https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 https://jira.whamcloud.com/browse/LU-5678 Lustre <p> After OSTs were umounted, when running lustre_rmmod, two OSSs crashed with same reason.</p> <p>&lt;4&gt;Lustre: Failing over lustre-OST0019<br/> &lt;4&gt;Lustre: Skipped 2 previous similar messages<br/> &lt;4&gt;Lustre: server umount lustre-OST0019 complete<br/> &lt;4&gt;Lustre: Skipped 2 previous similar messages<br/> &lt;4&gt;Lustre: 28870:0:(client.c:1907:ptlrpc_expire_one_request()) @@@ Request sent has timed out for slow reply: <span class="error">&#91;sent 1404434289/real 1404434289&#93;</span> req@ffff881ff8a42c00 x1472650587225264/t0(0) o251-&gt;MGC10.0.10.151@o2ib@10.0.10.151@o2ib:26/25 lens 224/224 e 0 to 1 dl 1404434295 ref 2 fl Rpc:XN/0/ffffffff rc 0/-1<br/> &lt;4&gt;Lustre: server umount lustre-OST0014 complete<br/> &lt;4&gt;Lustre: Skipped 4 previous similar messages<br/> &lt;3&gt;LNetError: 32984:0:(lib-move.c:1937:lnet_parse()) 10.0.8.230@o2ib, src 10.0.8.230@o2ib: Dropping PUT (error -108 looking up sender)<br/> &lt;1&gt;BUG: unable to handle kernel NULL pointer dereference at 0000000000000010<br/> &lt;1&gt;IP: <span class="error">&#91;&lt;ffffffffa09e2409&gt;&#93;</span> kiblnd_pool_alloc_node+0x49/0x2a0 <span class="error">&#91;ko2iblnd&#93;</span><br/> &lt;4&gt;PGD 0 <br/> &lt;4&gt;Oops: 0000 <a href="#1" target="_blank" rel="noopener">1</a> SMP <br/> &lt;4&gt;last sysfs file: /sys/devices/pci0000:40/0000:40:03.0/0000:42:00.0/host7/target7:0:0/7:0:0:66/state<br/> &lt;4&gt;CPU 0 <br/> &lt;4&gt;Modules linked in: jbd2 ko2iblnd(U) ptlrpc<img class="emoticon" src="https://jira.whamcloud.com/images/icons/emoticons/forbidden.png" height="16" width="16" align="absmiddle" alt="" border="0"/>(U) obdclass(U) lnet(U) lvfs(U) sha512_generic sha256_generic crc32c_intel libcfs(U) dm_round_robin autofs4 nfs lockd fscache auth_rpcgss nfs_acl sunrpc ib_srp(U) scsi_transport_srp(U) 8021q garp stp llc acpi_cpufreq freq_table mperf rdma_ucm(U) ib_ucm(U) rdma_cm(U) iw_cm(U) ib_ipoib(U) ib_cm(U) ib_uverbs(U) ib_umad(U) mlx5_ib(U) mlx5_core(U) mlx4_en(U) mlx4_ib(U) ib_sa(U) ib_mad(U) ib_core(U) ib_addr(U) ipv6 mlx4_core(U) compat(U) dm_multipath vhost_net macvtap macvlan tun kvm knem(U) uinput microcode iTCO_wdt iTCO_vendor_support dcdbas power_meter ses enclosure sg shpchp tg3 ptp pps_core lpc_ich mfd_core ext3 jbd mbcache sr_mod cdrom sd_mod crc_t10dif ahci wmi megaraid_sas dm_mirror dm_region_hash dm_log dm_mod <span class="error">&#91;last unloaded: fld&#93;</span><br/> &lt;4&gt;<br/> &lt;4&gt;Pid: 32983, comm: kiblnd_sd_00_02 Not tainted 2.6.32-431.17.1.el6_lustre.2.5.18.ddn2.x86_64 #1 Dell Inc. PowerEdge R620/01W23F<br/> &lt;4&gt;RIP: 0010:<span class="error">&#91;&lt;ffffffffa09e2409&gt;&#93;</span> <span class="error">&#91;&lt;ffffffffa09e2409&gt;&#93;</span> kiblnd_pool_alloc_node+0x49/0x2a0 <span class="error">&#91;ko2iblnd&#93;</span><br/> &lt;4&gt;RSP: 0018:ffff88100bfa5a30 EFLAGS: 00010207<br/> &lt;4&gt;RAX: 0000000000000000 RBX: ffff88202619ad80 RCX: 000000000000003f<br/> &lt;4&gt;RDX: 0000000000000010 RSI: 0000000000000002 RDI: ffff88202619ad80<br/> &lt;4&gt;RBP: ffff88100bfa5a70 R08: 4730000000000000 R09: 3980000000000000<br/> &lt;4&gt;R10: 0000000000000000 R11: 0000000000000000 R12: ffff88202619adb0<br/> &lt;4&gt;R13: ffff88100bfa5a38 R14: ffff88202619ad90 R15: 0000000000000012<br/> &lt;4&gt;FS: 0000000000000000(0000) GS:ffff880061c00000(0000) knlGS:0000000000000000<br/> &lt;4&gt;CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b<br/> &lt;4&gt;CR2: 