Whamcloud Community JIRA https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 [LU-5400] inode structure corruption leading to OSS crash https://jira.whamcloud.com/browse/LU-5400 Lustre <p>One of our customer had kernel Null pointer dereference in __iget.<br/> The backtrace is as follows:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>PID: 29825 TASK: ffff88044c49e7b0 CPU: 3 COMMAND: "ll_ost_583" [...] [exception RIP: __iget+45] RIP: ffffffff81180cfd RSP: ffff88044c517ac0 RFLAGS: 00010246 RAX: ffff880040aa5550 RBX: ffff880040aa5540 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff88040c7bd3a9 RDI: ffff880040aa5540 RBP: ffff88044c517ac0 R8: 00000000fffffff3 R9: 00000000fffffff6 R10: 0000000000000008 R11: 0000000000000096 R12: ffff8800b59f0a80 R13: ffff88040c7bd300 R14: ffff8804243b22f8 R15: 000000000000000b ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #9 [ffff88044c517ac8] igrab at ffffffff81180fd8 #10 [ffff88044c517ae8] filter_lvbo_init at ffffffffa0bdc795 [obdfilter] #11 [ffff88044c517b18] ldlm_resource_get at ffffffffa07c33a4 [ptlrpc] #12 [ffff88044c517b88] ldlm_lock_create at ffffffffa07bcb85 [ptlrpc] #13 [ffff88044c517bd8] ldlm_handle_enqueue0 at ffffffffa07e40a4 [ptlrpc] #14 [ffff88044c517c48] ldlm_handle_enqueue at ffffffffa07e4ef6 [ptlrpc] #15 [ffff88044c517c88] ost_handle at ffffffffa0964e83 [ost] #16 [ffff88044c517da8] ptlrpc_main at ffffffffa08134e6 [ptlrpc] #17 [ffff88044c517f48] kernel_thread at ffffffff8100412a </pre> </div></div> <p>The crash occurs here:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>crash&gt; dis __iget 0xffffffff81180cd0 &lt;__iget&gt;: push %rbp 0xffffffff81180cd1 &lt;__iget+1&gt;: mov %rsp,%rbp 0xffffffff81180cd4 &lt;__iget+4&gt;: nopl 0x0(%rax,%rax,1) 0xffffffff81180cd9 &lt;__iget+9&gt;: mov 0x48(%rdi),%eax 0xffffffff81180cdc &lt;__iget+12&gt;: test %eax,%eax 0xffffffff81180cde &lt;__iget+14&gt;: jne 0xffffffff81180d30 &lt;__iget+96&gt; 0xffffffff81180ce0 &lt;__iget+16&gt;: lock incl 0x48(%rdi) 0xffffffff81180ce4 &lt;__iget+20&gt;: testq $0x107,0x218(%rdi) 0xffffffff81180cef &lt;__iget+31&gt;: jne 0xffffffff81180d22 &lt;__iget+82&gt; 0xffffffff81180cf1 &lt;__iget+33&gt;: mov 0x18(%rdi),%rdx 0xffffffff81180cf5 &lt;__iget+37&gt;: mov 0x10(%rdi),%rcx 0xffffffff81180cf9 &lt;__iget+41&gt;: lea 0x10(%rdi),%rax 0xffffffff81180cfd &lt;__iget+45&gt;: mov %rdx,0x8(%rcx) &lt;=== HERE </pre> </div></div> <p>which corresponds to :</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre> if (!(inode-&gt;i_state &amp; (I_DIRTY|I_SYNC))) list_move(&amp;inode-&gt;i_list, &amp;inode_in_use); </pre> </div></div> <p>The %rcx is supposed to hold &amp;inode-&gt;i_list, but is NULL.<br/> Looking at the inode structure, all first fields contain zeros:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>struct inode { i_hash = { next = 0x0, pprev = 0x0 }, i_list = { next = 0x0, prev = 0x0 }, i_sb_list = { next = 0x0, prev = 0x0 }, i_dentry = { next = 0x0, prev = 0x0 }, i_ino = 0, i_count = { counter = 1 }, i_nlink = 0, .... </pre> </div></div> <p>Looking at the dentry structure from which the inode address comes from, it looks to be