Date: Tue, 8 Nov 2016 09:59:13 -0500
From: Dave Jones
To: Chris Mason, Linus Torvalds, Jens Axboe, Andy Lutomirski, Andy Lutomirski, Al Viro, Josef Bacik, David Sterba, linux-btrfs, Linux Kernel, Dave Chinner
Subject: Re: btrfs btree_ctree_super fault
Message-ID: <20161108145912.fcjvwxcpqgd7kjei@codemonkey.org.uk>

On Sun, Nov 06, 2016 at 11:55:39AM -0500, Dave Jones wrote:
>
>
> On Mon, Oct 31, 2016 at 01:44:55PM -0600, Chris Mason wrote:
> > On Mon, Oct 31, 2016 at 12:35:16PM -0700, Linus Torvalds wrote:
> > >On Mon, Oct 31, 2016 at 11:55 AM, Dave Jones wrote:
> > >>
> > >> BUG: Bad page state in process kworker/u8:12 pfn:4e0e39
> > >> page:ffffea0013838e40 count:0 mapcount:0 mapping:ffff8804a20310e0 index:0x100c
> > >> flags: 0x400000000000000c(referenced|uptodate)
> > >> page dumped because: non-NULL mapping
> > >
> > >Hmm. So this seems to be btrfs-specific, right?
> > >
> > >I searched for all your "non-NULL mapping" cases, and they all seem to
> > >have basically the same call trace, with some work thread doing
> > >writeback and going through btrfs_writepages().
> > >
> > >Sounds like it's a race with either fallocate hole-punching or
> > >truncate. I'm not seeing it, but I suspect it's btrfs, since DaveJ
> > >clearly ran other filesystems too but I am not seeing this backtrace
> > >for anything else.
> >
> > Agreed, I think this is a separate bug, almost certainly btrfs specific.
> > I'll work with Dave on a better reproducer.
>
> Still refining my 'capture ftrace when trinity detects taint' feature,
> but in the meantime, here's a variant I don't think we've seen before:

And another new one:

kernel BUG at fs/btrfs/ctree.c:3172!
invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
CPU: 0 PID: 22702 Comm: trinity-c40 Not tainted 4.9.0-rc4-think+ #1
task: ffff8804ffde37c0 task.stack: ffffc90002188000
RIP: 0010:[] [] btrfs_set_item_key_safe+0x179/0x190 [btrfs]
RSP: 0000:ffffc9000218b8a8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8804fddcf348 RCX: 0000000000001000
RDX: 0000000000000000 RSI: ffffc9000218b9ce RDI: ffffc9000218b8c7
RBP: ffffc9000218b908 R08: 0000000000004000 R09: ffffc9000218b8c8
R10: 0000000000000000 R11: 0000000000000001 R12: ffffc9000218b8b6
R13: ffffc9000218b9ce R14: 0000000000000001 R15: ffff880480684a88
FS: 00007f7c7f998b40(0000) GS:ffff880507800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000044f15f000 CR4: 00000000001406f0
DR0: 00007f4ce439d000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Stack:
 ffff880501430000 d305ffffa00a2245 006c000000000002 0500000000000010
 6c000000000002d3 0000000000001000 000000006427eebb ffff880480684a88
 0000000000000000 ffff8804fddcf348 0000000000002000 0000000000000000
Call Trace:
 [] __btrfs_drop_extents+0xb00/0xe30 [btrfs]
 [] ? function_trace_call+0x13c/0x190
 [] ? __btrfs_drop_extents+0x5/0xe30 [btrfs]
 [] ? do_raw_write_lock+0xb0/0xc0
 [] btrfs_log_changed_extents+0x35d/0x630 [btrfs]
 [] ? release_extent_buffer+0xa4/0x110 [btrfs]
 [] ? btrfs_log_changed_extents+0x5/0x630 [btrfs]
 [] btrfs_log_inode+0xb05/0x11d0 [btrfs]
 [] ? trace_function+0x6c/0x80
 [] ? log_directory_changes+0xc0/0xc0 [btrfs]
 [] ? btrfs_log_inode_parent+0x240/0x940 [btrfs]
 [] ? function_trace_call+0x13c/0x190
 [] btrfs_log_inode_parent+0x240/0x940 [btrfs]
 [] ? btrfs_log_inode_parent+0x5/0x940 [btrfs]
 [] ? dget_parent+0x71/0x150
 [] btrfs_log_dentry_safe+0x62/0x80 [btrfs]
 [] btrfs_sync_file+0x344/0x4d0 [btrfs]
 [] vfs_fsync_range+0x4b/0xb0
 [] ? __fget_light+0x5/0x60
 [] do_fsync+0x3d/0x70
 [] ? do_fsync+0x5/0x70
 [] SyS_fdatasync+0x13/0x20
 [] do_syscall_64+0x61/0x170
 [] entry_SYSCALL64_slow_path+0x25/0x25
Code: 48 8b 45 b7 48 8d 7d bf 4c 89 ee 48 89 45 c8 0f b6 45 b6 88 45 c7 48 8b 45 ae 48 89 45 bf e8 af f2 ff ff 85 c0 0f 8f 43 ff ff ff <0f> 0b 0f 0b e8 ee f3 02 e1 0f 1f 40 00 66 2e 0f 1f 84 00 00 00

Unfortunately, because this was a BUG_ON, it locked up the box so it didn't save
any additional debug info. Tempted to see if making BUG_ON a no-op will at
least let it live long enough to save the ftrace buffer.

Given this seems to be mutating every time I see something go wrong, I'm
wondering if this is fallout from memory corruption again.

	Dave