SPL PANIC when creating a pool on top of a Ceph RBD

[tdb]

I'm trying to create a pool on top of a Ceph RBD. My setup is:

• Running on a VMware VM
• Ubuntu precise using linux-generic-lts-raring kernel (3.8.0.22.21)
• ZFS/SPL 0.6.1 from ppa:zfs-native/stable
• Ceph 0.61.2 from ceph.com repository

I can create a pool on top of a local disk without any problems. But when I put it on top of a Ceph RBD (block device) I get the following error:

# rbd ls -l
NAME     SIZE PARENT FMT PROT LOCK
cephzfs 1024G          1
# rbd map cephzfs --pool rbd --name client.admin
# ls -la /dev/rbd/rbd/cephzfs /dev/rbd1
brw-rw---- 1 root disk 251, 0 May 24 16:04 /dev/rbd1
lrwxrwxrwx 1 root root     10 May 24 16:04 /dev/rbd/rbd/cephzfs -> ../../rbd1
# zpool create pool1 /dev/rbd/rbd/cephzfs
cannot open 'pool1': dataset does not exist

And this panic:

[10582.132665] VERIFY(shpp->sh_eof == shpp->sh_pool_create_len) failed
[10582.132816] SPLError: 1746:0:(spa_history.c:276:spa_history_log_sync()) SPL PANIC
[10582.132958] SPL: Showing stack for process 1746
[10582.132962] Pid: 1746, comm: txg_sync Tainted: PF          O 3.8.0-22-generic #33~precise1-Ubuntu
[10582.132963] Call Trace:
[10582.132999]  [] spl_debug_dumpstack+0x27/0x40 [spl]
[10582.133006]  [] spl_debug_bug+0x82/0xe0 [spl]
[10582.133045]  [] spa_history_log_sync+0x428/0x650 [zfs]
[10582.133077]  [] dsl_sync_task_group_sync+0x123/0x210 [zfs]
[10582.133107]  [] dsl_pool_sync+0x41b/0x530 [zfs]
[10582.133140]  [] spa_sync+0x3a8/0xa50 [zfs]
[10582.133160]  [] ? ktime_get_ts+0x4c/0xe0
[10582.133195]  [] txg_sync_thread+0x2df/0x540 [zfs]
[10582.133229]  [] ? txg_init+0x250/0x250 [zfs]
[10582.133238]  [] thread_generic_wrapper+0x78/0x90 [spl]
[10582.133246]  [] ? __thread_create+0x310/0x310 [spl]
[10582.133255]  [] kthread+0xc0/0xd0
[10582.133259]  [] ? flush_kthread_worker+0xb0/0xb0
[10582.133272]  [] ret_from_fork+0x7c/0xb0
[10582.133275]  [] ? flush_kthread_worker+0xb0/0xb0

And then the following repeats after that until I reboot:

[10779.414291] INFO: task txg_sync:1746 blocked for more than 120 seconds.
[10779.414442] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[10779.414588] txg_sync        D ffff88003737b460     0  1746      2 0x00000000
[10779.414596]  ffff88003c517ad8 0000000000000046 0000000000000013 ffff88003fc13f40
[10779.414601]  ffff88003c517fd8 ffff88003c517fd8 ffff88003c517fd8 0000000000013f40
[10779.414604]  ffff88003b2d9740 ffff88003b08c5c0 ffffffff81c15347 0000000000000000
[10779.414607] Call Trace:
[10779.414624]  [] schedule+0x29/0x70
[10779.414652]  [] spl_debug_bug+0xb5/0xe0 [spl]
[10779.414716]  [] spa_history_log_sync+0x428/0x650 [zfs]
[10779.414751]  [] dsl_sync_task_group_sync+0x123/0x210 [zfs]
[10779.414785]  [] dsl_pool_sync+0x41b/0x530 [zfs]
[10779.414818]  [] spa_sync+0x3a8/0xa50 [zfs]
[10779.414825]  [] ? ktime_get_ts+0x4c/0xe0
[10779.414863]  [] txg_sync_thread+0x2df/0x540 [zfs]
[10779.414897]  [] ? txg_init+0x250/0x250 [zfs]
[10779.414906]  [] thread_generic_wrapper+0x78/0x90 [spl]
[10779.414914]  [] ? __thread_create+0x310/0x310 [spl]
[10779.414919]  [] kthread+0xc0/0xd0
[10779.414922]  [] ? flush_kthread_worker+0xb0/0xb0
[10779.414926]  [] ret_from_fork+0x7c/0xb0
[10779.414929]  [] ? flush_kthread_worker+0xb0/0xb0
[10899.176620] INFO: task txg_sync:1746 blocked for more than 120 seconds.
[10899.176758] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[10899.176902] txg_sync        D ffff88003737b460     0  1746      2 0x00000000
[10899.176906]  ffff88003c517ad8 0000000000000046 0000000000000013 ffff88003fc13f40
[10899.176910]  ffff88003c517fd8 ffff88003c517fd8 ffff88003c517fd8 0000000000013f40
[10899.176913]  ffff88003b2d9740 ffff88003b08c5c0 ffffffff81c15347 0000000000000000
[10899.176917] Call Trace:
[10899.176926]  [] schedule+0x29/0x70
[10899.176958]  [] spl_debug_bug+0xb5/0xe0 [spl]
[10899.176998]  [] spa_history_log_sync+0x428/0x650 [zfs]
[10899.177030]  [] dsl_sync_task_group_sync+0x123/0x210 [zfs]
[10899.177059]  [] dsl_pool_sync+0x41b/0x530 [zfs]
[10899.177092]  [] spa_sync+0x3a8/0xa50 [zfs]
[10899.177097]  [] ? ktime_get_ts+0x4c/0xe0
[10899.177132]  [] txg_sync_thread+0x2df/0x540 [zfs]
[10899.177166]  [] ? txg_init+0x250/0x250 [zfs]
[10899.177178]  [] thread_generic_wrapper+0x78/0x90 [spl]
[10899.177186]  [] ? __thread_create+0x310/0x310 [spl]
[10899.177191]  [] kthread+0xc0/0xd0
[10899.177194]  [] ? flush_kthread_worker+0xb0/0xb0
[10899.177198]  [] ret_from_fork+0x7c/0xb0
[10899.177202]  [] ? flush_kthread_worker+0xb0/0xb0

I'm happy to provide any further information required or do testing as needed.

Thank you.
Tim.

[hvenzke]

use the real physical name /dev/rbd1
no symlinks with zfs !!

[tdb]

It makes no difference I'm afraid. The panic is identical.

[hvenzke]

Well , then the bug is at Ceph RBD ´s logic basicly as that provide the storange .

ZFS on linux is known to work with native drbd fine.

Ceph RBD snapshoot featgers are overkill as ZFS does that itsself.

Can you try make an gfs cluster or lustre fs on it ?

