Bug #56249: crash: int Client::_do_remount(bool): abort - CephFS - Ceph

Actions

Copy link

Bug #56249

closed

crash: int Client::_do_remount(bool): abort

Added by Telemetry Bot almost 2 years ago. Updated about 1 year ago.

Status:

Resolved

Priority:

Normal

Assignee:

Xiubo Li

Category:

Target version:

Ceph - v18.0.0

% Done:

Source:

Telemetry

Tags:

backport_processed

Backport:

quincy,pacific

Regression:

Severity:

3 - minor

Reviewed:

Affected Versions:

Ceph - v17.1.0

ceph-qa-suite:

Component(FS):

Client

Labels (FS):

Pull request ID:

47620

Crash signature (v1):

97e13040c15aa2bae337c24391bb31795b267fb6425c39aea3bd1efddf065920

Crash signature (v2):

e023ce46f46b39b4a3c88a317c424d5472918b3a3be586dd320a767e159b2d8a

Description

http://telemetry.front.sepia.ceph.com:4000/d/jByk5HaMz/crash-spec-x-ray?orgId=1&var-sig_v2=e023ce46f46b39b4a3c88a317c424d5472918b3a3be586dd320a767e159b2d8a

Assert condition: abort
Assert function: int Client::_do_remount(bool)

Sanitized backtrace:

    pthread_kill()
    raise()
    Client::_do_remount(bool)
    Context::complete(int)
    Finisher::finisher_thread_entry()

Crash dump sample:

{
    "assert_condition": "abort",
    "assert_file": "client/Client.cc",
    "assert_func": "int Client::_do_remount(bool)",
    "assert_line": 4428,
    "assert_msg": "client/Client.cc: In function 'int Client::_do_remount(bool)' thread 7fb2027fc640 time 2022-04-23T13:37:17.465777-0400\nclient/Client.cc: 4428: ceph_abort_msg(\"abort() called\")",
    "assert_thread_name": "fn_anonymous",
    "backtrace": [
        "/lib/x86_64-linux-gnu/libc.so.6(+0x42520) [0x7fb216cb0520]",
        "pthread_kill()",
        "raise()",
        "abort()",
        "(ceph::__ceph_abort(char const*, int, char const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)+0x190) [0x7fb217422a6e]",
        "(Client::_do_remount(bool)+0x2fa) [0x555eec2a7b9a]",
        "(Context::complete(int)+0xd) [0x555eec311dbd]",
        "(Finisher::finisher_thread_entry()+0x175) [0x7fb2174bacb5]",
        "/lib/x86_64-linux-gnu/libc.so.6(+0x94b43) [0x7fb216d02b43]",
        "/lib/x86_64-linux-gnu/libc.so.6(+0x126a00) [0x7fb216d94a00]" 
    ],
    "ceph_version": "17.1.0",
    "crash_id": "2022-04-23T17:37:17.499177Z_94ef73b0-10d3-4ccc-8763-5785eb804805",
    "entity_name": "client.590b341930fefd001f0579e71f44665ac78a651f",
    "os_id": "22.04",
    "os_name": "Ubuntu Jammy Jellyfish (development branch)",
    "os_version": "22.04 (Jammy Jellyfish)",
    "os_version_id": "22.04",
    "process_name": "ceph-fuse",
    "stack_sig": "97e13040c15aa2bae337c24391bb31795b267fb6425c39aea3bd1efddf065920",
    "timestamp": "2022-04-23T17:37:17.499177Z",
    "utsname_machine": "x86_64",
    "utsname_release": "5.15.0-17-generic",
    "utsname_sysname": "Linux",
    "utsname_version": "#17-Ubuntu SMP Thu Jan 13 16:27:23 UTC 2022" 
}

Related issues 2 (0 open — 2 closed)

Actions

Copy link

Updated by Telemetry Bot almost 2 years ago

Crash signature (v1) updated (diff)
Crash signature (v2) updated (diff)
Affected Versions v17.1.0 added

Actions

Copy link

Updated by Xiubo Li almost 2 years ago

Should be fixed by https://tracker.ceph.com/issues/54049.

Actions

Copy link

Updated by Venky Shankar over 1 year ago

Xiubo Li wrote:

Should be fixed by https://tracker.ceph.com/issues/54049.

Looks the same. However, I'm not sure if the client used to crash with the bracktrace as in this tracker.