0000000000000010 CR3: 0000001025add000 CR4: 00000000001407f0<br/> &lt;4&gt;DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br/> &lt;4&gt;DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400<br/> &lt;4&gt;Process kiblnd_sd_00_02 (pid: 32983, threadinfo ffff88100bfa4000, task ffff88100a87cae0)<br/> &lt;4&gt;Stack:<br/> &lt;4&gt; 00000000000007ed 0000000000000000 ffff88100bfa5a70 ffff88100b7874f0<br/> &lt;4&gt;&lt;d&gt; ffff880ff19b2ea8 ffff880ff19b2eb8 ffff88100d33c680 0000000000000012<br/> &lt;4&gt;&lt;d&gt; ffff88100bfa5a90 ffffffffa09ed149 ffff88100b382000 ffff880ff19b2e00<br/> &lt;4&gt;Call Trace:<br/> &lt;4&gt; <span class="error">&#91;&lt;ffffffffa09ed149&gt;&#93;</span> kiblnd_get_idle_tx+0x29/0x2c0 <span class="error">&#91;ko2iblnd&#93;</span><br/> &lt;4&gt; <span class="error">&#91;&lt;ffffffffa09f0765&gt;&#93;</span> kiblnd_check_sends+0x425/0x610 <span class="error">&#91;ko2iblnd&#93;</span><br/> &lt;4&gt; <span class="error">&#91;&lt;ffffffffa09f2d7e&gt;&#93;</span> kiblnd_post_rx+0x15e/0x3b0 <span class="error">&#91;ko2iblnd&#93;</span><br/> &lt;4&gt; <span class="error">&#91;&lt;ffffffffa09f30e6&gt;&#93;</span> kiblnd_recv+0x116/0x560 <span class="error">&#91;ko2iblnd&#93;</span><br/> &lt;4&gt; <span class="error">&#91;&lt;ffffffffa057ae9b&gt;&#93;</span> lnet_ni_recv+0xbb/0x320 <span class="error">&#91;lnet&#93;</span><br/> &lt;4&gt; <span class="error">&#91;&lt;ffffffffa057bcc1&gt;&#93;</span> lnet_drop_message+0x81/0xa0 <span class="error">&#91;lnet&#93;</span><br/> &lt;4&gt; <span class="error">&#91;&lt;ffffffffa05805a2&gt;&#93;</span> lnet_parse+0x1b2/0x18c0 <span class="error">&#91;lnet&#93;</span><br/> &lt;4&gt; <span class="error">&#91;&lt;ffffffff8106a39b&gt;&#93;</span> ? enqueue_task_fair+0xfb/0x100<br/> &lt;4&gt; <span class="error">&#91;&lt;ffffffff81061b6e&gt;&#93;</span> ? try_to_wake_up+0x24e/0x3e0<br/> &lt;4&gt; <span class="error">&#91;&lt;ffffffffa03a3bf4&gt;&#93;</span> ? mlx5_ib_poll_cq+0x1b4/0xbf0 <span class="error">&#91;mlx5_ib&#93;</span><br/> &lt;4&gt; <span class="error">&#91;&lt;ffffffffa09f37fb&gt;&#93;</span> kiblnd_handle_rx+0x2cb/0x640 <span class="error">&#91;ko2iblnd&#93;</span><br/> &lt;4&gt; <span class="error">&#91;&lt;ffffffff81061d12&gt;&#93;</span> ? default_wake_function+0x12/0x20<br/> &lt;4&gt; <span class="error">&#91;&lt;ffffffffa09f44e3&gt;&#93;</span> kiblnd_rx_complete+0x2d3/0x420 <span class="error">&#91;ko2iblnd&#93;</span><br/> &lt;4&gt; <span class="error">&#91;&lt;ffffffffa09f4692&gt;&#93;</span> kiblnd_complete+0x62/0xe0 <span class="error">&#91;ko2iblnd&#93;</span><br/> &lt;4&gt; <span class="error">&#91;&lt;ffffffffa09f4a4a&gt;&#93;</span> kiblnd_scheduler+0x33a/0x7b0 <span class="error">&#91;ko2iblnd&#93;</span><br/> &lt;4&gt; <span class="error">&#91;&lt;ffffffff81061d00&gt;&#93;</span> ? default_wake_function+0x0/0x20<br/> &lt;4&gt; <span class="error">&#91;&lt;ffffffffa09f4710&gt;&#93;</span> ? kiblnd_scheduler+0x0/0x7b0 <span class="error">&#91;ko2iblnd&#93;</span><br/> &lt;4&gt; <span class="error">&#91;&lt;ffffffff8109ab56&gt;&#93;</span> kthread+0x96/0xa0<br/> &lt;4&gt; <span class="error">&#91;&lt;ffffffff8100c20a&gt;&#93;</span> child_rip+0xa/0x20<br/> &lt;4&gt; <span class="error">&#91;&lt;ffffffff8109aac0&gt;&#93;</span> ? kthread+0x0/0xa0<br/> &lt;4&gt; <span class="error">&#91;&lt;ffffffff8100c200&gt;&#93;</span> ? child_rip+0x0/0x20<br/> &lt;4&gt;Code: 