[tdb]

Ceph RBD works fine with other file systems for me, and ZFS works fine with other underlying storage. So it's hard to be precise about where the problem lies. In any case, ZFS shouldn't panic, surely? That's a bug.

Ceph provides a distributed file system which is why I want to use it. ZFS also has some great features for managing multiple file systems within a single pool including snapshots.

[behlendorf]

@tdb You're hitting a VERIFY in the code while attempting to sync out the history buffer to disk. For some reason the buffer lengths aren't being correctly updated. Since this only happens on top of a ceph rbd I suspect their block device is behaving slightly differently that the rest of the Linux block drivers. For the purposes of a test you could try commenting out the VERIFY like this, although I my suspicion is you'll likely hit another issue quickly. However, that failure may shed some more light on exactly what's going wrong.

diff --git a/module/zfs/spa_history.c b/module/zfs/spa_history.c
index 9fb75f3..2d45266 100644
--- a/module/zfs/spa_history.c
+++ b/module/zfs/spa_history.c
@@ -272,8 +272,8 @@ spa_history_log_sync(void *arg1, void *arg2, dmu_tx_t *tx)
            NV_ENCODE_XDR, KM_PUSHPAGE) == 0);

        mutex_enter(&spa->spa_history_lock);
-       if (hap->ha_log_type == LOG_CMD_POOL_CREATE)
-               VERIFY(shpp->sh_eof == shpp->sh_pool_create_len);
+//     if (hap->ha_log_type == LOG_CMD_POOL_CREATE)
+//             VERIFY(shpp->sh_eof == shpp->sh_pool_create_len);

        /* write out the packed length as little endian */
        le_len = LE_64((uint64_t)reclen);

Related to this most people usually think about putting ceph on top over zfs not vise-versa. This behavior was recently fixed in master so you might try that. It won't get you features like distributed snapshots but it will bring many of zfs's other benefits.

[tdb]

@behlendorf Thanks for the reply. I made the change suggested (against 0.6.1) and saw the following:

# zpool create pool1 /dev/rbd1
cannot open 'pool1': dataset does not exist

So that's the same as before. Checking zpool status afterwards showed a good pool, but zfs status didn't show any filesystems. No panic though.

Then I tried to repeat it. This time I got a panic after creating the pool, and zpool status hung. The panic was:

[  183.924160] divide error: 0000 [#1] SMP
[  183.924349] Modules linked in: coretemp(F) microcode(F) psmouse(F) ppdev(F) vmw_balloon(F) serio_raw(F) i2c_piix4(F) vmwgfx(F) mac_hid(F) ttm(F) shpchp(F) drm(F) parport_pc(F) rbd(F) libceph(F) lp(F) parport(F) zfs(POF) zcommon(POF) znvpair(POF) zavl(POF) zunicode(POF) spl(OF) floppy(F) e1000(F) mptspi(F) mptscsih(F) mptbase(F) btrfs(F) zlib_deflate(F) libcrc32c(F)
[  183.926033] CPU 0
[  183.926100] Pid: 2019, comm: txg_sync Tainted: PF          O 3.8.0-23-generic #34~precise1-Ubuntu VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform
[  183.926385] RIP: 0010:[]  [] spa_history_write+0x82/0x1d0 [zfs]
[  183.926631] RSP: 0018:ffff88003c549ab8  EFLAGS: 00010246
[  183.926742] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[  183.926878] RDX: 0000000000000000 RSI: 0000000000000020 RDI: 0000000000000000
[  183.927015] RBP: ffff88003c549b28 R08: ffff88003cfb4b40 R09: 0000000000000003
[  183.927151] R10: ffff880037062303 R11: 316462722f766564 R12: ffff88003c496600
[  183.927287] R13: ffff88003be36000 R14: ffff88003cf9a000 R15: 0000000000000008
[  183.927424] FS:  0000000000000000(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
[  183.927574] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  183.927690] CR2: 00007f3b12ef0000 CR3: 000000003b141000 CR4: 00000000000007f0
[  183.927924] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  183.928132] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  183.928312] Process txg_sync (pid: 2019, threadinfo ffff88003c548000, task ffff88003bc8ae80)
[  183.928535] Stack:
[  183.928633]  0000000000000002 ffffffffa01e3360 ffff88003cfb4b40 ffff88003c549ba0
[  183.929007]  ffff88003cf9a000 0000000000000008 ffff88003be36000 0000000068163d54
[  183.929382]  ffff88003b8a2cc0 ffff88003b8a2cc0 ffff88003be36000 ffff88003cfb4b40
[  183.929757] Call Trace:
[  183.929903]  [] spa_history_log_sync+0x221/0x610 [zfs]
[  183.930106]  [] dsl_sync_task_group_sync+0x123/0x210 [zfs]
[  183.930312]  [] dsl_pool_sync+0x41b/0x530 [zfs]
[  183.930507]  [] spa_sync+0x3a8/0xa50 [zfs]
[  183.930667]  [] ? ktime_get_ts+0x4c/0xe0
[  183.930852]  [] txg_sync_thread+0x2df/0x540 [zfs]
[  183.931049]  [] ? txg_init+0x250/0x250 [zfs]
[  183.931219]  [] thread_generic_wrapper+0x78/0x90 [spl]
[  183.931397]  [] ? __thread_create+0x310/0x310 [spl]
[  183.931568]  [] kthread+0xc0/0xd0
[  183.936038]  [] ? flush_kthread_worker+0xb0/0xb0
[  183.936149]  [] ret_from_fork+0x7c/0xb0
[  183.936251]  [] ? flush_kthread_worker+0xb0/0xb0
[  183.936360] Code: 55 b0 48 89 fa 48 29 f2 48 01 c2 48 39 55 b8 0f 82 bc 00 00 00 4c 8b 75 b0 41 bf 08 00 00 00 48 29 c8 31 d2 49 8b b5 70 08 00 00 <48> f7 f7 4c 8d 45 c0 4c 89 f7 48 01 ca 48 29 d3 48 83 fb 08 49
[  183.938433] RIP  [] spa_history_write+0x82/0x1d0 [zfs]
[  183.938599]  RSP 
[  183.938710] ---[ end trace f7a46262c37aea79 ]---

If I had a more concrete idea of what was happening I'd be happy to file a bug with Ceph.

[behlendorf]

Divide by zero, now that's interesting. Can you dump the exact code for your build as follows, it should look something like this but the exact line might differ. I want to know where that device by zero occurred.

