Kernel panics on pool import

[aliblong]

System information

Type	Version/Name
Distribution Name	TrueNAS
Distribution Version	12.0
Kernel Version	(will check after I finish a system operation)
Architecture	amd64
OpenZFS Version	2.0 (zfs-2.0.7-1)

Describe the problem you're observing

Kernel panic on import pool. Unable to recover by rolling back to a previous transaction.

Describe how to reproduce the problem

Boot my machine -> import pool -> kernel panic -> boot loop

Include any warning/errors/backtraces from the system logs

(transcribed from my display)

panic: VERIFY3(size <= SPA_MAXBLOCKSIZE) failed (20855296 <= 16777216)

cpuid = 2
time = 1643981209
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0096bd7b20
vpanic() at vpanic+0x17b/frame 0xfffffe0096bd7b70
spl_panic() at spl_panic+0x3a/frame 0xfffffe0096bd7bd0
abd_alloc() at abd_alloc+0xdf/frame 0xfffffe0096bd7c00
arc_hdr_alloc_abd() at arc_hdr_alloc_abd+0xb7/frame 0xfffffe0096bd7c30
arc_hdr_alloc() at arc_hdr_alloc+0x12/frame 0xfffffe0096bd7c80
arc_read() at arc_read+0x463/frame 0xfffffe0096bd7d40
traverse_prefetch_metadata() at traverse_prefetch_metadata+0x12c/frame 0xfffffe0096bd7d80
traverse_visitbp() at traverse_visitbp+0xb1d/frame 0xfffffe0096bd7e40
traverse_visitbp() at traverse_visitbp+0x45c/frame 0xfffffe0096bd7f00
traverse_visitbp() at traverse_visitbp+0x45c/frame 0xfffffe0096bd7fc0
traverse_visitbp() at traverse_visitbp+0x45c/frame 0xfffffe0096bd8080
traverse_visitbp() at traverse_visitbp+0x45c/frame 0xfffffe0096bd8140
traverse_visitbp() at traverse_visitbp+0x45c/frame 0xfffffe0096bd8200
traverse_dnode() at traverse_visitbp+0xe2/frame 0xfffffe0096bd8270
traverse_visitbp() at traverse_visitbp+0x7f0/frame 0xfffffe0096bd8330
traverse_impl() at traverse_impl+0x343/frame 0xfffffe0096bd83b0
traverse_pool() at traverse_pool+0x14f/frame 0xfffffe0096bd8470
spa_load() at spa_load+0x15c9/frame 0xfffffe0096bd85d0
spa_load_best() at spa_load_best+0x65/frame 0xfffffe0096bd8620
spa_import() at spa_import+0x2c3/frame 0xfffffe0096bd86d0
zfs_loc_pool_limport() at zfs_loc_pool_import+8xbBlframe 0xfffffe0096bd8710
zfsdev_ioctl_common() at zfsdev_ioctl_common+0x480/frame 0xfffffe0096bd87b0
zfsdev_ioctl() at zfsdev_ioctl+0x148/frame 0xfffffe0096bd87e0
devfs_ioctl() at devfs_ioctl+0xb0/frame 0xfffffe0096bd8830
VOP_lOCTL_APV() at VOP_lOCTL_APV+0x7b/frame  0xfffffe0096bd8860
vn_ioctl() at vn_ioctl+0x16a/frame 0xfffffe0096bd8970
devfs_ioctl_f() at devfs_1octl_f+Bxle/frame 0xfffffe0096bd8990
kern_loctl() at kern_loctl~Bx2b7/frame 0xfffffe0096bd89f0
sgs_loctl() at sgs_loctl+Bxfa/frame 0xfffffe0096bd8ac0
amd64_syscall() at amd64_syscall+0x367/frame 0xfffffe0096bd8bf0
fast_syscall_common() at fast_syscall common+0xf8/frame 0xfffffe0096bd8ac0
--- syscall (54, FreeBSD ELF64, sys_ioctl), rip = 0x80087bcaa, rsp = 0x7fffffffbc80, rb = 0x7ffff //... (cut off)
KDB: enter: panic
[ thread pid 31 tid 100512 ]
Stopped at      kdb_enter+0x37: movq    $0.0x164ad36(%rip)

I was advised by someone who works on ZFS to report this as a kernel bug -- that this apparent metadata corruption shouldn't cause a kernel panic.

Looks similar to #13003. I've already tried the advice suggested there of "grabbing a list of txgs still visible with e.g. zdb -lu and then trying manually specifying -T [for zpool import]" to no avail (panics every time).

[pcd1193182]

That someone was me! In general, we shouldn't allow a kernel panic to occur when attempting an import, even if the pool contains corrupted metadata. There are some blkptr_verify calls in the arc_read codepath that prevent this in most cases, but it seems there might be some holes in that protection. We should try to improve that.

[behlendorf]

PR #12535 may resolve your issue and let you import the pool. One of the holes @pcd1193182 alluded to in arc_read() is for embedded block pointers, this PR closes that hole. This fix didn't make it in to the 2.0.7 release, but it is included in the 2.1.2 tag. I'd suggest trying that newer version if you can.