44 00 00 4c 8d 67 30 4c 8d 77 10 4c 8d 6d c8 48 89 fb 48 89 df e8 48 86 b4 e0 48 8b 43 30 4c 39 e0 48 89 45 c8 74 77 48 8d 50 10 &lt;48&gt; 39 50 10 74 61 83 40 30 01 48 8b 15 a6 b4 22 e1 48 8b 45 c8 <br/> &lt;1&gt;RIP <span class="error">&#91;&lt;ffffffffa09e2409&gt;&#93;</span> kiblnd_pool_alloc_node+0x49/0x2a0 <span class="error">&#91;ko2iblnd&#93;</span><br/> &lt;4&gt; RSP &lt;ffff88100bfa5a30&gt;<br/> &lt;pre&gt;<br/> &lt;4&gt;CR2: 0000000000000010<br/> &lt;/pre&gt;</p> <p>Following is some output of crash command:<br/> crash /usr/lib/debug/lib/modules/2.6.32-431.17.1.el6_lustre.2.5.18.ddn2.x86_64/vmlinux /var/crash/127.0.0.1-2014-07-04-09\:38\:48/vmcore<br/> crash&gt; mod -s ko2iblnd<br/> crash&gt; disas kiblnd_pool_alloc_node<br/> Dump of assembler code for function kiblnd_pool_alloc_node:<br/> 0xffffffffa09db3c0 &lt;+0&gt;: push %rbp<br/> 0xffffffffa09db3c1 &lt;+1&gt;: mov %rsp,%rbp<br/> 0xffffffffa09db3c4 &lt;+4&gt;: sub $0x40,%rsp<br/> 0xffffffffa09db3c8 &lt;+8&gt;: mov %rbx,-0x28(%rbp)<br/> 0xffffffffa09db3cc &lt;+12&gt;: mov %r12,-0x20(%rbp)<br/> 0xffffffffa09db3d0 &lt;+16&gt;: mov %r13,-0x18(%rbp)<br/> 0xffffffffa09db3d4 &lt;+20&gt;: mov %r14,-0x10(%rbp)<br/> 0xffffffffa09db3d8 &lt;+24&gt;: mov %r15,-0x8(%rbp)<br/> 0xffffffffa09db3dc &lt;+28&gt;: nopl 0x0(%rax,%rax,1)<br/> 0xffffffffa09db3e1 &lt;+33&gt;: lea 0x30(%rdi),%r12<br/> 0xffffffffa09db3e5 &lt;+37&gt;: lea 0x10(%rdi),%r14<br/> 0xffffffffa09db3e9 &lt;+41&gt;: lea -0x38(%rbp),%r13<br/> 0xffffffffa09db3ed &lt;+45&gt;: mov %rdi,%rbx<br/> 0xffffffffa09db3f0 &lt;+48&gt;: mov %rbx,%rdi<br/> 0xffffffffa09db3f3 &lt;+51&gt;: callq 0xffffffff8152aa40 &lt;_spin_lock&gt;<br/> 0xffffffffa09db3f8 &lt;+56&gt;: mov 0x30(%rbx),%rax<br/> 0xffffffffa09db3fc &lt;+60&gt;: cmp %r12,%rax<br/> 0xffffffffa09db3ff &lt;+63&gt;: mov %rax,-0x38(%rbp)<br/> 0xffffffffa09db403 &lt;+67&gt;: je 0xffffffffa09db47c &lt;kiblnd_pool_alloc_node+188&gt;<br/> 0xffffffffa09db405 &lt;+69&gt;: lea 0x10(%rax),%rdx<br/> 0xffffffffa09db409 &lt;+73&gt;: cmp %rdx,0x10(%rax)<br/> &#8211; Crash here<br/> 0xffffffffa09db40d &lt;+77&gt;: je 0xffffffffa09db470 &lt;kiblnd_pool_alloc_node+176&gt;<br/> 0xffffffffa09db40f &lt;+79&gt;: addl $0x1,0x30(%rax)<br/> 0xffffffffa09db413 &lt;+83&gt;: mov -0x1edcdb5a(%rip),%rdx # 0xffffffff81c0d8c0<br/> 0xffffffffa09db41a &lt;+90&gt;: mov -0x38(%rbp),%rax<br/> 0xffffffffa09db41e &lt;+94&gt;: add $0x493e0,%rdx<br/> 0xffffffffa09db425 &lt;+101&gt;: mov %rdx,0x28(%rax)<br/> 0xffffffffa09db429 &lt;+105&gt;: mov -0x38(%rbp),%rax<br/> 0xffffffffa09db42d &lt;+109&gt;: mov 0x10(%rax),%r12<br/> 0xffffffffa09db431 &lt;+113&gt;: mov %r12,%rdi<br/> 0xffffffffa09db434 &lt;+116&gt;: callq 0xffffffff81294630 &lt;list_del&gt;<br/> 0xffffffffa09db439 &lt;+121&gt;: mov 0x78(%rbx),%rax<br/> 0xffffffffa09db43d &lt;+125&gt;: test %rax,%rax<br/> 0xffffffffa09db440 &lt;+128&gt;: je 0xffffffffa09db44b &lt;kiblnd_pool_alloc_node+139&gt;<br/> 0xffffffffa09db442 &lt;+130&gt;: mov %r12,%rsi<br/> 0xffffffffa09db445 &lt;+133&gt;: mov -0x38(%rbp),%rdi<br/> 0xffffffffa09db449 &lt;+137&gt;: callq *%rax<br/> 0xffffffffa09db44b &lt;+139&gt;: incw (%rbx)<br/> 0xffffffffa09db44e &lt;+142&gt;: data32 xchg %ax,%ax<br/> 0xffffffffa09db451 &lt;+145&gt;: mov %r12,%rax<br/> 0xffffffffa09db454 &lt;+148&gt;: mov -0x28(%rbp),%rbx<br/> 0xffffffffa09db458 &lt;+152&gt;: mov -0x20(%rbp),%r12<br/> 0xffffffffa09db45c &lt;+156&gt;: mov -0x18(%rbp),%r13<br/> 0xffffffffa09db460 &lt;+160&gt;: mov -0x10(%rbp),%r14<br/> 0xffffffffa09db464 &lt;+164&gt;: mov -0x8(%rbp),%r15<br/> 0xffffffffa09db468 &lt;+168&gt;: leaveq <br/> 0xffffffffa09db469 &lt;+169&gt;: retq <br/> 0xffffffffa09db46a &lt;+170&gt;: nopw 0x0(%rax,%rax,1)<br/> 0xffffffffa09db470 &lt;+176&gt;: mov (%rax),%rax<br/> 0xffffffffa09db473 &lt;+179&gt;: cmp %r12,%rax<br/> 0xffffffffa09db476 &lt;+182&gt;: mov %rax,-0x38(%rbp)<br/> 0xffffffffa09db47a &lt;+186&gt;: jne 0xffffffffa09db405 &lt;kiblnd_pool_alloc_node+69&gt;<br/> 0xffffffffa09db47c &lt;+188&gt;: mov 0x58(%rbx),%r15d<br/> 0xffffffffa09db480 &lt;+192&gt;: test %r15d,%r15d<br/> 0xffffffffa09db483 &lt;+195&gt;: jne 0xffffffffa09db558 &lt;kiblnd_pool_alloc_node+408&gt;<br/> 0xffffffffa09db489 &lt;+201&gt;: mov -0x1edcdbd0(%rip),%rax # 0xffffffff81c0d8c0<br/> 0xffffffffa09db490 &lt;+208&gt;: cmp 0x50(%rbx),%rax<br/> 0xffffffffa09db494 &lt;+212&gt;: js 0xffffffffa09db645 &lt;kiblnd_pool_alloc_node+645&gt;<br/> 0xffffffffa09db49a &lt;+218&gt;: movl $0x1,0x58(%rbx)<br/> 0xffffffffa09db4a1 &lt;+225&gt;: incw (%rbx)<br/> 0xffffffffa09db4a4 &lt;+228&gt;: data32 xchg %ax,%ax<br/> 0xffffffffa09db4a7 &lt;+231&gt;: testb $0x2,-0x4deee9(%rip) # 0xffffffffa04fc5c5<br/> 0xffffffffa09db4ae &lt;+238&gt;: je 0xffffffffa09db510 &lt;kiblnd_pool_alloc_node+336&gt;<br/> 0xffffffffa09db4b0 &lt;+240&gt;: testb $0x8,-0x4deef6(%rip) # 0xffffffffa04fc5c1<br/> 0xffffffffa09db4b7 &lt;+247&gt;: je 0xffffffffa09db510 &lt;kiblnd_pool_alloc_node+336&gt;<br/> 0xffffffffa09db4b9 &lt;+249&gt;: mov %r14,%rdx<br/> 0xffffffffa09db4bc &lt;+252&gt;: mov $0xffffffffa09f42c8,%rsi<br/> 0xffffffffa09db4c3 &lt;+259&gt;: mov $0xffffffffa0a01760,%rdi<br/> 0xffffffffa09db4ca &lt;+266&gt;: xor %eax,%eax<br/> 0xffffffffa09db4cc &lt;+268&gt;: movl $0x800,0x2629a(%rip) # 0xffffffffa0a01770 &lt;msgdata.69576+16&gt;<br/> 0xffffffffa09db4d6 &lt;+278&gt;: movq $0xffffffffa09f3528,0x2627f(%rip) # 0xffffffffa0a01760 &lt;msgdata.69576&gt;<br/> 0xffffffffa09db4e1 &lt;+289&gt;: movq $0xffffffffa09f2660,0x2627c(%rip) # 0xffffffffa0a01768 &lt;msgdata.69576+8&gt;<br/> 0xffffffffa09db4ec &lt;+300&gt;: movl $0x763,0x2627e(%rip) # 0xffffffffa0a01774 &lt;msgdata.69576+20&gt;<br/> 0xffffffffa09db4f6 &lt;+310&gt;: movq $0x0,0x2627f(%rip) # 0xffffffffa0a01780 &lt;msgdata.69576+32&gt;<br/> 0xffffffffa09db501 &lt;+321&gt;: movl $0x200,0x2626d(%rip) # 0xffffffffa0a01778 &lt;msgdata.69576+24&gt;<br/> 0xffffffffa09db50b &lt;+331&gt;: callq 0xffffffffa04db8d0<br/> 0xffffffffa09db510 &lt;+336&gt;: mov 0x5c(%rbx),%esi<br/> 0xffffffffa09db513 &lt;+339&gt;: mov %r13,%rdx<br/> 0xffffffffa09db516 &lt;+342&gt;: mov %rbx,%rdi<br/> 0xffffffffa09db519 &lt;+345&gt;: callq *0x68(%rbx)<br/> 0xffffffffa09db51c &lt;+348&gt;: mov %rbx,%rdi<br/> 0xffffffffa09db51f &lt;+351&gt;: mov %eax,%r15d<br/> 0xffffffffa09db522 &lt;+354&gt;: callq 0xffffffff8152aa40 &lt;_spin_lock&gt;<br/> 0xffffffffa09db527 &lt;+359&gt;: test %r15d,%r15d<br/> 0xffffffffa09db52a &lt;+362&gt;: movl $0x0,0x58(%rbx)<br/> 0xffffffffa09db531 &lt;+369&gt;: jne 0xffffffffa09db5d8 &lt;kiblnd_pool_alloc_node+536&gt;<br/> 0xffffffffa09db537 &lt;+375&gt;: mov 0x38(%rbx),%rsi<br/> 0xffffffffa09db53b &lt;+379&gt;: mov -0x38(%rbp),%rdi<br/> 0xffffffffa09db53f &lt;+383&gt;: mov %r12,%rdx<br/> 0xffffffffa09db542 &lt;+386&gt;: callq 0xffffffff812946d0 &lt;__list_add&gt;<br/> 0xffffffffa09db547 &lt;+391&gt;: incw (%rbx)<br/> 0xffffffffa09db54a &lt;+394&gt;: data32 xchg %ax,%ax<br/> 0xffffffffa09db54d &lt;+397&gt;: jmpq 0xffffffffa09db3f0 &lt;kiblnd_pool_alloc_node+48&gt;<br/> 0xffffffffa09db552 &lt;+402&gt;: nopw 0x0(%rax,%rax,1)<br/> 0xffffffffa09db558 &lt;+408&gt;: incw (%rbx)<br/> 0xffffffffa09db55b &lt;+411&gt;: data32 xchg %ax,%ax<br/> 0xffffffffa09db55e &lt;+414&gt;: testb $0x2,-0x4defa0(%rip) # 0xffffffffa04fc5c5<br/> 0xffffffffa09db565 &lt;+421&gt;: je 0xffffffffa09db5c7 &lt;kiblnd_pool_alloc_node+519&gt;<br/> 0xffffffffa09db567 &lt;+423&gt;: testb $0x8,-0x4defad(%rip) # 0xffffffffa04fc5c1<br/> 0xffffffffa09db56e &lt;+430&gt;: je 0xffffffffa09db5c7 &lt;kiblnd_pool_alloc_node+519&gt;<br/> 0xffffffffa09db570 &lt;+432&gt;: mov %r14,%rdx<br/> 0xffffffffa09db573 &lt;+435&gt;: mov $0xffffffffa09f4280,%rsi<br/> 0xffffffffa09db57a &lt;+442&gt;: mov $0xffffffffa0a017a0,%rdi<br/> 0xffffffffa09db581 &lt;+449&gt;: xor %eax,%eax<br/> 0xffffffffa09db583 &lt;+451&gt;: movl $0x800,0x26223(%rip) # 0xffffffffa0a017b0 &lt;msgdata.69574+16&gt;<br/> 0xffffffffa09db58d &lt;+461&gt;: movq $0xffffffffa09f3528,0x26208(%rip) # 0xffffffffa0a017a0 &lt;msgdata.69574&gt;<br/> 0xffffffffa09db598 &lt;+472&gt;: movq $0xffffffffa09f2660,0x26205(%rip) # 0xffffffffa0a017a8 &lt;msgdata.69574+8&gt;<br/> 0xffffffffa09db5a3 &lt;+483&gt;: movl $0x755,0x26207(%rip) # 0xffffffffa0a017b4 &lt;msgdata.69574+20&gt;<br/> 0xffffffffa09db5ad &lt;+493&gt;: movq $0x0,0x26208(%rip) # 0xffffffffa0a017c0 &lt;msgdata.69574+32&gt;<br/> 0xffffffffa09db5b8 &lt;+504&gt;: movl $0x200,0x261f6(%rip) # 0xffffffffa0a017b8 &lt;msgdata.69574+24&gt;<br/> 0xffffffffa09db5c2 &lt;+514&gt;: callq 0xffffffffa04db8d0<br/> 0xffffffffa09db5c7 &lt;+519&gt;: callq 0xffffffff81527c70 &lt;schedule&gt;<br/> 0xffffffffa09db5cc &lt;+524&gt;: jmpq 0xffffffffa09db3f0 &lt;kiblnd_pool_alloc_node+48&gt;<br/> 0xffffffffa09db5d1 &lt;+529&gt;: nopl 0x0(%rax)<br/> 0xffffffffa09db5d8 &lt;+536&gt;: mov -0x1edcdd1f(%rip),%rax # 0xffffffff81c0d8c0<br/> 0xffffffffa09db5df &lt;+543&gt;: mov %r14,%rdx<br/> 0xffffffffa09db5e2 &lt;+546&gt;: mov $0xffffffffa09f4248,%rsi<br/> 0xffffffffa09db5e9 &lt;+553&gt;: mov $0xffffffffa0a01720,%rdi<br/> 0xffffffffa09db5f0 &lt;+560&gt;: add $0x3e8,%rax<br/> 0xffffffffa09db5f6 &lt;+566&gt;: mov %rax,0x50(%rbx)<br/> 0xffffffffa09db5fa &lt;+570&gt;: xor %eax,%eax<br/> 0xffffffffa09db5fc &lt;+572&gt;: movl $0x800,0x2612a(%rip) # 0xffffffffa0a01730 &lt;msgdata.69578+16&gt;<br/> 0xffffffffa09db606 &lt;+582&gt;: movq $0xffffffffa09f3528,0x2610f(%rip) # 0xffffffffa0a01720 &lt;msgdata.69578&gt;<br/> 0xffffffffa09db611 &lt;+593&gt;: movq $0xffffffffa09f2660,0x2610c(%rip) # 0xffffffffa0a01728 &lt;msgdata.69578+8&gt;<br/> 0xffffffffa09db61c &lt;+604&gt;: movl $0x76e,0x2610e(%rip) # 0xffffffffa0a01734 &lt;msgdata.69578+20&gt;<br/> 0xffffffffa09db626 &lt;+614&gt;: movq $0xffffffffa0a01750,0x2610f(%rip) # 0xffffffffa0a01740 &lt;msgdata.69578+32&gt;<br/> 0xffffffffa09db631 &lt;+625&gt;: movl $0x20000,0x260fd(%rip) # 0xffffffffa0a01738 &lt;msgdata.69578+24&gt;<br/> 0xffffffffa09db63b &lt;+635&gt;: callq 0xffffffffa04db8d0<br/> 0xffffffffa09db640 &lt;+640&gt;: jmpq 0xffffffffa09db547 &lt;kiblnd_pool_alloc_node+391&gt;<br/> 0xffffffffa09db645 &lt;+645&gt;: incw (%rbx)<br/> 0xffffffffa09db648 &lt;+648&gt;: data32 xchg %ax,%ax<br/> 0xffffffffa09db64b &lt;+651&gt;: xor %r12d,%r12d<br/> 0xffffffffa09db64e &lt;+654&gt;: jmpq 0xffffffffa09db451 &lt;kiblnd_pool_alloc_node+145&gt;<br/> End of assembler dump.</p> <p>It seems ps-&gt;ps_pool_list was broken since it had a NULL entry.</p> LU-5678