[behlendo@rhel-6-2-amd64 zfs]$ gdb module/zfs/zfs.ko
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-60.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/behlendo/src/git/zfs/module/zfs/zfs.ko...done.
(gdb) 
(gdb)  list *(spa_history_write+0x82)
0x58a62 is in spa_history_write (/home/behlendo/src/git/zfs/module/zfs/../../module/zfs/spa_history.c:129).
124             int err;
125
126             phys_bof = spa_history_log_to_phys(shpp->sh_bof, shpp);
127             firstread = MIN(sizeof (reclen), shpp->sh_phys_max_off - phys_bof);
128
129             if ((err = dmu_read(mos, spa->spa_history, phys_bof, firstread,
130                 buf, DMU_READ_PREFETCH)) != 0)
131                     return (err);
132             if (firstread != sizeof (reclen)) {
133                     if ((err = dmu_read(mos, spa->spa_history,
(gdb) quit

[tdb]

I've been building the module using dkms, but it appears to be stripping the module or not building it with symbols in the first place. Is there a way to modify that behaviour? Or am I going to need to ditch that and build it myself?

I've tried setting the relevant things in /etc/default/zfs.

[chrisrd]

Given previously failing VERIFY:

+//     if (hap->ha_log_type == LOG_CMD_POOL_CREATE)
+//             VERIFY(shpp->sh_eof == shpp->sh_pool_create_len);

...static analysis suggests:

static int
spa_history_write(spa_t *spa, void *buf, uint64_t len, spa_history_phys_t *shpp,
    dmu_tx_t *tx)
{
    ...
        phys_eof = spa_history_log_to_phys(shpp->sh_eof, shpp);
    ...
}

static uint64_t
spa_history_log_to_phys(uint64_t log_off, spa_history_phys_t *shpp)
{
        uint64_t phys_len;

        phys_len = shpp->sh_phys_max_off - shpp->sh_pool_create_len;
        return ((log_off - shpp->sh_pool_create_len) % phys_len      <<<< BOOM!
            + shpp->sh_pool_create_len);
}

[behlendorf]

@tdb It depends on your kernel and what the default build options are. For example, the Ubuntu kernels will always strip the symbols. It may also not be needed since @chrisrd has likely spotted the offending line here.

It seems likely that we're somehow reading bogus data from the ceph rbd. It would be useful to see what those values are. If you're still interested in chasing this can you try the following patch. It will log the offending value to the console before the crash. It would be useful to run it several times to see if the values remain constant or change.

diff --git a/module/zfs/spa_history.c b/module/zfs/spa_history.c
index 9fb75f3..700f364 100644
--- a/module/zfs/spa_history.c
+++ b/module/zfs/spa_history.c
@@ -223,6 +223,13 @@ spa_history_log_sync(void *arg1, void *arg2, dmu_tx_t *tx)
         */
        VERIFY(0 == dmu_bonus_hold(mos, spa->spa_history, FTAG, &dbp));
        shpp = dbp->db_data;
+#ifdef _KERNEL
+       printk("sh_pool_create_len = %llu\n", shpp->sh_pool_create_len);
+       printk("sh_phys_max_off = %llu\n", shpp->sh_phys_max_off);
+       printk("sh_bof = %llu\n", shpp->sh_bof);
+       printk("sh_eof = %llu\n", shpp->sh_eof);
+       printk("sh_records_losts = %llu\n", shpp->sh_records_lost);
+#endif

        dmu_buf_will_dirty(dbp, tx);

[tdb]

@behlendorf It looks like either through fiddling or other updates that I've managed to move the error:

[  422.936633]  rbd1: unknown partition table
[  422.936705] rbd: rbd1: added with size 0x10000000000
[  441.362250] SPL: using hostid 0x007f0101
[  441.470098] SPLError: 1682:0:(zap_micro.c:301:mze_find()) VERIFY3(mze->mze_cd == (&(zn->zn_zap)->zap_u.zap_micro.zap_phys->mz_chunk[(mze)->mze_chunkid])->mze_cd) failed (0 == 1635019877)
[  441.470418] SPLError: 1682:0:(zap_micro.c:301:mze_find()) SPL PANIC
[  441.470544] SPL: Showing stack for process 1682
[  441.470552] Pid: 1682, comm: txg_sync Tainted: PF          O 3.8.0-25-generic #37~precise1-Ubuntu
[  441.470554] Call Trace:
[  441.470579]  [] spl_debug_dumpstack+0x27/0x40 [spl]
[  441.470589]  [] spl_debug_bug+0x82/0xe0 [spl]
[  441.470636]  [] mze_find+0x13a/0x270 [zfs]
[  441.470677]  [] zap_lookup_norm+0x9e/0x1c0 [zfs]
[  441.470685]  [] ? kmem_free_debug+0x4b/0x150 [spl]
[  441.470725]  [] zap_lookup+0x33/0x40 [zfs]
[  441.470765]  [] spa_feature_is_active+0x8a/0xf0 [zfs]
[  441.470799]  [] dsl_scan_active+0x76/0xc0 [zfs]
[  441.470833]  [] dsl_scan_sync+0x4f/0xe30 [zfs]
[  441.470873]  [] ? zio_wait+0x23d/0x480 [zfs]
[  441.470910]  [] ? bpobj_enqueue_cb+0x20/0x20 [zfs]
[  441.470947]  [] spa_sync+0x417/0xcd0 [zfs]
[  441.470968]  [] ? ktime_get_ts+0x4c/0xe0
[  441.471007]  [] txg_sync_thread+0x30a/0x640 [zfs]
[  441.471016]  [] ? kmem_free_debug+0x4b/0x150 [spl]
[  441.471054]  [] ? txg_quiesce_thread+0x540/0x540 [zfs]
[  441.471062]  [] thread_generic_wrapper+0x78/0x90 [spl]
[  441.471070]  [] ? __thread_create+0x310/0x310 [spl]
[  441.471080]  [] kthread+0xc0/0xd0
[  441.471084]  [] ? flush_kthread_worker+0xb0/0xb0
[  441.471096]  [] ret_from_fork+0x7c/0xb0
[  441.471100]  [] ? flush_kthread_worker+0xb0/0xb0

If that's of no use to you, let me know and I'll try to get the machine back how it was. I notice the kernel version has changed, and I'm fairly sure a ceph update got pulled in too.

[behlendorf]

@tdb This just looks like garbage data from disk as well. One thing which did catch my eye however from the above log was the size of the rbd device. 0x10000000000 is a surprisingly round number for the partition, is this expected? Also are you creating a partition table for zfs manually, or allowing it to partition the device?

[  422.936705] rbd: rbd1: added with size 0x10000000000

[tdb]

@behlendorf I noticed that size too. It's a 1GB partition, so it's actually correct.

# rbd ls -l
NAME     SIZE PARENT FMT PROT LOCK
cephzfs 1024G          1

I was giving the raw device to ZFS, rather than creating a partition.

If I use fdisk to but a partition table on the disk, but without adding any partitions, I get the following when creating a pool:

# zpool create pool1 /dev/rbd1
internal error: Invalid argument
Aborted (core dumped)

If I create a partition on it I get the same errors as I mentioned previously (mze_find) when creating a pool on /dev/rbd1p1.