ok:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>crash&gt; struct dentry ffff88040c7bd300 struct dentry { d_count = { counter = 1 }, d_flags = 8, d_lock = { raw_lock = { slock = 2555943 } }, d_mounted = -559087616, d_inode = 0xffff880040aa5540, d_hash = { next = 0xffff88039a004f18, pprev = 0xffff8803b4f8c558 }, d_parent = 0xffff8804235ea9c0, d_name = { hash = 72921089, len = 9, name = 0xffff88040c7bd3a0 "120408088" }, d_lru = { next = 0xffff88040c7bd400, prev = 0xffff88040c7bd280 }, d_u = { d_child = { next = 0xffff88040c31dc10, prev = 0xffff88054d37b950 }, d_rcu = { next = 0xffff88040c31dc10, func = 0xffff88054d37b950 } }, d_subdirs = { next = 0xffff88040c7bd360, prev = 0xffff88040c7bd360 }, d_alias = { next = 0xffff880040aa5570, prev = 0xffff880040aa5570 }, d_time = 0, d_op = 0x0, d_sb = 0xffff880bc74dd400, d_fsdata = 0x0, d_iname = "120408088\000\000\000\000\000\000\000\000\000\b\000\000\000\000\000\000\000\000\000\000\000\000" } </pre> </div></div> <p>and is consistent with its parent directory:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>crash&gt; struct dentry.d_name ffff8804235ea9c0 d_name = { hash = 2243934, len = 3, name = 0xffff8804235eaa60 "d24" } </pre> </div></div> <p>Can you find how this corruption happened ?</p> Bull environment LU-5400 inode structure corruption leading to OSS crash Bug Major Resolved Cannot Reproduce Bruno Faccini Sebastien Piechurski Wed, 23 Jul 2014 22:55:06 +0000 Wed, 7 Jun 2017 12:00:52 +0000 Wed, 7 Jun 2017 12:00:52 +0000 Lustre 2.1.6 0 4 <p>Hello Seb,<br/> I think you meant that "%rcx is supposed to hold inode-&gt;i_list.next", right ?</p> <p>You say the beginning of Inode at address 0xffff880040aa5540 has been zeroed, but what about later fields do they look ok? I already see that i_count's value is 1 !</p> <p>Also, can you check memory content just before this inode structure and to which slab kmem_cache it belongs to?</p> <p>Hi Bruno <img class="emoticon" src="https://jira.whamcloud.com/images/icons/emoticons/smile.png" height="16" width="16" align="absmiddle" alt="" border="0"/></p> <p>I was meaning %rcx == inode-&gt;i_list, not &amp;inode-&gt;i_list, with the crash occurring when trying to access i_list.prev in the inlined call to list_move.</p> <p>I looked the 400 bytes preceding the inode address, and everything is set to zeros.<br/> The i_count value was incremented just a few instructions before the crash, which is why it is the only value != 0.<br/> However, not all fields in the inode struct are zeros, only the beginning, but all others are not consistent. <br/> I attach the complete inode struct dump as well as the hex dump.<br/> You will notice in the hex dump, that there seems to be an incrementing pattern every 32 bytes like:</p> <p>ffff880040aa6220: 00 <b>300011</b> 00300001 00000be300300221 <br/> ffff880040aa6230: 0000000000040252 65a7000000000000 <br/> ffff880040aa6240: 00 <b>300012</b> 00300002 0000092b00300422 <br/> ffff880040aa6250: 00000000000401ec 921e000000000000 <br/> ffff880040aa6260: 00 <b>300013</b> 00300003 00000f1800300623 </p> <p>Finally, it looks like we have a ldiskfs_inode slab corruption:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>crash&gt; kmem -s ffff880040aa5540 kmem: ldiskfs_inode_cache: partial list: slab: ffff880040aa72c0 bad next pointer: 0 kmem: ldiskfs_inode_cache: partial list: slab: ffff880040aa72c0 bad prev pointer: 0 kmem: ldiskfs_inode_cache: partial list: slab: ffff880040aa72c0 bad inuse counter: 0 kmem: ldiskfs_inode_cache: partial list: slab: ffff880040aa72c0 bad s_mem pointer: 0 kmem: ldiskfs_inode_cache: partial list: slab: ffff880040aa5000 bad next pointer: 0 kmem: ldiskfs_inode_cache: partial list: slab: ffff880040aa5000 bad s_mem pointer: 0 kmem: ldiskfs_inode_cache: full list: slab: ffff880040aa5000 bad next pointer: 0 kmem: ldiskfs_inode_cache: full list: slab: ffff880040aa5000 bad s_mem pointer: 0 kmem: ldiskfs_inode_cache: free list: slab: ffff880040aa5000 bad next pointer: 0 kmem: ldiskfs_inode_cache: free list: slab: ffff880040aa5000 bad s_mem pointer: 0 kmem: ldiskfs_inode_cache: partial list: slab: ffff880040aa5000 bad next pointer: 0 kmem: ldiskfs_inode_cache: partial list: slab: ffff880040aa5000 bad s_mem pointer: 0 kmem: ldiskfs_inode_cache: full list: slab: ffff880040aa5000 bad next pointer: 0 kmem: ldiskfs_inode_cache: full list: slab: ffff880040aa5000 bad s_mem pointer: 0 kmem: ldiskfs_inode_cache: free list: slab: ffff880040aa5000 bad next pointer: 0 kmem: ldiskfs_inode_cache: free list: slab: ffff880040aa5000 bad s_mem pointer: 0 kmem: ldiskfs_inode_cache: address not found in cache: ffff880040aa5540 </pre> </div></div> <p>To be linked to <a href="https://jira.whamcloud.com/browse/LU-5284" title="GPF in radix_tree_lookup_slot on OSS" class="issue-link" data-issue-key="LU-5284"><del>LU-5284</del></a> ? The crash comes from the same customer ...</p> <p>Humm, I am late on <a href="https://jira.whamcloud.com/browse/LU-5284" title="GPF in radix_tree_lookup_slot on OSS" class="issue-link" data-issue-key="LU-5284"><del>LU-5284</del></a> crash-dump analysis, but this can be suspected sure!<br/> Let me check further and I will get back with some more ideas ...</p> <p>After some work on crash-dump for <a href="https://jira.whamcloud.com/browse/LU-5284" title="GPF in radix_tree_lookup_slot on OSS" class="issue-link" data-issue-key="LU-5284"><del>LU-5284</del></a>, I can already confirm that the corruption looks really similar (serie of 4 quad-words with similarities/increments).</p> <p>Humm and the corruption address range is very close too !! Could this be the same node that failed both time ??</p> <p>No the occurrence here and in <a href="https://jira.whamcloud.com/browse/LU-5284" title="GPF in radix_tree_lookup_slot on OSS" class="issue-link" data-issue-key="LU-5284"><del>LU-5284</del></a> are not on the same node, even though on the same site.</p> <p>Humm this is very strange, I know it is not an easy question/answer, but is there something specific (HW/SW configs, work-load, ...) for these 2 nodes vs others ??</p> <p>Did you encounter new crashes ?</p> <p>Same thing. Old ticket and problem disappeared ...</p> <p>Please close.</p> <p>Thanks!</p> Development End date Wed, 17 Sep 2014 22:55:06 +0000 Rank 1|hzws4v: Rank (Obsolete) 15033 Severity Start date Wed, 23 Jul 2014 22:55:06 +0000