kernel crash due to NULL pointer dereference in kiblnd_pool_alloc_node()

Bug Major Resolved Fixed Amir Shehata Li Xi p4b patch Mon, 29 Sep 2014 02:44:44 +0000 Thu, 14 Jun 2018 21:41:36 +0000 Thu, 9 Jul 2015 15:53:50 +0000 Lustre 2.7.0 Lustre 2.8.0 Lustre 2.5.4 Lustre 2.7.0 0 11 <p>There might be better solutions, but following patch helps us to aviod this crash.</p> <p><a href="http://review.whamcloud.com/12104" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/12104</a></p> <p>Amir</p> <p>Could you please review this patch?</p> <p>Thanks</p> <p>Peter</p> <p>I think probably we should not send NOOP anymore in o2iblnd when LNet is shutting down.</p> <p>thanks lixi, I have reviewed this patch, it's on the right direction, but can be simplified to two lines.</p> <p>Lixi, I updated your patch due to problem found by Isaac, could you check it?</p> <p>I think I found the real issue here, in kiblnd_post_rx():</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre> kib_conn_t *conn = rx-&gt;rx_conn; ...... rc = ib_post_recv(conn-&gt;ibc_cmid-&gt;qp, &amp;rx-&gt;rx_wrq, &amp;bad_wrq); if (rc != 0) { CERROR("Can't post rx for %s: %d, bad_wrq: %p\n", libcfs_nid2str(conn-&gt;ibc_peer-&gt;ibp_nid), rc, bad_wrq); rx-&gt;rx_nob = 0; } </pre> </div></div> <p>At this point, because we have posted RX, so we don't own it anymore, and we don't own rx_conn as well because another thread may poll this RX again, then drop it and release reference on connection, which means all below code lines can refer to an already destroyed connection.</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre> spin_lock(&amp;conn-&gt;ibc_lock); if (credit == IBLND_POSTRX_PEER_CREDIT) conn-&gt;ibc_outstanding_credits++; else conn-&gt;ibc_reserved_credits++; spin_unlock(&amp;conn-&gt;ibc_lock); kiblnd_check_sends(conn); </pre> </div></div> <p>I will post a new patch to address this issue.</p> <p>Liang Zhen (liang.zhen@intel.com) uploaded a new patch: <a href="http://review.whamcloud.com/12852" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/12852</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-5678" title="kernel crash due to NULL pointer dereference in kiblnd_pool_alloc_node()" class="issue-link" data-issue-key="LU-5678"><del>LU-5678</del></a> o2iblnd: connection refcount fix<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: 1<br/> Commit: 8d865f36efeb2ad3eeb1fa5094683661fe463f35</p> <p>BTW, looks like we had a similar issue a very long time ago:<br/> <a href="https://projectlava.xyratex.com/show_bug.cgi?id=21911" class="external-link" target="_blank" rel="nofollow noopener">https://projectlava.xyratex.com/show_bug.cgi?id=21911</a></p> <p>And there seemed to be some work undone there, which was why I kept it open. I'll look into that.</p> <p>Isaac, could you take a look at this patch when you have time? <a href="http://review.whamcloud.com/#/c/12718/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/#/c/12718/</a><br/> it should be able to improve lock usage for this piece of code, although I'd like to have above patch patch in our releases first.</p> <p>Comments posted.</p> <p>Oleg Drokin (oleg.drokin@intel.com) merged in patch <a href="http://review.whamcloud.com/12852/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/12852/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-5678" title="kernel crash due to NULL pointer dereference in kiblnd_pool_alloc_node()" class="issue-link" data-issue-key="LU-5678"><del>LU-5678</del></a> o2iblnd: connection refcount fix for kiblnd_post_rx<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: 01eb2aefde36892d7a9576b6c6dd18da8529933f</p> <p>Patch landed to Master. Patches for other versions tracked externally.