Just for comparison, here's the output creating an ext4 filesystem on the same partition:

root@ubuntu:~# mkfs.ext4 /dev/rbd1p1
mke2fs 1.42 (29-Nov-2011)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=1024 blocks, Stripe width=1024 blocks
67108864 inodes, 268434432 blocks
13421721 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
8192 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
        4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
        102400000, 214990848
Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
root@ubuntu:~# mount /dev/rbd1p1 /mnt
root@ubuntu:~# df -h /mnt
Filesystem      Size  Used Avail Use% Mounted on
/dev/rbd1p1    1008G   72M  957G   1% /mnt
root@ubuntu:~#

[behlendorf]

Strange. Well the only way these failures make sense is if something odd is happening at the block device layer. My next suggestion would be to use blktrace to grab a trace log for the rbd device. That would allow us to look for something unusual in the way the rbd or zfs is behaving.

http://www.cse.unsw.edu.au/~aaronc/iosched/doc/blktrace.html

[tdb]

@behlendorf Does this output help?

https://gist.github.com/tdb/2ae734e546be0c5e1d39

[behlendorf]

@tdb That's exactly the log I wanted to see, but unfortunately it doesn't really show anything strange. All the I/O looks reasonable and is doing what I'd expect a zpool create to do. It's the right size and it's all within the size of the device. However, what is interesting is that it doesn't show any reads before the crash.

That's got me wondering if the rbd driver might be modifying parts of the pages in the bvecs during the write. That could explain this issue, but we'd need to put a debug patch together to see.

[chrisrd]

@TBD Based on little more than the mention of modifying bvecs, this commit which touches drivers/block/rbd.c might be relevant:

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d74c6d514fe314b8bdab58b487b25992291577ec

block: Add bio_for_each_segment_all()

__bio_for_each_segment() iterates bvecs from the specified index
instead of bio->bv_idx.  Currently, the only usage is to walk all the
bvecs after the bio has been advanced by specifying 0 index.

For immutable bvecs, we need to split these apart;
bio_for_each_segment() is going to have a different implementation.
This will also help document the intent of code that's using it -
bio_for_each_segment_all() is only legal to use for code that owns the
bio.

If your kernel doesn't have that patch already it could be worthwhile trying a kernel including it. It looks to have been introduced some time between v3.9 and v3.10-rc1. Possibly even worth trying v3.10-rc6 which has pulled in a bunch of rbd.c changes

[tdb]

@chrisrd Using the Ubuntu mainline kernels I tried v3.9.7, but it behaved the same. I checked and it doesn't cotain the commit you mentioned above. So I tried v3.10-rc6 and I get the following build error in spl:

Making all in module
make[2]: Entering directory `/var/lib/dkms/spl/0.6.1/build/module'
make -C /lib/modules/3.10.0-031000rc6-generic/build SUBDIRS=`pwd`  CONFIG_SPL=m modules
make[3]: Entering directory `/usr/src/linux-headers-3.10.0-031000rc6-generic'
  CC [M]  /var/lib/dkms/spl/0.6.1/build/module/spl/../../module/spl/spl-debug.o
  CC [M]  /var/lib/dkms/spl/0.6.1/build/module/spl/../../module/spl/spl-proc.o
In file included from /var/lib/dkms/spl/0.6.1/build/include/sys/kmem.h:38:0,
                 from /var/lib/dkms/spl/0.6.1/build/include/sys/kstat.h:32,
                 from /var/lib/dkms/spl/0.6.1/build/module/spl/../../module/spl/spl-proc.c:28:
/var/lib/dkms/spl/0.6.1/build/include/sys/vmsystm.h:77:8: error: redefinition of ‘struct vmalloc_info’
include/linux/vmalloc.h:173:8: note: originally defined here
/var/lib/dkms/spl/0.6.1/build/module/spl/../../module/spl/spl-proc.c: In function ‘proc_dir_entry_match’:
/var/lib/dkms/spl/0.6.1/build/module/spl/../../module/spl/spl-proc.c:1126:15: error: dereferencing pointer to incomplete type
/var/lib/dkms/spl/0.6.1/build/module/spl/../../module/spl/spl-proc.c:1129:32: error: dereferencing pointer to incomplete type
/var/lib/dkms/spl/0.6.1/build/module/spl/../../module/spl/spl-proc.c: In function ‘proc_dir_entry_find’:
/var/lib/dkms/spl/0.6.1/build/module/spl/../../module/spl/spl-proc.c:1137:16: error: dereferencing pointer to incomplete type
/var/lib/dkms/spl/0.6.1/build/module/spl/../../module/spl/spl-proc.c:1137:37: error: dereferencing pointer to incomplete type
/var/lib/dkms/spl/0.6.1/build/module/spl/../../module/spl/spl-proc.c: In function ‘proc_dir_entries’:
/var/lib/dkms/spl/0.6.1/build/module/spl/../../module/spl/spl-proc.c:1150:16: error: dereferencing pointer to incomplete type
/var/lib/dkms/spl/0.6.1/build/module/spl/../../module/spl/spl-proc.c:1150:37: error: dereferencing pointer to incomplete type
/var/lib/dkms/spl/0.6.1/build/module/spl/../../module/spl/spl-proc.c: In function ‘spl_proc_init’:
/var/lib/dkms/spl/0.6.1/build/module/spl/../../module/spl/spl-proc.c:1177:2: error: implicit declaration of function ‘create_proc_entry’ [-Werror=implicit-function-declaration]
/var/lib/dkms/spl/0.6.1/build/module/spl/../../module/spl/spl-proc.c:1177:21: warning: assignment makes pointer from integer without a cast [enabled by default]
/var/lib/dkms/spl/0.6.1/build/module/spl/../../module/spl/spl-proc.c:1181:27: error: dereferencing pointer to incomplete type
/var/lib/dkms/spl/0.6.1/build/module/spl/../../module/spl/spl-proc.c: In function ‘proc_dir_entry_match’:
/var/lib/dkms/spl/0.6.1/build/module/spl/../../module/spl/spl-proc.c:1130:1: warning: control reaches end of non-void function [-Wreturn-type]
cc1: some warnings being treated as errors
make[5]: *** [/var/lib/dkms/spl/0.6.1/build/module/spl/../../module/spl/spl-proc.o] Error 1
make[4]: *** [/var/lib/dkms/spl/0.6.1/build/module/spl] Error 2
make[3]: *** [_module_/var/lib/dkms/spl/0.6.1/build/module] Error 2
make[3]: Leaving directory `/usr/src/linux-headers-3.10.0-031000rc6-generic'
make[2]: *** [modules] Error 2
make[2]: Leaving directory `/var/lib/dkms/spl/0.6.1/build/module'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/var/lib/dkms/spl/0.6.1/build'
make: *** [all] Error 2

Have spl/zfs been tested with v3.10 yet?

