

I'm seeing two things:

1- The log "Timed out RDMA.." is indicating that we have not seen any activity from 10.175.31.242@o2ib4 for 65 seconds. As such, we are giving up on it and closing the connection.

2- There is only one assert in lnet_match_md() and that is when we see something unexpected with our MD queue. I am assuming this has happened as a result of the closed connection. But, that is no reason to assert (if something can feasibly happen, we should not be asserting).

I checked the latest code tree and there seems to be some changes to how locks work in this area of code. It may be possible there is a race condition here.

I need to check with a couple of other devs more familiar with this area of code to get their opinion.

first, the assertion is reasonable at here, no matter what happened, @me has to equal to @me->me_md->md_me unless me->me_md is NULL, that's the way we implement this. Because locking changes are only on 2.3 or later, and this bug is on 1.8.8, so at least it's not a new race condition, and unfortunately I didn't see any race even when I make those lock changes.
I believe the first time we saw this is bz11130, and there is no fix for it...
let's see what Isaac will comment for this, and my suggestion is to change LASSERT to LASSERTF and try to see if "me", "me->me_md", "me->me_md->md_me" are not polluted by something else.

Liang, there's a crashdump available, so we can check all the values there.

Hi Oleg,

We built them ourselves. Here's the kernel-debug:
http://vault.centos.org/6.3/updates/x86_64/Packages/kernel-debug-2.6.32-279.5.2.el6.x86_64.rpm

Here's the lustre-modules:
http://eu.ddn.com:8080/lustre/lustre-client-modules-1.8.8-wc1_2.6.32_279.5.2.el6.x86_64_gbc88c4c.x86_64.rpm

We haven't been able to find the lustre-modules debuginfo yet..is that also needed? If so, could we potentially try to rebuild identical modules in order to regenerate the debug info?

Thanks,
Kit

Thanks.
So the clients run unmodified kernel and we can just grab the debuginfo for it from centos?

As far as lustre debug info goes, we don't really strip debug symbols in 1.8 (and in 2.x prior to 2.4), so just lustre modules rpm is enough, debug module symbols are embedded in the modules themselves.

I believe it's a bug in the generic LNet layer, i.e. under lnet/lnet. It has happened over different LNDs in the past, and shouldn't be LND specific. My patch in Bug 14238 wasn't a real fix - it just closed a couple of cases where corruption or dangling pointer could happen. The root cause wasn't found out, due to lack of debug information. But this time we have a good dump.

Oleg, yes, it is an unmodified kernel.

FWIW, we are also seeing this at another customer site, but only their RHEL6 frontends are affected. In that case appears to be coincident with OOM errors, so maybe it's related to memory pressure?

Thanks

I was wondering how the analysis was going. Is there anything we can do to help?

Hi Kit,

The kernel-debug-2.6.32-279.5.2.el6.x86_64.rpm you pointed to was a kernel with all sorts of run-time debugging options enabled. Usually it's not used in production system. Also, when I used the vmlinux from the corresponding debuginfo RPM, crash wouldn't even start. Then I tried to use the debuginfo RPM for normal (i.e. without debugging options) kernel of the same verion, crash would start with a warning on kernel version inconsistency between vmlinux and dumpfile. Can you please verify the client kernel version and point me to where the vmlinux is?

With vmlinux from kernel-debuginfo-2.6.32-279.5.2.el6.x86_64.rpm, I got a panic that's different from the one reported. Instead of "(lib-move.c:184:lnet_match_md()) ASSERTION(me == md->md_me) failed" in process kiblnd_sd_04, I got:
(events.c:418:ptlrpc_master_callback()) ASSERTION(callback == request_out_callback || callback == reply_in_callback || callback == client_bulk_callback || callback == request_in_callback || callback == reply_out_callback || callback == server_bulk_callback) failed
in kiblnd_sd_01.

Hi Isaac,

It looks like the RHEL and Centos kernel RPMs are slightly different, and they were running the RHEL one. I am getting the RHEL debuginfo currently and will update the ticket when I get it uploaded. If you happen to have an RHN account, that should work too.

Here are the kerneldebug rpms:
http://eu.ddn.com:8080/lustre/kernel-debuginfo-2.6.32-279.19.1.el6.x86_64.rpm
http://eu.ddn.com:8080/lustre/kernel-debuginfo-common-x86_64-2.6.32-279.19.1.el6.x86_64.rpm

Thanks,
Kit

Strange, with the RHEL debuginfo, I got the same version warning and then crash failed with other errors. I'll continue to debug with the CentOS debuginfo which seemed to work despite the version warning. Also, it seemed that the original report was based on another crash dump, because both the DATE and UPTIME in the dump differed. It'd give me more data if that dump is also available. Although this dump had a different failure, it's similar in many ways.

Oh doh, I uploaded the wrong debuginfo, 279.19.1 vs 279.5.2. I am uploading the correct one now and will send you the link.

correct kerneldebug rpms:
http://eu.ddn.com:8080/lustre/kernel-debuginfo-2.6.32-279.5.2.el6.x86_64.rpm
http://eu.ddn.com:8080/lustre/kernel-debuginfo-common-x86_64-2.6.32-279.5.2.el6.x86_64.rpm

Thanks - this one worked perfectly, no warning at all.

I've been digging through the crash dump, and it appeared that the kernel slab allocation states got corrupted somehow.