</p> <p>We still hit this bug after applying patch <a href="http://review.whamcloud.com/12852/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/12852/</a> on the 2.5.3 lustre version.<br/> What is the status of patch <a href="http://review.whamcloud.com/#/c/12718/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/#/c/12718/</a> ?</p> <p>Sebastien, I will recheck this problem</p> <p>Amir</p> <p>Could you please look into this issue?</p> <p>Thanks</p> <p>Peter</p> <p>Sebastien, I want to clarify, have you tried to apply: <a href="http://review.whamcloud.com/#/c/12718/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/#/c/12718/</a> and did it fix your issue?</p> <p>Hi Amir,</p> <p>We get the following error when trying to access <a href="http://review.whamcloud.com/#/c/12718/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/#/c/12718/</a> : "The page you requested was not found, or you do not have permission to view this page."<br/> So we were not able to access this patch in the first place.</p> <p>Cheers,<br/> Sebastien.</p> <p>Sebastien</p> <p>Do you have a reliable reproducer for this issue?</p> <p>Peter</p> <p>What would be helpful is if you can attach the vmcore and vmlinux of the crash, so I can investigate further.</p> <p>Hi Amir,</p> <p>I have uploaded a tarball with a dump and the matching vmlinux and module files on the FTP site under /uploads/<a href="https://jira.whamcloud.com/browse/LU-5678" title="kernel crash due to NULL pointer dereference in kiblnd_pool_alloc_node()" class="issue-link" data-issue-key="LU-5678"><del>LU-5678</del></a>/<a href="https://jira.whamcloud.com/browse/LU-5678" title="kernel crash due to NULL pointer dereference in kiblnd_pool_alloc_node()" class="issue-link" data-issue-key="LU-5678"><del>LU-5678</del></a>-2015-04-01.tar.xz</p> <p>Regards,</p> <p>Sebastien.</p> <p>Hi Sebastien,</p> <p>Can you please let me know the version of Lustre you're running, and list all the patches that have been applied to it.</p> <p>Also regarding the core, is it possible to upload the System.map file.</p> <p>Have you ever tried out this patch: <a href="http://review.whamcloud.com/12104" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/12104</a></p> <p>I also want to confirm that you see this crash on shutdown? Is it consistently reproducible?</p> <p>thanks</p> <p>Hi Amir,</p> <p>The version of Lustre is based on a 2.5.3 plus some patches. I don't have a complete mapping of these patches to the review.whamcloud.com site, but I uploaded those patches on the ftp site under uploads/<a href="https://jira.whamcloud.com/browse/LU-5678" title="kernel crash due to NULL pointer dereference in kiblnd_pool_alloc_node()" class="issue-link" data-issue-key="LU-5678"><del>LU-5678</del></a>/lustre-bullpatches.tar.gz. Most of them have references to Jira number and/or review pages. Others are specific to our distribution.<br/> I also uploaded the System.map file in the same ftp directory.</p> <p>The crash is seen when unmounting a target, either on OSS or MDS, but this is not consistently reproducible.<br/> We can see this frequently when unmounting a large number of targets on a large number of servers which have run for quite some time.