[behlendorf]

@tdb There are pull requests open for 3.10 support by they are still under going review before getting merged. They should be safe to use, the only real questions around them are do they accidentally break builds on older kernels and are they as clean as they can be.

@chrisrd I don't think the referenced commit will help, but it wouldn't hurt to try. We'll probably need to instrument the zfs vdev_disk.c code to see exactly what's happening to the bios.

[tdb]

Just a quick update on this. I've tried again with 0.6.2 and the following two kernels:

http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.10.9-saucy/
http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.11-rc6-saucy/

Same problem:

Aug 25 00:51:29 ubuntu-12042 kernel: [  142.393672] SPLError: 2851:0:(zap_micro.c:301:mze_find()) VERIFY3(mze->mze_cd == (&(zn->zn_zap)->zap_u.zap_micro.zap_phys->mz_chunk[(mze)->mze_chunkid])->mze_cd) failed (0 == 825307184)
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394034] SPLError: 2851:0:(zap_micro.c:301:mze_find()) SPL PANIC
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394160] SPL: Showing stack for process 2851
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394164] CPU: 0 PID: 2851 Comm: txg_sync Tainted: PF          O 3.11.0-031100rc6-generic #201308181835
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394166] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 02/22/2012
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394169]  ffff88003c59da00 ffff88003c4ab9c8 ffffffff81720b9b 0000000000000007
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394173]  0000000000000000 ffff88003c4ab9d8 ffffffffa018f4d7 ffff88003c4aba18
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394176]  ffffffffa01907a2 ffffffffa01a4b4d ffff880036998880 ffff88003c59da00
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394179] Call Trace:
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394203]  [] dump_stack+0x46/0x58
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394221]  [] spl_debug_dumpstack+0x27/0x40 [spl]
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394246]  [] spl_debug_bug+0x82/0xe0 [spl]
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394314]  [] mze_find+0x13a/0x270 [zfs]
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394359]  [] zap_lookup_norm+0x9e/0x1c0 [zfs]
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394368]  [] ? kmem_free_debug+0x4b/0x150 [spl]
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394410]  [] zap_lookup+0x33/0x40 [zfs]
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394451]  [] spa_feature_is_active+0x8a/0xf0 [zfs]
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394485]  [] dsl_scan_active+0x76/0xc0 [zfs]
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394520]  [] dsl_scan_sync+0x4f/0xe30 [zfs]
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394559]  [] ? zio_wait+0x23d/0x4a0 [zfs]
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394596]  [] ? bpobj_enqueue_cb+0x20/0x20 [zfs]
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394633]  [] spa_sync+0x48a/0xd60 [zfs]
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394649]  [] ? ktime_get_ts+0x4c/0xe0
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394687]  [] txg_sync_thread+0x30a/0x640 [zfs]
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394696]  [] ? kmem_free_debug+0x4b/0x150 [spl]
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394733]  [] ? txg_quiesce_thread+0x540/0x540 [zfs]
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394742]  [] thread_generic_wrapper+0x78/0x90 [spl]
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394750]  [] ? __thread_create+0x310/0x310 [spl]
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394759]  [] kthread+0xc0/0xd0
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394763]  [] ? flush_kthread_worker+0xb0/0xb0
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394771]  [] ret_from_fork+0x7c/0xb0
Aug 25 00:51:29 ubuntu-12042 kernel: [  142.394776]  [] ? flush_kthread_worker+0xb0/0xb0

[tdb]

Using 0.6.2 and the linux-image-generic-lts-saucy 3.11.0.13.12 kernel on Ubuntu precise I now get the following:

# zpool create pool2 /dev/rbd1
internal error: Invalid argument
Aborted (core dumped)

The core file contains:

#0  0x00007ffa1abad425 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffa1abb0b8b in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007ffa1b383782 in ?? () from /lib/libzfs.so.2
#3  0x00007ffa1b383b70 in zfs_standard_error_fmt () from /lib/libzfs.so.2
#4  0x00007ffa1b364a1e in zfs_open () from /lib/libzfs.so.2
#5  0x000000000040bc98 in zpool_do_create (argc=, argv=) at ../../cmd/zpool/zpool_main.c:1057
#6  0x0000000000404d26 in main (argc=4, argv=0x7fffecdc5178) at ../../cmd/zpool/zpool_main.c:5709

And this in the log:

