[Bugs] [Bug 1456385] glusterfs client crash on io-cache.so(__ioc_page_wakeup+0x44 )

Mon May 29 10:09:42 UTC 2017

https://bugzilla.redhat.com/show_bug.cgi?id=1456385

--- Comment #1 from Nithya Balachandran <nbalacha at redhat.com> ---
Core was generated by `/usr/sbin/glusterfs
--volfile-server=redhatstorage.web.skynas.local --volfile-i'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f45e525e5b4 in __ioc_page_wakeup (page=0x7f43246e1500,
page at entry=0x7f45f17d0d64, op_errno=0) at page.c:960
960            gf_msg_trace (page->inode->table->xl->name, 0,
Missing separate debuginfos, use: debuginfo-install libgcc-4.8.5-4.el7.x86_64
(gdb) bt
#0  0x00007f45e525e5b4 in __ioc_page_wakeup (page=0x7f43246e1500,
page at entry=0x7f45f17d0d64, op_errno=0) at page.c:960
#1  0x00007f45e525ffa4 in ioc_inode_wakeup (frame=0x7f45e00396c8,
frame at entry=0x7f45f17d0d64, ioc_inode=ioc_inode at entry=0x7f45e0e62160, 
    stbuf=stbuf at entry=0x7f45e69cca10) at ioc-inode.c:119
#2  0x00007f45e5257b2b in ioc_cache_validate_cbk (frame=0x7f45f17d0d64,
cookie=<optimized out>, this=<optimized out>, op_ret=0, 
    op_errno=<optimized out>, stbuf=<optimized out>, xdata=0x0) at
io-cache.c:402
#3  0x00007f45e566edfa in ra_attr_cbk (frame=0x7f45f17e22e0, cookie=<optimized
out>, this=<optimized out>, op_ret=0, op_errno=0, buf=0x7f45e69cca10, 
    xdata=0x0) at read-ahead.c:721
#4  0x00007f45f3c47ada in default_fstat_cbk (frame=0x7f45f17b7188,
cookie=<optimized out>, this=<optimized out>, op_ret=0, op_errno=0, 
    buf=0x7f45e69cca10, xdata=0x0) at defaults.c:1053
#5  0x00007f45e5aea505 in dht_file_attr_cbk (frame=0x7f45f17ba090,
cookie=<optimized out>, this=<optimized out>, op_ret=<optimized out>, 
    op_errno=<optimized out>, stbuf=<optimized out>, xdata=0x0) at
dht-inode-read.c:214
#6  0x00007f45e5d27de1 in afr_fstat_cbk (frame=0x7f45f17562d8,
cookie=<optimized out>, this=<optimized out>, op_ret=0, op_errno=0,
buf=0x7f45e69cca10, 
    xdata=0x0) at afr-inode-read.c:291
#7  0x00007f45e5fa7f8e in client3_3_fstat_cbk (req=<optimized out>,
iov=<optimized out>, count=<optimized out>, myframe=0x7f45f17e1c28)
    at client-rpc-fops.c:1574
#8  0x00007f45f3a0c990 in rpc_clnt_handle_reply
(clnt=clnt at entry=0x7f45e03547c0, pollin=pollin at entry=0x7f45e1033480) at
rpc-clnt.c:764
#9  0x00007f45f3a0cc4f in rpc_clnt_notify (trans=<optimized out>,
mydata=0x7f45e03547f0, event=<optimized out>, data=0x7f45e1033480) at
rpc-clnt.c:905
#10 0x00007f45f3a08793 in rpc_transport_notify (this=<optimized out>,
event=<optimized out>, data=<optimized out>) at rpc-transport.c:546
#11 0x00007f45e86a19b4 in socket_event_poll_in (this=0x7f45e0364440) at
socket.c:2355
#12 0x00007f45e86a45f4 in socket_event_handler (fd=<optimized out>, idx=8,
data=0x7f45e0364440, poll_in=1, poll_out=0, poll_err=0) at socket.c:2469
#13 0x00007f45f3cacc0a in event_dispatch_epoll_handler (event=0x7f45e69cce80,
event_pool=0x7f45f507c350) at event-epoll.c:570
#14 event_dispatch_epoll_worker (data=0x7f45f50d2ff0) at event-epoll.c:678
#15 0x00007f45f2aa6dc5 in start_thread (arg=0x7f45e69cd700) at
pthread_create.c:308
#16 0x00007f45f23ebced in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:113
(gdb) p *page
$1 = {page_lru = {next = 0xbabebabe, prev = 0xcafecafe}, inode = 0x0, priority
= 0x0, dirty = 0 '\000', ready = 1 '\001', vector = 0x0, count = 1, 
  offset = 356384768, size = 131072, waitq = 0x0, iobref = 0x7f45d235fe40,
page_lock = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, 
      __kind = -1, __spins = 0, __list = {__prev = 0x0, __next = 0x0}}, 
    __size = '\000' <repeats 16 times>, "\377\377\377\377", '\000' <repeats 19
times>, __align = 0}, op_errno = 0, stale = 1 '\001'}