Actions

Copy link

Updated by Xiubo Li over 1 year ago

Venky,

Please check this one https://tracker.ceph.com/issues/56532. It should be the same bug with this one.

Actions

Copy link

Updated by Xiubo Li over 1 year ago

This only exist in the v17.1.0 and the logic has been changed after [1]²³ below. When trying remount to invalidate the kernel dcache, it may fail dues to the mount is still busy. After v17.1.0 it will be allowed to retry it at most of mds_max_retries_on_remount_failure time instead of crash the client in _do_remout() directly.

[1] https://tracker.ceph.com/issues/27657
[2] https://tracker.ceph.com/issues/54049
[2] https://tracker.ceph.com/issues/56532

This could be closed directly.

Actions

Copy link

Updated by Xiubo Li over 1 year ago

Xiubo Li wrote:

This only exist in the v17.1.0 and the logic has been changed after [1]²³ below. When trying remount to invalidate the kernel dcache, it may fail dues to the mount is still busy. After v17.1.0 it will be allowed to retry it at most of mds_max_retries_on_remount_failure time instead of crash the client in _do_remout() directly.

[1] https://tracker.ceph.com/issues/27657
[2] https://tracker.ceph.com/issues/54049
[2] https://tracker.ceph.com/issues/56532

This could be closed directly.

I might be wrong, actually the [2] introduced one bug, that is when the remount failed for more than mds_max_retries_on_remount_failure time we should abort the client to avoid the client cannot do invalidate the dentry cache and then the MDS cache cannot shrink which can cause the MDS to fail.

Actions

Copy link

Updated by Xiubo Li over 1 year ago

Went through the kernel code I couldn't find any case in our case could cause the failure.

And from https://tracker.ceph.com/issues/56532#note-1:

$ grep 'to trim kernel dentries' client.* -rn
client.0.774355.log:98:2022-07-14T14:24:03.984+0530 7fbbd5ffb640 -1 client.4495 failed to remount (to trim kernel dentries): return code = 1
client.0.792060.log:137:2022-07-14T14:34:49.030+0530 7f46017fa640 -1 client.10512 failed to remount (to trim kernel dentries): return code = 32
client.0.793575.log:137:2022-07-14T14:35:32.033+0530 7f779aff5640 -1 client.10990 failed to remount (to trim kernel dentries): return code = 32
client.0.795072.log:137:2022-07-14T14:36:15.771+0530 7f899e7fc640 -1 client.11499 failed to remount (to trim kernel dentries): return code = 32
client.1.774461.log:98:2022-07-14T14:24:05.570+0530 7f766bfff640 -1 client.4505 failed to remount (to trim kernel dentries): return code = 1

The return code 1 is:

1      incorrect invocation or permissions

And from util-linux, the 1 is util-linux, just suppose we may passed invalidate options. And then went through the client/Client.cc and ceph_fuse.cc code more carefully, found that it's possible we may do use-after-free for the mountpoint:

1254 static int remount_cb(void *handle)
1255 { 
1256   // used for trimming kernel dcache. when remounting a file system, linux kernel
1257   // trims all unused dentries in the file system
1258   char cmd[128+PATH_MAX];
1259   CephFuse::Handle *cfuse = (CephFuse::Handle *)handle;
1260   snprintf(cmd, sizeof(cmd), "LIBMOUNT_FSTAB=/dev/null mount -i -o remount %s",                                                                   
1261 #if FUSE_VERSION >= FUSE_MAKE_VERSION(3, 0)
1262                   cfuse->opts.mountpoint);
1263 #else
1264                   cfuse->mountpoint);
1265 #endif
1266   int r = system(cmd);
1267   if (r != 0 && r != -1) {    
1268     r = WEXITSTATUS(r);
1269   }
1270   
1271   return r;
1272 } 
1273

Because in ceph_fuse.cc it will do client->unmount() and then do cfuse->finalize(), which will free the mountpoint and then call client->shutdown(), which will stop the remount_finisher queue.

 92 int main(int argc, const char **argv, const char *envp[]) {

...
333   out_client_unmount:
334     client->unmount();                                                                                                                             
335     cfuse->finalize();
336   out_shutdown:
337     icp.stop();
338     client->shutdown();
339   out_init_failed:
...
}

The remount_finisher queue is a queue will run the remount_cb().

That means after the mountpoint freed the remount_finisher maybe not empty.

Actions

Copy link