</p> <p>Thanks for the extra info. I'm currently investigating and will update the bug as soon as I make more progress.</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java">crash&gt; bt PID: 9622 TASK: ffff881066c50080 CPU: 1 COMMAND: <span class="code-quote">"kiblnd_sd_00_02"</span> #0 [ffff880f23ee3630] machine_kexec at ffffffff8103b71b #1 [ffff880f23ee3690] crash_kexec at ffffffff810c9852 #2 [ffff880f23ee3760] oops_end at ffffffff8152ec30 #3 [ffff880f23ee3790] no_context at ffffffff8104c80b #4 [ffff880f23ee37e0] __bad_area_nosemaphore at ffffffff8104ca95 #5 [ffff880f23ee3830] bad_area_nosemaphore at ffffffff8104cb63 #6 [ffff880f23ee3840] __do_page_fault at ffffffff8104d2bf #7 [ffff880f23ee3960] do_page_fault at ffffffff81530b7e #8 [ffff880f23ee3990] page_fault at ffffffff8152df35 [exception RIP: kiblnd_pool_alloc_node+73] RIP: ffffffffa0b77439 RSP: ffff880f23ee3a40 RFLAGS: 00010207 RAX: 0000000000000000 RBX: ffff880fec59ce40 RCX: 000000000000003f RDX: 0000000000000010 RSI: 0000000000000002 RDI: ffff880fec59ce40 RBP: ffff880f23ee3a80 R8: 72f8000000000000 R9: 97c0000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff880fec59ce70 R13: ffff880f23ee3a48 R14: ffff880fec59ce50 R15: 0000000000000012 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #9 [ffff880f23ee3a88] kiblnd_get_idle_tx at ffffffffa0b81fa9 [ko2iblnd] #10 [ffff880f23ee3aa8] kiblnd_check_sends at ffffffffa0b857b5 [ko2iblnd] #11 [ffff880f23ee3b08] kiblnd_post_rx at ffffffffa0b87dd8 [ko2iblnd] #12 [ffff880f23ee3b58] kiblnd_recv at ffffffffa0b882c6 [ko2iblnd] #13 [ffff880f23ee3be8] lnet_ni_recv at ffffffffa05f9ecb [lnet] #14 [ffff880f23ee3c38] lnet_drop_message at ffffffffa05facf1 [lnet] #15 [ffff880f23ee3c78] lnet_parse at ffffffffa05ff672 [lnet] #16 [ffff880f23ee3d58] kiblnd_handle_rx at ffffffffa0b889db [ko2iblnd] #17 [ffff880f23ee3da8] kiblnd_rx_complete at ffffffffa0b896c3 [ko2iblnd] #18 [ffff880f23ee3df8] kiblnd_complete at ffffffffa0b89872 [ko2iblnd] #19 [ffff880f23ee3e08] kiblnd_scheduler at ffffffffa0b89c2a [ko2iblnd] #20 [ffff880f23ee3ee8] kthread at ffffffff8109e66e #21 [ffff880f23ee3f48] kernel_thread at ffffffff8100c20a crash&gt; (gdb) l *kiblnd_pool_alloc_node+73 0x3469 is in kiblnd_pool_alloc_node (/home/ashehata/LU-5678/lnet/klnds/o2iblnd/o2iblnd.c:1855). 1850 <span class="code-object">int</span> rc; 1851 1852 again: 1853 spin_lock(&amp;ps-&gt;ps_lock); 1854 cfs_list_for_each_entry(pool, &amp;ps-&gt;ps_pool_list, po_list) { 1855 <span class="code-keyword">if</span> (cfs_list_empty(&amp;pool-&gt;po_free_list)) 1856 <span class="code-keyword">continue</span>; 1857 1858 pool-&gt;po_allocated ++; 1859 pool-&gt;po_deadline = cfs_time_shift(IBLND_POOL_DEADLINE); (gdb) </pre> </div></div> <p>We're looking at the possibility that this might not be the same race condition as the one addressed by the previous patch.</p> <p>Is it possible to enable net and malloc debugging:</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java">lctl set_param debug=+net lctl set_param debug=+malloc </pre> </div></div> <p>And try to reproduce the issue? I'm hoping to get some insight into the system state before the crash occurs.</p> <p>Given that the fix that has landed to master seems to have met the needs of the original reporter I suggest that we recluse this ticket and that Bull open a new ticket to track any similar issue that is still outstanding.</p> Related LU-7099 Development Rank 1|hzwx9z: Rank (Obsolete) 15902 Severity