From: Vivek Goyal <vgoyal@redhat.com>
To: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Cc: Jens Axboe <jaxboe@fusionio.com>, Paul Bolle <pebolle@tiscali.nl>,
linux kernel mailing list <linux-kernel@vger.kernel.org>
Subject: Re: Mysterious CFQ crash and RCU
Date: Mon, 23 May 2011 11:21:41 -0400 [thread overview]
Message-ID: <20110523152141.GB4019@redhat.com> (raw)
In-Reply-To: <20110521210013.GJ2271@linux.vnet.ibm.com>
On Sat, May 21, 2011 at 02:00:13PM -0700, Paul E. McKenney wrote:
[..]
> > In summary once in a while people notice CFQ crash. Debugging shows that
> > we have a rcu protected hlist of elements of type cfq_io_context. Head of
> > the list is at ioc->cic_list. We crash while traversing ioc->cic_list
> > under rcu.
> >
> > Looks like an element which we are trying to fetch the next pointer from got
> > freed to slab, and the object got poisoned with 0x6b6b6b6b.. and then we
> > tried to fetch the next object pointer and ended up dereferencing a
> > freed object and CFQ crashes.
> >
> > The function in question here is call_for_each_cic() in block/cfq-iosched.c
> >
> > We free the cfq_io_context object using call_rcu(). So on the surface
> > it looks like that we decoupled a cfq_io_context object from the hash
> > list and scheduled a call_rcu() so that it is freed after rcu grace
> > period but somehow object got freed earlier and got released to slab
> > and got poisoned.
> >
> > Is it possible? We have looked at the code many a times and we think
> > that rcu locking around it is fine. Is it possible that a call_rcu()
> > can fire before rcu grace period is over.
>
> If it does, that would be a bug in RCU.
>
> > I had put a debug patch in CFQ (details are in bugzilla) and I can
> > see that after decoupling the object from the hash list, it got
> > freed while we were still under rcu_read_lock().
> >
> > Is there any known issue or is there any quick tip on how can I
> > go about debugging it further from rcu point of view.
>
Thanks for the response paul.
> First for uses of RCU:
>
> o One thing to try would be CONFIG_PROVE_RCU, which could help
> find missing rcu_read_lock()s and similar. Some years back, it
> used to be the case that spin_lock() implied rcu_read_lock(),
> but it no longer does. There might still be some cases where
> spin_lock() needs to have an rcu_read_lock() added.
>
I believe that PaulB already had CONFIG_PROVE_RCU=y for his kernels. I
also built a kernel CONFIG_PROVE_RCU=y and no warning popped up. In
fact it looks like (comment 113 in bz 577968) that with 2.6.39 if PaulB
takes fedora kernel release config andn enabled CONFIG_PROVE_RCU=y, he
can reproduce the problem.
I am wondering if CONFIG_PROVE_RCU has some side affects.
> o There are a few entries in the bugzilla mentioning that elements
> are being removed more often than expected. There is a config
> option CONFIG_DEBUG_OBJECTS_RCU_HEAD that complains if the same
> object is passed to call_rcu() before the grace period ends for
> the first round.
I noticed that CONFIG_DEBUG_OBJECTS_RCU_HEAD gets enabled only if
PREEMPT is enabled. In Paul's fedora config preemption is not enabled
and I see following.
# CONFIG_PREEMPT_NONE is not set
CONFIG_PREEMPT_VOLUNTARY=y
# CONFIG_PREEMPT is not set
So are you suggesting that we should explicitly enable preemption
and set CONFIG_PREEMPT=y and CONFIG_DEBUG_OBJECTS_RCU_HEAD=y and try
to reproduce the problem again?
>
> o Try switching between CONFIG_TREE_RCU and CONFIG_TREE_PREEMPT_RCU.
> These two settings are each sensitive to different forms of abuse.