This segfaults in gf_msg_trace :

(gdb) p *page->inode
Cannot access memory at address 0x0

(gdb) f 1
#1  0x00007f45e525ffa4 in ioc_inode_wakeup (frame=0x7f45e00396c8,
frame at entry=0x7f45f17d0d64, ioc_inode=ioc_inode at entry=0x7f45e0e62160, 
    stbuf=stbuf at entry=0x7f45e69cca10) at ioc-inode.c:119
119                                            page_waitq =
(gdb) l
114                    if (waiter_page) {
115                            if (cache_still_valid) {
116                                    /* cache valid, wake up page */
117                                    ioc_inode_lock (ioc_inode);
118                                    {
119                                            page_waitq =
120                                                    __ioc_page_wakeup
(waiter_page,
121                                                                      
waiter_page->op_errno);
122                                    }
123                                    ioc_inode_unlock (ioc_inode);
(gdb) p waiter_page
$2 = (ioc_page_t *) 0x7f45f17d0d64
(gdb) p *waiter_page
$3 = {page_lru = {next = 0x7f45f15a95ec, prev = 0x0}, inode = 0x7f45f15a9c54,
priority = 0x7f45f17e22f0, dirty = -56 '\310', ready = -106 '\226', 
  vector = 0x7f45e0029c20, count = 0, offset = 4294967296, size = 0, waitq =
0x0, iobref = 0x0, page_lock = {__data = {__lock = 0, __count = 0, 
      __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __list = {__prev =
0x0, __next = 0x0}}, __size = '\000' <repeats 39 times>, __align = 0}, 
  op_errno = 0, stale = 0 '\000'}

(gdb) f 0
(gdb) p page->inode
$49 = (struct ioc_inode *) 0x0

(gdb) p page->inode
$49 = (struct ioc_inode *) 0x0
(gdb) p waitq
$50 = (ioc_waitq_t *) 0x0

No symbol "inode" in current context.
(gdb) l
955            waitq = page->waitq;
956            page->waitq = NULL;
957    
958            page->ready = 1;
959    
960            gf_msg_trace (page->inode->table->xl->name, 0,
961                          "page is %p && waitq = %p", page, waitq);
962    
963            for (trav = waitq; trav; trav = trav->next) {
964                    frame = trav->data;
(gdb) p page
$51 = (ioc_page_t *) 0x7f43246e1500

(gdb) p *page
$52 = {page_lru = {next = 0xbabebabe, prev = 0xcafecafe}, inode = 0x0, priority
= 0x0, 
  dirty = 0 '\000', ready = 1 '\001', vector = 0x0, count = 1, offset =
356384768, size = 131072, 
  waitq = 0x0, iobref = 0x7f45d235fe40, page_lock = {__data = {__lock = 0,
__count = 0, 
      __owner = 0, __nusers = 0, __kind = -1, __spins = 0, __list = {__prev =
0x0, __next = 0x0}}, 
    __size = '\000' <repeats 16 times>, "\377\377\377\377", '\000' <repeats 19
times>, 
    __align = 0}, op_errno = 0, stale = 1 '\001'}

This page has already been freed.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.