On Thu, 2019-03-21 at 08:44 -0400, Laurence Oberman wrote:
> On Wed, 2019-03-20 at 16:35 -0400, Laurence Oberman wrote:
> > On Wed, 2019-03-20 at 13:28 -0700, Bart Van Assche wrote:
> > > On Wed, 2019-03-20 at 11:11 -0400, Laurence Oberman wrote:
> > > > On Wed, 2019-03-20 at 09:45 -0400, Laurence Oberman wrote:
> > > > > Hello Bart, I hope all is well with you.
> > > > >
> > > > > Quick question: preparing to test v5.1-rc2 SRP, my usual method is
> > > > > first to validate the prior kernel I had in place.
> > > > > That kernel (5.0.0-rc2) had passed tests previously, but I had only
> > > > > run the disconnect tests, not the target server reboot test.
> > > > >
> > > > > Today, with mapped SRP devices, I rebooted the target server and
> > > > > the client panicked.
> > > > >
> > > > > It's been a while and I have been so busy that I have not kept up
> > > > > with all the fixes. Is this a known issue?
> > > > >
> > > > > Thanks
> > > > > Laurence
> > > > >
> > > > > [5414228.917507] scsi host2: ib_srp: Path record query failed: sgid
> > > > > fe80:0000:0000:0000:7cfe:9003:0072:6ed3, dgid
> > > > > fe80:0000:0000:0000:7cfe:9003:0072:6e4f, pkey 0xffff, service_id
> > > > > 0x7cfe900300726e4e
> > > > > [5414229.014355] scsi host2: reconnect attempt 7 failed (-110)
> > > > > [5414239.318161] scsi host2: ib_srp: Sending CM DREQ failed
> > > > > [5414239.318165] scsi host2: ib_srp: Sending CM DREQ failed
> > > > > [5414239.318167] scsi host2: ib_srp: Sending CM DREQ failed
> > > > > [5414239.318168] scsi host2: ib_srp: Sending CM DREQ failed
> > > > > [5414239.318170] scsi host2: ib_srp: Sending CM DREQ failed
> > > > > [5414239.318172] scsi host2: ib_srp: Sending CM DREQ failed
> > > > > [5414239.318173] scsi host2: ib_srp: Sending CM DREQ failed
> > > > > [5414239.318175] scsi host2: ib_srp: Sending CM DREQ failed
> > > > > [5414243.670072] scsi host2: ib_srp: Got failed path rec status -110
> > > > > [5414243.702179] scsi host2: ib_srp: Path record query failed: sgid
> > > > > fe80:0000:0000:0000:7cfe:9003:0072:6ed3, dgid
> > > > > fe80:0000:0000:0000:7cfe:9003:0072:6e4f, pkey 0xffff, service_id
> > > > > 0x7cfe900300726e4e
> > > > > [5414243.799313] scsi host2: reconnect attempt 8 failed (-110)
> > > > > [5414247.510115] scsi host1: ib_srp: Sending CM REQ failed
> > > > > [5414247.510140] scsi host1: reconnect attempt 1 failed (-104)
> > > > > [5414247.849078] BUG: unable to handle kernel NULL pointer
> > > > > dereference at 00000000000000b8
> > > > > [5414247.893793] #PF error: [normal kernel read fault]
> > > > > [5414247.921839] PGD 0 P4D 0
> > > > > [5414247.937280] Oops: 0000 [#1] SMP PTI
> > > > > [5414247.958332] CPU: 4 PID: 7773 Comm: kworker/4:1H Kdump: loaded
> > > > > Tainted: G          I       5.0.0-rc2+ #2
> > > > > [5414248.012856] Hardware name: HP ProLiant DL380 G7, BIOS P67 08/16/2015
> > > > > [5414248.026174] device-mapper: multipath: Failing path 8:48.
> > > > >
> > > > > [5414248.050003] Workqueue: kblockd blk_mq_run_work_fn
> > > > > [5414248.108378] RIP: 0010:blk_mq_dispatch_rq_list+0xc9/0x590
> > > > > [5414248.139724] Code: 0f 85 c2 04 00 00 83 44 24 28 01 48 8b 45 00
> > > > > 48 39 c5 0f 84 ea 00 00 00 48 8b 5d 00 80 3c 24 00 4c 8d 6b b8 4c
> > > > > 8b 63 c8 75 25 <49> 8b 84 24 b8 00 00 00 48 8b 40 40 48 8b 40 10
> > > > > 48 85 c0 74 10 4c
> > > > > [5414248.246176] RSP: 0018:ffffb1cd8760fd90 EFLAGS: 00010246
> > > > > [5414248.275599] RAX: ffffa049d67a1308 RBX: ffffa049d67a1308 RCX: 0000000000000004
> > > > > [5414248.316090] RDX: 0000000000000000 RSI: ffffb1cd8760fe20 RDI: ffffa0552ca08000
> > > > > [5414248.356884] RBP: ffffb1cd8760fe20 R08: 0000000000000000 R09: 8080808080808080
> > > > > [5414248.397632] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
> > > > > [5414248.439323] R13: ffffa049d67a12c0 R14: 0000000000000000 R15: ffffa0552ca08000
> > > > > [5414248.481743] FS:  0000000000000000(0000) GS:ffffa04a37880000(0000)
> > > > > knlGS:0000000000000000
> > > > > [5414248.528310] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > > > [5414248.561779] CR2: 00000000000000b8 CR3: 0000000e9d40e004 CR4: 00000000000206e0
> > > > > [5414248.602420] Call Trace:
> > > > > [5414248.616660]  blk_mq_sched_dispatch_requests+0x15c/0x180
> > > > > [5414248.647066]  __blk_mq_run_hw_queue+0x5f/0xf0
> > > > > [5414248.672633]  process_one_work+0x171/0x370
> > > > > [5414248.695443]  worker_thread+0x49/0x3f0
> > > > > [5414248.716730]  kthread+0xf8/0x130
> > > > > [5414248.735085]  ? max_active_store+0x80/0x80
> > > > > [5414248.758569]  ? kthread_bind+0x10/0x10
> > > > > [5414248.779953]  ret_from_fork+0x35/0x40
> > > > >
> > > > > [5414248.801005] Modules linked in: ib_isert iscsi_target_mod
> > > > > target_core_mod ib_srp rpcrdma scsi_transport_srp rdma_ucm ib_iser
> > > > > ib_ipoib ib_umad rdma_cm libiscsi iw_cm scsi_transport_iscsi ib_cm
> > > > > sunrpc mlx5_ib ib_uverbs ib_core intel_powerclamp coretemp kvm_intel
> > > > > kvm irqbypass ipmi_ssif crct10dif_pclmul crc32_pclmul
> > > > > ghash_clmulni_intel aesni_intel iTCO_wdt crypto_simd cryptd gpio_ich
> > > > > iTCO_vendor_support glue_helper joydev ipmi_si dm_service_time pcspkr
> > > > > ipmi_devintf hpilo hpwdt sg ipmi_msghandler acpi_power_meter lpc_ich
> > > > > i7core_edac pcc_cpufreq dm_multipath ip_tables xfs libcrc32c radeon
> > > > > sd_mod i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt
> > > > > fb_sys_fops ttm drm mlx5_core crc32c_intel serio_raw i2c_core hpsa
> > > > > bnx2 scsi_transport_sas mlxfw devlink dm_mirror dm_region_hash dm_log
> > > > > dm_mod
> > > > > [5414249.199354] CR2: 00000000000000b8
> > > >
> > > > Looking at the vmcore:
> > > >
> > > > PID: 7773   TASK: ffffa04a2c1e2b80   CPU: 4   COMMAND: "kworker/4:1H"
> > > >  #0 [ffffb1cd8760fab0] machine_kexec at ffffffffaaa6003f
> > > >  #1 [ffffb1cd8760fb08] __crash_kexec at ffffffffaab373ed
> > > >  #2 [ffffb1cd8760fbd0] crash_kexec at ffffffffaab385b9
> > > >  #3 [ffffb1cd8760fbe8] oops_end at ffffffffaaa31931
> > > >  #4 [ffffb1cd8760fc08] no_context at ffffffffaaa6eb59
> > > >  #5 [ffffb1cd8760fcb0] do_page_fault at ffffffffaaa6feb2
> > > >  #6 [ffffb1cd8760fce0] page_fault at ffffffffab2010ee
> > > >     [exception RIP: blk_mq_dispatch_rq_list+201]
> > > >     RIP: ffffffffaad90589  RSP: ffffb1cd8760fd90  RFLAGS: 00010246
> > > >     RAX: ffffa049d67a1308  RBX: ffffa049d67a1308  RCX: 0000000000000004
> > > >     RDX: 0000000000000000  RSI: ffffb1cd8760fe20  RDI: ffffa0552ca08000
> > > >     RBP: ffffb1cd8760fe20  R8:  0000000000000000  R9:  8080808080808080
> > > >     R10: 0000000000000001  R11: 0000000000000001  R12: 0000000000000000
> > > >     R13: ffffa049d67a12c0  R14: 0000000000000000  R15: ffffa0552ca08000
> > > >     ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
> > > >  #7 [ffffb1cd8760fe18] blk_mq_sched_dispatch_requests at ffffffffaad9570c
> > > >  #8 [ffffb1cd8760fe60] __blk_mq_run_hw_queue at ffffffffaad8de3f
> > > >  #9 [ffffb1cd8760fe78] process_one_work at ffffffffaaab0ab1
> > > > #10 [ffffb1cd8760feb8] worker_thread at ffffffffaaab11d9
> > > > #11 [ffffb1cd8760ff10] kthread at ffffffffaaab6758
> > > > #12 [ffffb1cd8760ff50] ret_from_fork at ffffffffab200215
> > > >
> > > > We were working on this request_queue in blk_mq_sched_dispatch_requests:
> > > >
> > > > crash> dev -d | grep ffffa0552ca08000
> > > >     8  ffffa055c81b5800  sdd  ffffa0552ca08000  0  0  0
> > > >
> > > > That device was no longer accessible:
> > > >
> > > > sdev_state = SDEV_TRANSPORT_OFFLINE,
> > > >
> > > > So it looks like we tried to process a no-longer-valid list entry in
> > > > blk_mq_dispatch_rq_list.
> > > >
> > > > /home/loberman/rpmbuild/BUILD/kernel-5.0.0_rc2+/block/blk-mq.h: 211
> > > > 0xffffffffaad90589 <blk_mq_dispatch_rq_list+201>: mov 0xb8(%r12),%rax
> > > >
> > > > R12 is NULL.
> > > >
> > > > From:
> > > >
> > > > static inline bool blk_mq_get_dispatch_budget(struct blk_mq_hw_ctx *hctx)
> > > > {
> > > >         struct request_queue *q = hctx->queue;
> > > >
> > > >         if (q->mq_ops->get_budget)
> > > >                 return q->mq_ops->get_budget(hctx);
> > > >         return true;
> > > > }
> > > >
> > > > I will wait for a reply before I try the newer kernel, but this looks
> > > > like a use-after-free to me.
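> > > >
> > > > To make the faulting address concrete: the load
> > > > "mov 0xb8(%r12),%rax" is just "base->field" with base == NULL and
> > > > the field 0xb8 bytes into the struct. A minimal user-space sketch
> > > > (mock type and offset of my own, not the kernel's request_queue
> > > > layout):
> > > >
> > > > #include <stdio.h>
> > > > #include <stddef.h>
> > > >
> > > > /* Mock layout: a pointer placed 0xb8 bytes into the struct,
> > > >  * mirroring the disassembly above. */
> > > > struct mock_queue {
> > > >         char pad[0xb8];
> > > >         const void *ops;   /* hypothetical field at offset 0xb8 */
> > > > };
> > > >
> > > > int main(void)
> > > > {
> > > >         /* With q == NULL, reading q->ops would touch address
> > > >          * 0x00000000000000b8, matching CR2 in the oops above. */
> > > >         printf("offsetof(ops) = 0x%zx\n",
> > > >                offsetof(struct mock_queue, ops));
> > > >         return 0;
> > > > }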
> > >
> > > Hi Laurence,
> > >
> > > I don't think that any of the recent SRP initiator changes can be the
> > > root cause of this crash. However, significant changes went upstream in
> > > the block layer core during the v5.1-rc1 merge window, e.g. multi-page
> > > bvec support. Is it possible for you to bisect this kernel oops?
> > >
> > > Thanks,
> > >
> > > Bart.
> >
> > OK, I will see if I can reproduce on the fly and I will bisect.
> > I do agree it's not SRP, more likely some block layer race.
> > I was just able to reproduce it using SRP.
> >
> > Note that this was on 5.0.0-rc2+, prior to me trying 5.1.
> >
> > I usually reboot the target server as part of my test series, but when I
> > last tested 5.0.0-rc2+ I only reset the SRP interfaces and had devices
> > get rediscovered.
> >
> > I did not see it during those tests.
> >
> > I'll be back when I have more to share.
> >
> > Many thanks for your time, as always
> > Laurence
>
> Something crept in, in the block layer, causing a use-after-free.
> 4.19.0-rc1+ does not have the issue, so I will narrow the bisect.
> Thanks
> Laurence

This took a long time to bisect.

Repeating the issue seen: with some change in this range, when the target
is rebooted with mapped SRP devices, the client experiences a list
corruption and panic, as already shown.

Some stacks:

[ 222.631998] scsi host1: ib_srp: Path record query failed: sgid
fe80:0000:0000:0000:7cfe:9003:0072:6ed2, dgid
fe80:0000:0000:0000:7cfe:9003:0072:6e4e, pkey 0xffff, service_id
0x7cfe900300726e4e
[ 222.729639] scsi host1: reconnect attempt 1 failed (-110)
[ 223.176766] fast_io_fail_tmo expired for SRP port-1:1 / host1.
[ 223.518759] BUG: unable to handle kernel NULL pointer dereference at
00000000000000b8
[ 223.519736] sd 1:0:0:0: rejecting I/O to offline device
[ 223.563769] #PF error: [normal kernel read fault]
[ 223.563770] PGD 0 P4D 0
[ 223.563774] Oops: 0000 [#1] SMP PTI
[ 223.563778] CPU: 3 PID: 9027 Comm: kworker/3:1H Tainted: G          I       5.0.0-rc1 #22
[ 223.563779] Hardware name: HP ProLiant DL380 G7, BIOS P67 08/16/2015
[ 223.563787] Workqueue: kblockd blk_mq_run_work_fn
[ 223.593723] device-mapper: multipath: Failing path 8:48.
[ 223.620801] RIP: 0010:blk_mq_dispatch_rq_list+0xc9/0x590
[ 223.635266] print_req_error: I/O error, dev dm-6, sector 8191872 flags 80700
[ 223.655565] Code: 0f 85 c2 04 00 00 83 44 24 28 01 48 8b 45 00 48 39 c5
0f 84 ea 00 00 00 48 8b 5d 00 80 3c 24 00 4c 8d 6b b8 4c 8b 63 c8 75 25
<49> 8b 84 24 b8 00 00 00 48 8b 40 40 48 8b 40 10 48 85 c0 74 10 4c
[ 223.655566] RSP: 0018:ffffa65b4c43fd90 EFLAGS: 00010246
[ 223.655570] RAX: ffff93ed9bfdbbc8 RBX: ffff93ed9bfdbbc8 RCX: 0000000000000004
[ 223.702351] print_req_error: I/O error, dev dm-6, sector 8191872 flags 0
[ 223.737640] RDX: 0000000000000000 RSI: ffffa65b4c43fe20 RDI: ffff93ed9b838000
[ 223.737641] RBP: ffffa65b4c43fe20 R08: 0000000000000000 R09: 8080808080808080
[ 223.737642] R10: 0000000000000001 R11: 071c71c71c71c71c R12: 0000000000000000
[ 223.737643] R13: ffff93ed9bfdbb80 R14: 0000000000000000 R15: ffff93ed9b838000
[ 223.737645] FS:  0000000000000000(0000) GS:ffff93ee33840000(0000)
knlGS:0000000000000000
[ 223.737646] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 223.737646] CR2: 00000000000000b8 CR3: 000000059da0e006 CR4: 00000000000206e0
[ 223.737648] Call Trace:
[ 223.737657]  blk_mq_sched_dispatch_requests+0x15c/0x180   *** Freed already
[ 223.737660]  __blk_mq_run_hw_queue+0x5f/0xf0
[ 223.737665]  process_one_work+0x171/0x370
[ 223.737667]  worker_thread+0x49/0x3f0
[ 223.737670]  kthread+0xf8/0x130
[ 223.737673]  ? max_active_store+0x80/0x80

And:

[ 643.425005] device-mapper: multipath: Failing path 67:0.
[ 643.696365] ------------[ cut here ]------------
[ 643.722927] list_add corruption. prev->next should be next
(ffffc8c0c3bd9448), but was ffff93b971965e08. (prev=ffff93b971965e08).
[ 643.787089] WARNING: CPU: 14 PID: 6533 at lib/list_debug.c:28
__list_add_valid+0x6a/0x70
[ 643.830951] Modules linked in: ib_isert iscsi_target_mod target_core_mod
ib_srp scsi_transport_srp rpcrdma ib_ipoib ib_umad rdma_ucm ib_iser rdma_cm
iw_cm libiscsi sunrpc scsi_transport_iscsi ib_cm mlx5_ib ib_uverbs ib_core
intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul
crc32_pclmul iTCO_wdt ghash_clmulni_intel ipmi_ssif aesni_intel
iTCO_vendor_support gpio_ich crypto_simd dm_service_time cryptd glue_helper
joydev ipmi_si ipmi_devintf pcspkr hpilo hpwdt sg ipmi_msghandler
acpi_power_meter pcc_cpufreq lpc_ich i7core_edac dm_multipath ip_tables xfs
libcrc32c radeon sd_mod i2c_algo_bit drm_kms_helper syscopyarea sysfillrect
sysimgblt fb_sys_fops ttm drm crc32c_intel serio_raw mlx5_core i2c_core
bnx2 hpsa mlxfw scsi_transport_sas dm_mirror dm_region_hash dm_log dm_mod
[ 644.224150] CPU: 14 PID: 6533 Comm: kworker/14:1H Tainted: G          I       4.20.0+ #26
[ 644.269637] Hardware name: HP ProLiant DL380 G7, BIOS P67 08/16/2015
[ 644.305110] Workqueue: kblockd blk_mq_run_work_fn
[ 644.330984] RIP: 0010:__list_add_valid+0x6a/0x70
[ 644.357601] Code: 31 c0 48 c7 c7 70 e4 ab b6 e8 22 a6 cc ff 0f 0b 31 c0
c3 48 89 d1 48 c7 c7 20 e4 ab b6 48 89 f2 48 89 c6 31 c0 e8 06 a6 cc ff
<0f> 0b 31 c0 c3 90 48 8b 07 48 b9 00 01 00 00 00 00 ad de 48 8b 57
[ 644.462542] RSP: 0018:ffffa8ccc72bfc00 EFLAGS: 00010286
[ 644.491594] RAX: 0000000000000000 RBX: ffff93b971965dc0 RCX: 0000000000000000
[ 644.532745] RDX: 0000000000000001 RSI: ffff93b9b79d67b8 RDI: ffff93b9b79d67b8
[ 644.573533] RBP: ffffc8c0c3bd9448 R08: 0000000000000000 R09: 000000000000072c
[ 644.614180] R10: 0000000000000000 R11: ffffa8ccc72bf968 R12: ffff93b96d454c00
[ 644.654683] R13: ffffc8c0c3bd9440 R14: ffff93b971965e08 R15: ffff93b971965e08
[ 644.694275] FS:  0000000000000000(0000) GS:ffff93b9b79c0000(0000)
knlGS:0000000000000000
[ 644.739906] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 644.771879] CR2: 00007fd566c10000 CR3: 0000000253e0e002 CR4: 00000000000206e0
[ 644.811438] Call Trace:
[ 644.824809]  __blk_mq_insert_request+0x62/0x130
[ 644.849886]  blk_mq_sched_insert_request+0x13c/0x1b0
[ 644.877402]  blk_mq_try_issue_directly+0x105/0x2c0
[ 644.904452]  blk_insert_cloned_request+0x9a/0x130
[ 644.931146]  ? ktime_get+0x37/0x90
[ 644.950545]  dm_mq_queue_rq+0x21c/0x3f0 [dm_mod]
[ 644.977064]  ? blk_mq_get_driver_tag+0xa1/0x120
[ 645.003002]  blk_mq_dispatch_rq_list+0x8e/0x590
[ 645.029812]  ? __switch_to_asm+0x40/0x70
[ 645.052059]  ? __switch_to_asm+0x34/0x70
[ 645.074664]  ? __switch_to_asm+0x40/0x70
[ 645.097111]  ? __switch_to_asm+0x34/0x70
[ 645.119948]  ? __switch_to_asm+0x34/0x70
[ 645.143101]  ? __switch_to_asm+0x40/0x70
[ 645.165273]  ? syscall_return_via_sysret+0x10/0x7f
[ 645.192161]  blk_mq_sched_dispatch_requests+0xe8/0x180
[ 645.221460]  __blk_mq_run_hw_queue+0x5f/0xf0
[ 645.244766]  process_one_work+0x171/0x370
[ 645.267164]  worker_thread+0x49/0x3f0
[ 645.287860]  kthread+0xf8/0x130
[ 645.304894]  ? max_active_store+0x80/0x80
[ 645.327748]  ? kthread_bind+0x10/0x10
[ 645.347898]  ret_from_fork+0x35/0x40
[ 645.368298] ---[ end trace afa70bf68ffb006b ]---
[ 645.397356] ------------[ cut here ]------------
[ 645.423878] list_add corruption. prev->next should be next
(ffffc8c0c3bd9448), but was ffff93b971965e08. (prev=ffff93b971965e08).
[ 645.488009] WARNING: CPU: 14 PID: 6533 at lib/list_debug.c:28
__list_add_valid+0x6a/0x70
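For reference, that warning comes from the CONFIG_DEBUG_LIST sanity check
in __list_add_valid(). A paraphrased sketch of the invariant it enforces
(my wording, not the exact lib/list_debug.c source):

/* Paraphrased sketch of the debug-list check that fired above. */
struct list_head {
        struct list_head *next, *prev;
};

/* Before linking @entry between @prev and @next, verify that the
 * neighbours still point at each other. */
static int sketch_list_add_valid(struct list_head *entry,
                                 struct list_head *prev,
                                 struct list_head *next)
{
        (void)entry;
        if (prev->next != next)
                return 0;  /* "prev->next should be next ... but was ..." */
        if (next->prev != prev)
                return 0;
        return 1;
}

Note that in the dump above prev->next equals prev itself
(ffff93b971965e08), i.e. the neighbouring entry points at itself, which is
what INIT_LIST_HEAD leaves behind, so that entry looks like it was freed
or re-initialized while still linked into the list.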
I started by bisecting just the block layer, but nothing made sense, so I
re-ran the bisect over the entire kernel.

$ git bisect start
$ git bisect good v4.20
$ git bisect bad v5.0-rc1
Bisecting: 5477 revisions left to test after this (roughly 13 steps)

*** Groan: I got to here and the problem is that it's an entire merge.

[loberman@ibclient linux_torvalds]$ git bisect bad
4b9254328254bed12a4ac449cdff2c332e630837 is the first bad commit

[loberman@ibclient linux_torvalds]$ git show 4b9254328254bed12a4ac449cdff2c332e630837
commit 4b9254328254bed12a4ac449cdff2c332e630837
Merge: 1a9430d cd19181
Author: Jens Axboe <axboe@xxxxxxxxx>
Date:   Tue Dec 18 08:29:53 2018 -0700

    Merge branch 'for-4.21/block' into for-4.21/aio

    * for-4.21/block: (351 commits)
      blk-mq: enable IO poll if .nr_queues of type poll > 0
      blk-mq: change blk_mq_queue_busy() to blk_mq_queue_inflight()
      blk-mq: skip zero-queue maps in blk_mq_map_swqueue
      block: fix blk-iolatency accounting underflow
      blk-mq: fix dispatch from sw queue
      block: mq-deadline: Fix write completion handling
      nvme-pci: don't share queue maps
      blk-mq: only dispatch to non-defauly queue maps if they have queues
      blk-mq: export hctx->type in debugfs instead of sysfs
      blk-mq: fix allocation for queue mapping table
      blk-wbt: export internal state via debugfs
      blk-mq-debugfs: support rq_qos
      block: update sysfs documentation
      block: loop: check error using IS_ERR instead of IS_ERR_OR_NULL in loop_add()
      aoe: add __exit annotation
      block: clear REQ_HIPRI if polling is not supported
      blk-mq: replace and kill blk_mq_request_issue_directly
      blk-mq: issue directly with bypass 'false' in blk_mq_sched_insert_requests
      blk-mq: refactor the code of issue request directly
      block: remove the bio_integrity_advance export
      ...

This definitely looks like a list corruption and a use-after-free, but the
first bad commit is the whole merge, so I am looking for ideas now from
the block folks.
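Since the first bad commit is the merge itself, the next step I can think
of (a sketch of standard git bisect usage, reusing the two parent SHAs
from the git show output above) would be to bisect along the merged branch
directly, taking the merge base of the two parents as the known-good
point:

$ # bad = tip of the merged for-4.21/block branch (second parent),
$ # good = the point where the two parents diverged
$ git bisect start cd19181 $(git merge-base 1a9430d cd19181)
$ # then build and test each step, marking good/bad as before

That would confine the search to the 351 commits brought in by
'for-4.21/block' instead of the whole v4.20..v5.0-rc1 range.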