Message-ID: <499f102afcb4b018428a8d7ecce685ec564fcd18.camel@kernel.org>
Subject: Re: [PATCH 1/1] NFSD: fix WARN_ON_ONCE in __queue_delayed_work
From: Jeff Layton
To: Mike Galbraith, dai.ngo@oracle.com, Chuck Lever III
Cc: Linux NFS Mailing List
Date: Wed, 11 Jan 2023 09:16:33 -0500
In-Reply-To: <69604dcf990ac19aa7c8d6b92d11c06fd1aae657.camel@kernel.org>
References: <1673333310-24837-1-git-send-email-dai.ngo@oracle.com>
	 <57dc06d57b4b643b4bf04daf28acca202c9f7a85.camel@kernel.org>
	 <71672c07-5e53-31e6-14b1-e067fd56df57@oracle.com>
	 <8C3345FB-6EDF-411A-B942-5AFA03A89BA2@oracle.com>
	 <5e34288720627d2a09ae53986780b2d293a54eea.camel@kernel.org>
	 <42876697-ba42-c38f-219d-f760b94e5fed@oracle.com>
	 <8e0cb925-9f73-720d-b402-a7204659ff7f@oracle.com>
	 <37c80eaf2f6d8a5d318e2b10e737a1c351b27427.camel@gmx.de>
	 <2067b4b4ce029ab5be982820b81241cd457ff475.camel@kernel.org>
	 <5f43a396afec99352bc1dd62a9119281e845c652.camel@kernel.org>
	 <69604dcf990ac19aa7c8d6b92d11c06fd1aae657.camel@kernel.org>

On Wed, 2023-01-11 at 09:01 -0500, Jeff Layton wrote:
> On Wed, 2023-01-11 at 07:33 -0500, Jeff Layton wrote:
> > On Wed, 2023-01-11 at 13:15 +0100, Mike Galbraith wrote:
> > > On Wed, 2023-01-11 at 12:19 +0100, Mike Galbraith wrote:
> > > > On Wed, 2023-01-11 at 05:55 -0500, Jeff Layton wrote:
> > > > > >
> > > > > >
> > > > > >
> > > > > > It might be interesting to turn up KASAN if you're able.
> > > >
> > > > I can try that.
> > >
> > > KASAN did not squeak.
> > >
> > > > > If you still have this vmcore, it might be interesting to do the pointer
> > > > > math and find the nfsd_net structure that contains the above
> > > > > delayed_work. Does the rest of it also seem to be corrupt?
> > >
> > > Virgin source with workqueue.c WARN_ON_ONCE() landmine.
> > >
> >
> > Thanks. Mixed bag here...
> >
> >
> > > crash> nfsd_net -x 0xFFFF8881114E9800
> > > struct nfsd_net {
> > >   cld_net = 0x0,
> > >   svc_expkey_cache = 0xffff8881420f8a00,
> > >   svc_export_cache = 0xffff8881420f8800,
> > >   idtoname_cache = 0xffff8881420f9a00,
> > >   nametoid_cache = 0xffff8881420f9c00,
> > >   nfsd4_manager = {
> > >     list = {
> > >       next = 0x0,
> > >       prev = 0x0
> > >     },
> > >     block_opens = 0x0
> > >   },
> > >   grace_ended = 0x0,
> >
> >
> > >   boot_time = 0x0,
> > >   nfsd_client_dir = 0x0,
> > >   reclaim_str_hashtbl = 0x0,
> > >   reclaim_str_hashtbl_size = 0x0,
> > >   conf_id_hashtbl = 0x0,
> > >   conf_name_tree = {
> > >     rb_node = 0x0
> > >   },
> > >   unconf_id_hashtbl = 0x0,
> > >   unconf_name_tree = {
> > >     rb_node = 0x0
> > >   },
> > >   sessionid_hashtbl = 0x0,
> > >   client_lru = {
> > >     next = 0x0,
> > >     prev = 0x0
> > >   },
> > >   close_lru = {
> > >     next = 0x0,
> > >     prev = 0x0
> > >   },
> > >   del_recall_lru = {
> > >     next = 0x0,
> > >     prev = 0x0
> > >   },
> > >   blocked_locks_lru = {
> > >     next = 0x0,
> > >     prev = 0x0
> > >   },
> >
> > All of the above list_heads are zeroed out and they shouldn't be.
> >
> > >   laundromat_work = {
> > >     work = {
> > >       data = {
> > >         counter = 0x0
> > >       },
> > >       entry = {
> > >         next = 0x0,
> > >         prev = 0x0
> > >       },
> > >       func = 0x0
> > >     },
> > >     timer = {
> > >       entry = {
> > >         next = 0x0,
> > >         pprev = 0x0
> > >       },
> > >       expires = 0x0,
> > >       function = 0x0,
> > >       flags = 0x0
> > >     },
> > >     wq = 0x0,
> > >     cpu = 0x0
> > >   },
> > >   client_lock = {
> > >     {
> > >       rlock = {
> > >         raw_lock = {
> > >           {
> > >             val = {
> > >               counter = 0x0
> > >             },
> > >             {
> > >               locked = 0x0,
> > >               pending = 0x0
> > >             },
> > >             {
> > >               locked_pending = 0x0,
> > >               tail = 0x0
> > >             }
> > >           }
> > >         }
> > >       }
> > >     }
> > >   },
> > >   blocked_locks_lock = {
> > >     {
> > >       rlock = {
> > >         raw_lock = {
> > >           {
> > >             val = {
> > >               counter = 0x0
> > >             },
> > >             {
> > >               locked = 0x0,
> > >               pending = 0x0
> > >             },
> > >             {
> > >               locked_pending = 0x0,
> > >               tail = 0x0
> > >             }
> > >           }
> > >         }
> > >       }
> > >     }
> > >   },
> > >   rec_file = 0x0,
> > >   in_grace = 0x0,
> > >   client_tracking_ops = 0x0,
> > >   nfsd4_lease = 0x5a,
> > >   nfsd4_grace = 0x5a,
> >
> > The grace and lease times look ok, oddly enough.
> >
> > >   somebody_reclaimed = 0x0,
> > >   track_reclaim_completes = 0x0,
> > >   nr_reclaim_complete = {
> > >     counter = 0x0
> > >   },
> > >   nfsd_net_up = 0x0,
> >
> > nfsd_net_up is false, which means that this server isn't running (or
> > that the memory here was scribbled over).
> >
> > >   lockd_up = 0x0,
> > >   writeverf_lock = {
> > >     seqcount = {
> > >       seqcount = {
> > >         sequence = 0x0
> > >       }
> > >     },
> > >     lock = {
> > >       {
> > >         rlock = {
> > >           raw_lock = {
> > >             {
> > >               val = {
> > >                 counter = 0x0
> > >               },
> > >               {
> > >                 locked = 0x0,
> > >                 pending = 0x0
> > >               },
> > >               {
> > >                 locked_pending = 0x0,
> > >                 tail = 0x0
> > >               }
> > >             }
> > >           }
> > >         }
> > >       }
> > >     }
> > >   },
> > >   writeverf = "\000\000\000\000\000\000\000",
> > >   max_connections = 0x0,
> > >   clientid_base = 0x37b4ca7b,
> > >   clientid_counter = 0x37b4ca7d,
> > >   clverifier_counter = 0xa8ee910d,
> > >   nfsd_serv = 0x0,
> > >   keep_active = 0x0,
> > >   s2s_cp_cl_id = 0x37b4ca7c,
> > >   s2s_cp_stateids = {
> > >     idr_rt = {
> > >       xa_lock = {
> > >         {
> > >           rlock = {
> > >             raw_lock = {
> > >               {
> > >                 val = {
> > >                   counter = 0x0
> > >                 },
> > >                 {
> > >                   locked = 0x0,
> > >                   pending = 0x0
> > >                 },
> > >                 {
> > >                   locked_pending = 0x0,
> > >                   tail = 0x0
> > >                 }
> > >               }
> > >             }
> > >           }
> > >         }
> > >       },
> > >       xa_flags = 0x0,
> > >       xa_head = 0x0
> > >     },
> > >     idr_base = 0x0,
> > >     idr_next = 0x0
> > >   },
> > >   s2s_cp_lock = {
> > >     {
> > >       rlock = {
> > >         raw_lock = {
> > >           {
> > >             val = {
> > >               counter = 0x0
> > >             },
> > >             {
> > >               locked = 0x0,
> > >               pending = 0x0
> > >             },
> > >             {
> > >               locked_pending = 0x0,
> > >               tail = 0x0
> > >             }
> > >           }
> > >         }
> > >       }
> > >     }
> > >   },
> > >   nfsd_versions = 0x0,
> > >   nfsd4_minorversions = 0x0,
> > >   drc_hashtbl = 0xffff88810a2f0000,
> > >   max_drc_entries = 0x14740,
> > >   maskbits = 0xb,
> > >   drc_hashsize = 0x800,
> > >   num_drc_entries = {
> > >     counter = 0x0
> > >   },
> > >   counter = {{
> > >     lock = {
> > >       raw_lock = {
> > >         {
> > >           val = {
> > >             counter = 0x0
> > >           },
> > >           {
> > >             locked = 0x0,
> > >             pending = 0x0
> > >           },
> > >           {
> > >             locked_pending = 0x0,
> > >             tail = 0x0
> > >           }
> > >         }
> > >       }
> > >     },
> > >     count = 0x0,
> > >     list = {
> > >       next = 0xffff888103f98dd0,
> > >       prev = 0xffff8881114e9a18
> > >     },
> > >     counters = 0x607dc8402e10
> > >   }, {
> > >     lock = {
> > >       raw_lock = {
> > >         {
> > >           val = {
> > >             counter = 0x0
> > >           },
> > >           {
> > >             locked = 0x0,
> > >             pending = 0x0
> > >           },
> > >           {
> > >             locked_pending = 0x0,
> > >             tail = 0x0
> > >           }
> > >         }
> > >       }
> > >     },
> > >     count = 0x0,
> > >     list = {
> > >       next = 0xffff8881114e99f0,
> > >       prev = 0xffff88810b5743e0
> > >     },
> > >     counters = 0x607dc8402e14
> > >   }},
> > >   longest_chain = 0x0,
> > >   longest_chain_cachesize = 0x0,
> > >   nfsd_reply_cache_shrinker = {
> > >     count_objects = 0xffffffffa0e4e9b0 ,
> > >     scan_objects = 0xffffffffa0e4f020 ,
> >
> > Shrinker pointers look ok, as does its list_head.
>
> I think I might see what's going on here:
>
> This struct is consistent with an nfsd_net structure that was allocated
> and had its ->init routine run on it, but that has not had nfsd started
> in its namespace.
>
> pernet structs are kzalloc'ed. The shrinker registrations and the
> lease/grace times are set just after allocation in the ->init routine.
> The rest of the fields are not set until nfsd is started (specifically
> when /proc/fs/nfsd/threads is written to).
>
> My guess is that Mike is doing some activity that creates new net
> namespaces, and then once we start getting into OOM conditions the
> shrinker ends up hitting uninitialized fields in the nfsd_net and
> kaboom.
>
> I haven't yet looked to see when this bug was introduced, but the right
> fix is probably to ensure that everything important for this job is
> initialized after the pernet ->init operation runs.

It might even be best to just move the shrinker registrations to occur
when nfsd is started rather than doing it at nfsd_net initialization
time. Obviously, if nfsd isn't running, then it'll have nothing to free,
and it's a waste of time to register the shrinker at all.
-- 
Jeff Layton
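
Just to sketch what I mean -- this is untested, and the function and
field names below (nfsd_startup_net / nfsd_shutdown_net,
nfsd_client_shrinker, the register_shrinker() arguments) are from
memory and only approximate the current tree:

/* Abbreviated includes for the sketch; a real patch would sit in fs/nfsd/. */
#include <net/net_namespace.h>
#include <net/netns/generic.h>		/* net_generic() */
#include "netns.h"			/* struct nfsd_net, nfsd_net_id */

/*
 * Sketch only: register the client shrinker when nfsd is actually
 * started in the namespace, and unregister it again on shutdown,
 * instead of doing it from the pernet ->init/->exit routines.
 */
static int nfsd_startup_net(struct net *net, const struct cred *cred)
{
	struct nfsd_net *nn = net_generic(net, nfsd_net_id);
	int ret;

	/* ... existing startup: exports, lockd, nfsv4 state, etc. ... */

	/*
	 * Only register the shrinker once the list_heads and locks it
	 * walks have been set up, so an OOM-time callback can't trip
	 * over a zeroed-out nfsd_net.
	 */
	ret = register_shrinker(&nn->nfsd_client_shrinker, "nfsd-client");
	if (ret)
		return ret;	/* a real patch would unwind the steps above */

	nn->nfsd_net_up = true;
	return 0;
}

static void nfsd_shutdown_net(struct net *net)
{
	struct nfsd_net *nn = net_generic(net, nfsd_net_id);

	/* Tear the shrinker down before the structures it scans go away. */
	unregister_shrinker(&nn->nfsd_client_shrinker);

	nn->nfsd_net_up = false;
	/* ... existing shutdown ... */
}

Registered that late, the shrinker can never observe a half-initialized
nfsd_net, and namespaces that never start nfsd never carry a registered
shrinker at all.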