> For example, if you have CONFIG_PREEMPT=n and CONFIG_TREE_RCU=y,
> illegally placing a synchronize_rcu() -- or anything else that
> blocks -- in an RCU read-side critical section will silently
> partition that RCU read-side critical section. In contrast,
> CONFIG_TREE_PREEMPT_RCU=y will complain about this.
Again CONFIG_TREE_PREEMPT_RCU is available only if PREEMPT=y. So should
we enable preemtion and CONFIG_TREE_PREEMPT_RCU=y and try to reproduce
the issue?
>
> Second, for RCU itself, CONFIG_RCU_TRACE enables counter-based tracing
> in RCU. Sampling each of the files in the debugfs directory "rcu"
> before and after the badness (if possible) could help me see if anything
> untoward is happening.
This sounds doable. So you don't want periodic polling of these rcu
files? I am assuming that this reading of rcu files is happening in
user space. How do I do polling at specific events (before and after
badness). Any suggestions ?
After badness we try to capture the crash dump. So hopefully appropriate
files we should be able to read from crash dump. So the key quesiton
would be what's the easiest way to let a user space process poll these
files before badness and display on console.
Thanks
Vivek
next prev parent reply other threads:[~2011-05-23 15:21 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-19 22:24 Mysterious CFQ crash and RCU Vivek Goyal
2011-05-21 21:00 ` Paul E. McKenney
2011-05-21 22:23 ` Paul Bolle
2011-05-21 23:54 ` Paul E. McKenney
2011-05-22 19:30 ` Paul Bolle
2011-05-22 20:13 ` Paul E. McKenney
2011-05-23 15:21 ` Vivek Goyal [this message]
2011-05-23 15:38 ` Paul E. McKenney
2011-05-23 22:20 ` Paul Bolle
2011-05-24 4:14 ` Paul E. McKenney
2011-05-24 9:41 ` Jens Axboe
2011-05-24 14:35 ` Paul E. McKenney
2011-05-24 14:51 ` Jens Axboe
2011-05-24 15:42 ` Paul E. McKenney
2011-05-24 15:51 ` Paul E. McKenney
2011-05-25 8:28 ` Paul Bolle
2011-05-25 8:46 ` Jens Axboe
2011-05-25 9:13 ` Paul Bolle
2011-05-25 9:30 ` Jens Axboe
2011-05-25 9:40 ` Paul Bolle
2011-05-25 12:48 ` Paul Bolle
2011-05-25 12:51 ` Jens Axboe
2011-05-25 17:28 ` Paul Bolle
2011-05-25 18:59 ` Jens Axboe
2011-05-25 10:17 ` Paul Bolle
2011-05-25 15:33 ` Paul E. McKenney
2011-05-25 17:44 ` Paul Bolle
2011-05-25 20:40 ` Paul E. McKenney
2011-05-26 9:15 ` Paul Bolle
2011-06-03 5:07 ` Paul E. McKenney
2011-06-03 13:45 ` Vivek Goyal
2011-06-03 15:33 ` Paul E. McKenney
2011-06-03 16:54 ` Paul E. McKenney
2011-06-04 12:22 ` Paul Bolle
2011-06-04 12:50 ` Paul Bolle
2011-06-04 16:03 ` Paul E. McKenney
2011-06-04 22:48 ` Paul Bolle
2011-06-04 23:06 ` Paul E. McKenney
2011-08-04 15:05 ` Vivek Goyal
2011-08-04 19:43 ` Jens Axboe
2011-08-04 19:51 ` Vivek Goyal
2011-06-05 6:56 ` Jens Axboe
2011-06-05 8:39 ` Paul Bolle
2011-06-05 10:38 ` Paul Bolle
2011-06-05 22:51 ` Jens Axboe
2011-06-06 14:28 ` Vivek Goyal
2011-05-23 15:36 ` Vivek Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110523152141.GB4019@redhat.com \
--to=vgoyal@redhat.com \
--cc=jaxboe@fusionio.com \
--cc=linux-kernel@vger.kernel.org \
--cc=paulmck@linux.vnet.ibm.com \
--cc=pebolle@tiscali.nl \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).