Nov 21 23:08:22 ubuntu-12042 kernel: [  116.240529] SPLError: 1688:0:(spa.c:6190:spa_sync()) VERIFY3(bpobj_iterate(defer_bpo, spa_free_sync_cb, zio, tx) == 0) failed (22 == 0)
Nov 21 23:08:22 ubuntu-12042 kernel: [  116.240786] SPLError: 1688:0:(spa.c:6190:spa_sync()) SPL PANIC
Nov 21 23:08:22 ubuntu-12042 kernel: [  116.240899] SPL: Showing stack for process 1688
Nov 21 23:08:22 ubuntu-12042 kernel: [  116.240910] CPU: 0 PID: 1688 Comm: txg_sync Tainted: PF          O 3.11.0-13-generic #20~precise2-Ubuntu
Nov 21 23:08:22 ubuntu-12042 kernel: [  116.240912] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/30/2013
Nov 21 23:08:22 ubuntu-12042 kernel: [  116.240915]  0000000000000005 ffff88003c6f9c48 ffffffff8173a05d 0000000000000007
Nov 21 23:08:22 ubuntu-12042 kernel: [  116.240919]  0000000000000000 ffff88003c6f9c58 ffffffffa01794d7 ffff88003c6f9c98
Nov 21 23:08:22 ubuntu-12042 kernel: [  116.240922]  ffffffffa017a7a2 ffffffffa018ebed ffff88003b804000 0000000000000005
Nov 21 23:08:22 ubuntu-12042 kernel: [  116.240925] Call Trace:
Nov 21 23:08:22 ubuntu-12042 kernel: [  116.240943]  [] dump_stack+0x46/0x58
Nov 21 23:08:22 ubuntu-12042 kernel: [  116.240971]  [] spl_debug_dumpstack+0x27/0x40 [spl]
Nov 21 23:08:22 ubuntu-12042 kernel: [  116.240979]  [] spl_debug_bug+0x82/0xe0 [spl]
Nov 21 23:08:22 ubuntu-12042 kernel: [  116.241024]  [] spa_sync+0x9f7/0xdb0 [zfs]
Nov 21 23:08:22 ubuntu-12042 kernel: [  116.241080]  [] txg_sync_thread+0x364/0x6a0 [zfs]
Nov 21 23:08:22 ubuntu-12042 kernel: [  116.241122]  [] ? txg_quiesce_thread+0x520/0x520 [zfs]
Nov 21 23:08:22 ubuntu-12042 kernel: [  116.241131]  [] thread_generic_wrapper+0x78/0x90 [spl]
Nov 21 23:08:22 ubuntu-12042 kernel: [  116.241139]  [] ? __thread_create+0x310/0x310 [spl]
Nov 21 23:08:22 ubuntu-12042 kernel: [  116.241145]  [] kthread+0xc0/0xd0
Nov 21 23:08:22 ubuntu-12042 kernel: [  116.241149]  [] ? flush_kthread_worker+0xb0/0xb0
Nov 21 23:08:22 ubuntu-12042 kernel: [  116.241158]  [] ret_from_fork+0x7c/0xb0
Nov 21 23:08:22 ubuntu-12042 kernel: [  116.241162]  [] ? flush_kthread_worker+0xb0/0xb0
Nov 21 23:10:27 ubuntu-12042 kernel: [  240.848936] INFO: task txg_sync:1688 blocked for more than 120 seconds.
Nov 21 23:10:27 ubuntu-12042 kernel: [  240.849079] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Nov 21 23:10:27 ubuntu-12042 kernel: [  240.849220] txg_sync        D ffff880036a5ece0     0  1688      2 0x00000000
Nov 21 23:10:27 ubuntu-12042 kernel: [  240.849226]  ffff88003c6f9c48 0000000000000046 ffffffff81ae70b3 ffff88003fc14580
Nov 21 23:10:27 ubuntu-12042 kernel: [  240.849230]  ffff88003c6f9fd8 ffff88003c6f9fd8 ffff88003c6f9fd8 0000000000014580
Nov 21 23:10:27 ubuntu-12042 kernel: [  240.849233]  ffff88003cd69770 ffff88003cd6aee0 0000000000000000 0000000000000000
Nov 21 23:10:27 ubuntu-12042 kernel: [  240.849236] Call Trace:
Nov 21 23:10:27 ubuntu-12042 kernel: [  240.849252]  [] schedule+0x29/0x70
Nov 21 23:10:27 ubuntu-12042 kernel: [  240.849299]  [] spl_debug_bug+0xb5/0xe0 [spl]
Nov 21 23:10:27 ubuntu-12042 kernel: [  240.849346]  [] spa_sync+0x9f7/0xdb0 [zfs]
Nov 21 23:10:27 ubuntu-12042 kernel: [  240.849387]  [] txg_sync_thread+0x364/0x6a0 [zfs]
Nov 21 23:10:27 ubuntu-12042 kernel: [  240.849427]  [] ? txg_quiesce_thread+0x520/0x520 [zfs]
Nov 21 23:10:27 ubuntu-12042 kernel: [  240.849445]  [] thread_generic_wrapper+0x78/0x90 [spl]
Nov 21 23:10:27 ubuntu-12042 kernel: [  240.849454]  [] ? __thread_create+0x310/0x310 [spl]
Nov 21 23:10:27 ubuntu-12042 kernel: [  240.849460]  [] kthread+0xc0/0xd0
Nov 21 23:10:27 ubuntu-12042 kernel: [  240.849464]  [] ? flush_kthread_worker+0xb0/0xb0
Nov 21 23:10:27 ubuntu-12042 kernel: [  240.849468]  [] ret_from_fork+0x7c/0xb0
Nov 21 23:10:27 ubuntu-12042 kernel: [  240.849471]  [] ? flush_kthread_worker+0xb0/0xb0

Further zpool commands generate the following:

Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182141] SPLError: 2064:0:(zap_micro.c:1292:zap_cursor_retrieve()) VERIFY3(mze->mze_cd == mzep->mze_cd) failed (0 == 1635019877)
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182264] SPLError: 2064:0:(zap_micro.c:1292:zap_cursor_retrieve()) SPL PANIC
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182329] SPL: Showing stack for process 2064
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182335] CPU: 0 PID: 2064 Comm: zpool Tainted: PF          O 3.11.0-13-generic #20~precise2-Ubuntu
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182337] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/30/2013
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182338]  ffff88003c25b640 ffff88003bdebac8 ffffffff8173a05d 0000000000000007
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182341]  0000000000000000 ffff88003bdebad8 ffffffffa01794d7 ffff88003bdebb18
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182343]  ffffffffa017a7a2 ffffffffa018ebed ffff88003bdebbf8 ffff88003c25b640
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182345] Call Trace:
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182352]  [] dump_stack+0x46/0x58
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182363]  [] spl_debug_dumpstack+0x27/0x40 [spl]
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182367]  [] spl_debug_bug+0x82/0xe0 [spl]
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182400]  [] zap_cursor_retrieve+0x24a/0x480 [zfs]
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182414]  [] ? default_spin_lock_flags+0x9/0x10
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182441]  [] ? zap_unlockdir+0x108/0x1a0 [zfs]
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182466]  [] spa_add_feature_stats+0x213/0x440 [zfs]
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182471]  [] ? kmem_alloc_debug+0x138/0x3b0 [spl]
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182476]  [] ? kmem_alloc_debug+0x138/0x3b0 [spl]
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182482]  [] ? nvlist_remove_all+0x8f/0xd0 [znvpair]
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182506]  [] ? spa_config_held+0xb9/0xd0 [zfs]
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182531]  [] ? spa_add_l2cache+0x29/0x3f0 [zfs]
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182555]  [] ? spa_add_spares+0x25/0x360 [zfs]
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182579]  [] spa_get_stats+0x10f/0x330 [zfs]
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182584]  [] ? kmem_alloc_debug+0x138/0x3b0 [spl]
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182610]  [] zfs_ioc_pool_stats+0x31/0x70 [zfs]
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182636]  [] zfsdev_ioctl+0x53b/0x5b0 [zfs]
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182646]  [] ? ftrace_raw_event_do_sys_open+0x100/0x110
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182651]  [] do_vfs_ioctl+0x7c/0x2f0
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182653]  [] SyS_ioctl+0x91/0xb0
Nov 21 23:17:44 ubuntu-12042 kernel: [  678.182657]  [] system_call_fastpath+0x1a/0x1f

[behlendorf]

@tdb This was due to an ABI change between the user utilities and kmods. It is unrelated to your original issue. Make sure you rebuild everything such that the utilities exactly match the kmods.

[tdb]

@behlendorf Ah, ok, sorry for the noise. I actually just installed the binary packages from launchpad, which built the kmods with dkms. So I would have expected that to stay in sync. Anyway - as you say, not related to this issue.

[rbraddy]

Is this still an issue or has a resolution been found?

[tdb]

@rbraddy I'm not aware of a resolution yet, but @behlendorf can confirm. Are you seeing the same problem? It'd be good to know it's not just me!

[rbraddy]

Yes, we are seeing the same issue with creating ZFS storage pool atop of Ceph RDB block device - zpool create failure and kernel panic.

Creating ext4 filesystem on RDB works perfectly. RBD is used extensively today by various cloud stacks (e.g., Open Stack, Cloud Stack and others), so there seems to be no issue with how it presents itself as a block device for those file systems.