[richlj]

I seem to be getting a similar error on Debian Stable (as well as Ubuntu LTS) with zfs version

zfs-2.1.99-1083_gec4d860eb
zfs-kmod-2.1.99-1083_gec4d860eb

 VERIFY3(size <= SPA_MAXBLOCKSIZE) failed (33449984 <= 16777216)
 PANIC at abd.c:187:abd_alloc()
 Showing stack for process 14105
 CPU: 2 PID: 14105 Comm: zpool Tainted: P           OE     4.19.0-20-amd64 #1 Debian 4.19.235-1
 Hardware name: Supermicro X9SCL-II/X9SCM-II/X9SCL-II/X9SCM-II, BIOS 2.00 04/16/2012
 Call Trace:
  dump_stack+0x66/0x81
  spl_panic+0xd3/0xfb [spl]
  ? _cond_resched+0x15/0x30
  ? mutex_lock+0xe/0x30
  ? _cond_resched+0x15/0x30
  ? mutex_lock+0xe/0x30
  ? _cond_resched+0x15/0x30
  ? mutex_lock+0xe/0x30
  ? aggsum_add+0x179/0x190 [zfs]
  ? spl_kmem_cache_free+0xec/0x1c0 [spl]
  ? _cond_resched+0x15/0x30
  ? mutex_lock+0xe/0x30
  ? mutex_lock+0xe/0x30
  abd_alloc+0x95/0xa0 [zfs]
  spa_load_verify_cb+0x167/0x1e0 [zfs]
  traverse_visitbp+0x303/0xaf0 [zfs]
  traverse_visitbp+0x458/0xaf0 [zfs]
  traverse_visitbp+0x458/0xaf0 [zfs]
  traverse_visitbp+0x458/0xaf0 [zfs]
  traverse_dnode+0xb9/0x1e0 [zfs]
  traverse_visitbp+0x984/0xaf0 [zfs]
  ? spl_kmem_cache_free+0xec/0x1c0 [spl]
  traverse_impl+0x1e6/0x4a0 [zfs]
  traverse_dataset_resume+0x42/0x50 [zfs]
  ? spa_sync+0xfc0/0xfc0 [zfs]
  traverse_pool+0x15e/0x190 [zfs]
  ? spa_sync+0xfc0/0xfc0 [zfs]
  spa_load+0x9a4/0x1330 [zfs]
  spa_load_best+0x54/0x2d0 [zfs]
  ? zpool_get_load_policy+0x1ab/0x1c0 [zcommon]
  spa_import+0x1e9/0x670 [zfs]
  zfs_ioc_pool_import+0x128/0x140 [zfs]
  zfsdev_ioctl_common+0x5e1/0x890 [zfs]
  ? kmalloc_large_node+0x37/0x60
  ? __kmalloc_node+0x213/0x2c0
  zfsdev_ioctl+0x4f/0xe0 [zfs]
  do_vfs_ioctl+0xa4/0x630
  ? handle_mm_fault+0xd6/0x200
  ksys_ioctl+0x60/0x90
  __x64_sys_ioctl+0x16/0x20
  do_syscall_64+0x53/0x110
  entry_SYSCALL_64_after_hwframe+0x44/0xa9
 RIP: 0033:0x7fd0287a3e57
 Code: 00 00 90 48 8b 05 39 a0 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 09 a0 0c 00 f7 d8 64 89 01 48          
 RSP: 002b:00007ffe85374cd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
 RAX: ffffffffffffffda RBX: 00007ffe85375640 RCX: 00007fd0287a3e57
 RDX: 00007ffe85375640 RSI: 0000000000005a02 RDI: 0000000000000003
 RBP: 00007ffe85378c20 R08: 0000562c619ddd20 R09: 00007fd02886f440
 R10: 0000562c619b6010 R11: 0000000000000246 R12: 0000562c619b7530
 R13: 0000562c619bc4d0 R14: 0000562c619bce10 R15: 0000000000000000

System memory is 32GB of unbuffered ECC, and had the same error with an Asus P8B-WS motherboard, and with 8GB and 16GB RAM. Currently using an LSI SAS-2008 adapter in IT mode; have had the same result using the onboard SATA ports.

The volume is a ZFS mirror and the drives are

1x WDC WD8004FRYZ-0 8TB
1x Toshiba MG09ACA18TE 18TB

And are different sizes because I had planned to upgrade the remaining 8TB drive in the near future. I mention this because that's around the ceiling for HDD capacity at the moment, and I have seen a number of error dumps in other bug reports with the SPA_MAXBLOCKSIZE value as 16MB, and I noticed that my value is almost exactly twice that value. S.M.A.R.T. status is showing a clean bill of health.

EDIT: I can see that max value for SPA_MAXBLOCKSIZE is hard-coded to 16MB. I'll wait for your guidance to see whether increasing this is likely to be help with mounting this volume (so that I can access files that were modified since the last backup).

EDIT2: I have now resolved this by disabling the following parameters

/sys/module/zfs/parameters/spa_load_verify_data
/sys/module/zfs/parameters/spa_load_verify_metadata

importing the pool without kernel panic, re-enabling the verification parameters, and then successfully reimporting the pool with verification.

[behlendorf]

@richlj thanks for reporting this! Unfortunately, it appears you discovered one of the holes in the block pointer verification that happens, this was mentioned in a previous comment. Your solution of disabling the spa_load_verify_data and spa_load_verify_metadata during the initial import is exactly what I would have recommended.

I'm glad to hear you were then able to import the pool. However, the fact that you hit this does indicate a damaged block pointer was written to the pool. I'd strongly suggest scrubbing the pool, depending on exactly what was damaged it may be correctable. If nothing is reported as a persistent error then it will have been repaired, or the block may have already been freed.

We can take a look at hardening this call path now that we're aware of it.