The assertion failure on callback pointer in ptlrpc_master_callback() was an indication of memory corruption because the 'callback' pointer from the MD object was NEVER changed by the code after initialization. It looked almost impossible to be a result of racing code - no code changes that 'callback' pointer at all. Use-after-free can also be ruled out because: the MD object is bigger than a page, and crash dump contained only the initial part of the object, because the rest of the object resided in a free page that was not included in the partial dump - if it were use-after-free, both pages should have been excluded from the dump. Moreover, the initial part of the MD object contained correct reference counter. So I was led to believe that the SLAB allocation states got screwed up and a same chunk of memory was returned to multiple callers, and thus the 'callback' pointer got messed up by someone else unknowingly.

In the past, we've seen similar bugs where the root cause was never found out, and the solution was to disable some experimental Lustre feature that looked suspicious. In fact, the culprit might not be Lustre at all - any kernel code is technically capable of such screw-ups. My suggestion is to:
1. Kit, would it be possible to run the kernel-debug RPM (and corresponding Lustre modules which might need to be rebuilt) on a couple of clients where the error has been observed? The kernel-debug kernel should have enabled many SLAB and VM debugging options, and I think that'd catch any SLAB/VM issues much earlier and would move us closer to the root cause.

2. Doug, I think it'd make sense to have some Lustre folk to double check the errors from file system level. I was glancing over the code, and some didn't look good, e.g.:
ll_file_join():
2696 tail = igrab(tail_filp->f_dentry->d_inode);

igrab() can return NULL yet the code didn't check that. Maybe ll_file_join() wasn't even compiled, it was just something that raised my eyebrows.

Hi Isaac,

Thanks for the analysis. I will try to get the debug kernel installed, but it might take a little bit of time. Would the full vmcore be of any use? Also this seems to appear fairly consistently with RHEL6 clients. Do you think it would be possible to look at differences in the kernel functions that the Lustre client calls? Perhaps there are too many, but if at all possible, it would be good to keep looking for the cause.

Isaac: ll_file_join is (was) a known problematic area that was removed in later versions.
It's not used by anybody anyway.

Hi Kit, a vmcore with free pages included would be a bit more helpful. Also it doesn't require kdump to go through data structures tracking free pages, so in case that those structures also get corrupted kdump would still be able to create the dump - kdump may hang if asked to exclude free pages but those data structures got corrupted. At this point, I think kernel-bug is the best way to go - we'd be extremely lucky to be able to find something useful by going through that much code almost blindly, like trying to walk out of a dark rain forest with little guide. The callback pointer corruption was a good indication that somebody else stepped on our toes because our code doesn't change it at all and I've already double checked all pointer arithmetic code in lnet to make sure that it was not ourselves that shot our own feet.

Oleg, thanks the comment on file join. I saw errors like ...:
LustreError: 12905:0:(file.c:3331:ll_inode_revalidate_fini()) failure -2 inode 406847678

... before the assertion happened. Does it ring any alarm to you?

Isaac, this error is a somewhat usual race.
Wht it means is the client believes a particular name is valid, yet when it tries to get inode attributes, the file is already gone. Could happen frequently in rm vs find/ls workloads.

Isaac,

I've gotten a lot more stack traces from 1.8.9 clients. Some of them are only in the IB functions, not Lustre related, which I find interesting. Are you aware of any memory corruption bugs in the RHEL6 line of RDMA modules? I spent some time looking, but couldn't find anything definitive. There is:

BZ#873949
Previously, the IP over Infiniband (IPoIB) driver maintained state information about neighbors on the network by attaching it to the core network's neighbor structure. However, due to a race condition between the freeing of the core network neighbor struct and the freeing of the IPoIB network struct, a use after free condition could happen, resulting in either a kernel oops or 4 or 8 bytes of kernel memory being zeroed when it was not supposed to be. These patches decouple the IPoIB neighbor struct from the core networking stack's neighbor struct so that there is no race between the freeing of one and the freeing of the other.

There is also a crash in Lustre code that doesn't seem to be related to IB:
IP: [<ffffffffa0761569>] lov_change_cbdata+0xd9/0x780 [lov]
which translates to this line:
2247 rc = obd_change_cbdata(lov->lov_tgts[loi->loi_ost_idx]->ltd_exp,
2248 &submd, it, data);

So it's very confusing. Here are all the stack traces if you would like to take a look at them:
ftp://shell.sgi.com/collect/NOAADDN

Our next step I think is to put the debug kernel on some of the clients and see what happens. It's been impossible to find any pattern to what triggers the crashes, so it will be only by random chance that we reproduce it. Let me know if you see anything in the stack traces, or if you would like to see a vmcore.

Do you know if there are already any prebuilt client RPMs against the kernel-debug RPM that we could use?

Thanks.

Hi, I've looked at the crashes and they all appeared like memory corruptions: bad pointer dereferences, inconsistent data structures caught by assertions, and even a BUG in mm/slab.c. They seemed to have been triggered by memory pressures and increased chances of racing through the 24 CPUs.

The crashes in IB had nothing to do with Lustre - the o2iblnd never uses the IB functions involved in the crashes. In the past, there had a been a few memory corruption issues fixed in OFED like the one you pointed out. But so far no clue has pointed at OFED yet - anything in the kernel space could have been the culprit. I still believe that kernel-debug would shed some light and move us closer to the root cause. Unfortunately we don't build RPMs for kernel-debug.

Another option would be to upgrade some clients to RHEL 6.4 which included the fix of the IB memory corruption you mentioned, but that's likely more work than trying kernel-debug of 6.3.

Per Isaac's comments, this appears to be some form of memory corruption, possibly related to the IB code in the RHEL kernel.