Having RDB work well with ZFS is very important, as it addresses one of the major drawbacks to ZFS - a single point of failure on direct-attached storage, plus the ability to scale out. RADOS is very impressive technology, and combined with ZFS promises to be the most powerful filesystem around. Ceph's filesystem is not ready for prime time, so it just makes sense for these two technologies to work well together and be supported (the way ZFS is supported underneath Ceph OSD's today).

I agree that it's odd that: a) ZFS is the only major file system that is not working atop of RDB today, and b) ZFS panics instead of failing gracefully in the face of whatever incompatibility exists.

Having said that, from what I have seen, ZFS does work a bit differently than many other file systems. In our testing, we also encountered strange behavior by PARTED when trying to delete an existing ext4 partition that we initially configured atop of RDB, in an attempt to create an empty GPT partition in preparation for use with ZFS. ZFS creates its own partitioning scheme from what I have seen, so this may be a clue. We are still investigating, but at this point lack the deep kernel expertise required to reconcile the issue between these two complex systems.

In reading through this thread, about six months ago, I see Brian proposed something as a next step that does not appear to have occurred yet, to gather more information as a next step. I'm wondering if it makes sense to pursue that line of analysis next:

From @behlendorf : It seems likely that we're somehow reading bogus data from the ceph rbd. It would be useful to see what those values are. If you're still interested in chasing this can you try the following patch. It will log the offending value to the console before the crash. It would be useful to run it several times to see if the values remain constant or change.

diff --git a/module/zfs/spa_history.c b/module/zfs/spa_history.c
index 9fb75f3..700f364 100644
--- a/module/zfs/spa_history.c
+++ b/module/zfs/spa_history.c
@@ -223,6 +223,13 @@ spa_history_log_sync(void *arg1, void *arg2, dmu_tx_t *tx)
         */
        VERIFY(0 == dmu_bonus_hold(mos, spa->spa_history, FTAG, &dbp));
        shpp = dbp->db_data;
+#ifdef _KERNEL
+       printk("sh_pool_create_len = %llu\n", shpp->sh_pool_create_len);
+       printk("sh_phys_max_off = %llu\n", shpp->sh_phys_max_off);
+       printk("sh_bof = %llu\n", shpp->sh_bof);
+       printk("sh_eof = %llu\n", shpp->sh_eof);
+       printk("sh_records_losts = %llu\n", shpp->sh_records_lost);
+#endif

        dmu_buf_will_dirty(dbp, tx);

[dweeezil]

I just wanted to post a note here to say that I've started actively looking into this problem. I'm occasionally able to reproduce similar problems as the original report but my general observation is that any other forms of chaos can seem to result from running ZFS atop RDB. Unfortunately, I got sidetracked while looking into this and burned a ton of time tracking down the problem described in zfsonlinux/zfs#2010. With that out of the way, hopefully I'm back on track now.

Also, I should mention that this should likely be a ZFS issue rather than an SPL issue.

[hvenzke]

@dweeezil Tim , some of the logs i have read about this with zfs+ Ceph RDB said that the ZFS ´s used partion table not supported by PARTED ?!??

1. What exactly Partion type been set BEVOR you try to make an zpool on the Ceph RDB ?
2. did you tried sliced `(diskP2 )setup instead of wholedisk(disk) ?

3 . did you tried fdisk on the Ceph RDB disk , type "bf" usage ?

uppon my ZFS skills BF are the default , someone may allowed to correct me .-)

[dweeezil]

I'm still trying to get a grip on the actual problem. So far, I'm fairly certain the problem is not simply that the rbd block device behaves differently than do block devices.

@remsnet For my current testbed, I'm generally creating my ZFS pool on a single pre-created partition on the rbd device (actually, my preferred testbed is to dd a known good pool on to my rbd and test from there). I'm hoping to narrow down the problem a bit more within the next day or so once I get more time to look at it.

The failures I'm seeing when performing normal filesystem operations are many and varied. I'm concerned that zfs+rbd is exceeding Linux's kernel stack limit but I've not been able to prove it. I do plan on building a 16K stack kernel as part of my further testing to try to rule it out. Using debugfs' stack_trace feature has been very iffy with wild pointer (NULL or close-to-null) dereferences typically occurring in the ftrace_call() function, itself. I also plan on doing some instrumenting of rbd by itself to get a handle on its "base" stack utilization. The failures I'm seeing are typical of those you'd see when memory (the stack in particular) is overwritten.

I'll post more information as I get it it.

[behlendorf]

@dweeezil It's great to see you looking in to this. Stack overun is certainly one possible explanation for this, I could easily believe that the ceph rbd is more stack heavy that other block devices in the kernel. As you said rebuilding your kernel with 16k stacks would be the easiest way to check for this.

[dweeezil]

I realize a quick update on this may be in order since my last communication has been directly to @rbraddy off-list.

I've pretty much ruled out stack overflow and, in fact, the stack usage seems to be very well controlled with my zpool commands being the greatest consumer but still having over 11K free when using a kernel with 16K stacks.

What I'm seeing when trying simple ZPL operations on a known-good pool (dd'ed to a Ceph RBD and md5-checksumed for verification) is that somewhat random memory corruption. I briefly experimented with kmemcheck but I don't think it's going to be too helpful; the kernel runs too slowly and it has a bad habit of finding false positives. Instead, I'm trying to find a way to reliably trip specific types of assertions. My best success has been that it's very easy to corrupt the microZAPs when creating small files. In my last bit of detective work, it looks like they're being clobbered by, of call things, the in-memory debugging output from the various dprintf...() debugging functions.

I've taken a few days off of looking at this mainly due to my discovery of the zfsonlinux/zfs#2010. I'll post more information on this issue as it becomes available.

[hvenzke]

last real kernel stackoverrun i heard was when Linus left the kernel serries 1.x alone
from < 3k to 8k soome years go .
Good to hear that its not required to have an 16K base as default as it whuold cause some issues on several systems with smal ram .

[chrisrd]

@dweeezil What version of kernel rbd are you using? A whole bunch of rbd changes, some of which could conceivably cause corruptions, hit master in v3.12-rc2 and are slated for the next round of stable updates (v3.10.26 etc).

[dweeezil]

@chrisrd Since I'm doing my testing under Ubuntu 13.10 I'm running their stock 3.11.0-14-generic kernel compiled by myself and fetched from their git repo. The last commit in the fs/ceph directory is 494ddd1 from the upstream. I did think about running a new kernel (even a stock upstream) but decided to try to stay as standard as possible for the time being. I did also checkout the commit logs going forward until the latest master code in Linus' tree and none of them looked like total show-stoppers to me, but that was just after a cursory inspection. Should I be running something newer?

[chrisrd]

@dweeezil Given you're using rbd, the relevant kernel parts would be drivers/block/rbd* net/ceph include/linux/ceph rather than fs/ceph (that's for the ceph file system, not directly related to rbd, except they both use the ceph underpinnings).

But I agree, looking at the logs from torvalds/linux@494ddd1 onwards doesn't show anything that looks particularly suspicious, except perhaps if you're using rbd snapshots:

cd src/linux
git checkout master
git pull
git log 494ddd1..HEAD drivers/block/rbd* net/ceph include/linux/ceph

[dweeezil]

@chrisrd Thanks for the confirmation. Yes, that was a booboo for me to refer to fs/ceph rather than drivers/block/rbd* (which is actually what I was looking at the first time I scanned the commits a week ago). In any case, it seems that I should be safe staying with the kernel I'm working with.

[dweeezil]

It seems the rbd driver will overwrite memory in some cases when passed odd-sized bio requests from ZFS. I gave up trying to track down the memory corruption because I couldn't get anything reproducible so I compared ZFS' block I/O to that of other file systems (ext4 and xfs) and discovered that the others only presented nice evenly-sized requests (usually 8 sectors or multiples of 8) but that ZFS presents "unusual" sizes such as 5, 13 and 15 sectors. Apparently the rbd driver doesn't like some aspect of these requests and the result is memory corruption. I've not yet determined whether the transfer size or the buffer alignment is the problem.

In any case, a trivial workaround is to use an ashift 12 pool. They appear to work just fine on rbd and present it with nice evenly-sized bios. I've asked @rbraddy to do some testing on his Ceph rigs.

[chrisrd]

I'm sure the Ceph people would like to know about this: would you like to enter whatever details you have into the ceph bug tracker?

[behlendorf]

@dweeezil That makes good sense since most, maybe all, Linux filesystems will always submit IO in 4k page sized chunks from the page cache. I could easily see an alignment issue like in the ceph rbd not being caught.

[aieri]

@dweeezil if anybody who has a fair understanding about what's going on could submit a bug on the CEPH tracker I would be happy to help push things along. We have a support contract with Inktank and could bring this issue to their attention.

[chrisrd]

Issue opened on ceph bug tracker: http://tracker.ceph.com/issues/7790

[aieri]

Unfortunately the word from Inktank is that since ZFS on RBD is not supported, they will not handle the bug as part of our support contract, but it will simply be a community effort.
I have tried to reproduce the bug with misaligned partitions and "standard" filesystems but without success. If this bug resurfaced with, say, ext or xfs, then they might reconsider.

[dweeezil]

@aieri I don't think that simply misaligning standard filesystems will make a difference. With ext4, maybe try mkfs.ext4 -b 1024 or with xfs try mkfs.xfs -b 512 (supposedly it supports 512 byte block size). You can then use blktrace to watch the IO requests. You'll find that with ashift=9, ZFS will frequently make small odd-sized (5KiB for example) transfers. When I was doing my testing, I was not able to get either xfs or ext4 to do the same but I never tried creating those filesystems with "-b".

[behlendorf]

You shouldn't be able to cause this with filesystem like ext or xfs since they will be strictly page aligned (4k).

We could probably work around it fairly easily on the ZFS side by detecting the it's a ceph rbd and automatically setting the ashift to 12. That said it would be better to fix this on the ceph side of course.

[dweeezil]

I never did determine whether it was the alignment or the transfer size that caused the problem.

It would be nice to detect Ceph RBD under ZFS and set ashift=12 as a workaround.

[tuxoko]

Hi all:
I tried this issue today and got an interesting result.

At first with spl-master, zfs-master and linux-3.14.1
# zpool create -o ashift=12 p1 /dev/rbd0 -R /mnt
Success
# zpool create -o ashift=9 p1 /dev/rbd0 -R /mnt
Kernel oops

Then I tried again with the following patch:
https://gist.github.com/tuxoko/10832862
# zpool create -o ashift=12 p1 /dev/rbd0 -R /mnt
Success
# zpool create -o ashift=9 p1 /dev/rbd0 -R /mnt
Success!! And I can run bonnie++ without crashing it.

I still haven't figure out why, but it seems that rbd cannot handle vmalloc'd buffer properly.

[dweeezil]

@tuxoko Very interesting! Have you tried setting "c" to 16 if it were less and continue to let it use kmem_cache_alloc()? How about rounding it up to the next even value? Rounding up to a multiple of 8?

[tuxoko]

Hi @dweeezil
I continued using the above patch with kmalloc size going from 8192 to 512 for every 2^n.
The results are all successful. So it seems the problem only show up with 512.

Then, I tried with the below one:
https://gist.github.com/tuxoko/10954458
The idea is that I vmalloc one page and put the buffer randomly into 512 aligned position in the page.
The result is also sucessful.

So I'm now more inclined to believe that there's a subtle bug in spl slab that happen to show up 100% when using 512 byte slab with ashift=9 on rbd.

By the way, I get SPL: kmem leaked 39/75659481 bytes (number varies from 1x to 3x) every time when I rmmod.

[tuxoko]

So I noticed this in zio.c:

                        /*
                         * The smallest buffers (512b) are heavily used and
                         * experience a lot of churn.  The slabs allocated
                         * for them are also relatively small (32K).  Thus
                         * in over to avoid expensive calls to vmalloc() we
                         * make an exception to the usual slab allocation
                         * policy and force these buffers to be kmem backed.
                         */
                        if (size == (1 << SPA_MINBLOCKSHIFT))
                                flags |= KMC_KMEM;

I commented out this part, and the result is also successful.
This explains why only 512 byte slab is causing trouble.

There's definitely a bug in spl slab especially with KMC_KMEM
@behlendorf Would you happen to know what might have caused this?

Update:
I forced smaller buffer to use 8K slab with KMC_KMEM and result in failure
More update:
So I use ashift=12 with the above setting and the result is also failure.
It seems the problem shows up when KMC_KMEM buffer size >= ashift size.

[dweeezil]

@tuxoko Wondering if there could be a tie-in to this code in bio_map():

                if (kmem_virt(bio_ptr))
                        page = vmalloc_to_page(bio_ptr);
                else
                        page = virt_to_page(bio_ptr);

When I was trying to track this down, I did all sorts of hackery to __vdev_disk_physio() and friends to try to force them to do "nice" alignments, sizes, etc. but it was to no avail. I wasn't aware of the KMC_KMEM override you pointed out above.

[tuxoko]

I'm a bit confused.
I've looked into spl-kmem.c but I didn't see anything suspicious between KMC_KMEM or KMC_VMEM.
The bio_map() doesn't seem wrong either, but I could be wrong.

The real mystery is that at first I thought there's a problem with vmalloc, so I use kmalloc and it worked. But it turned out that the it wasn't using vmalloc in the beginning and change it to vmalloc also "fixed" it.

[tuxoko]

@dweeezil
I've come up with another theory.
I think there could be some possibility that this problem is caused by other KMC_KMEM slabs.
If you could, could you try to change all other slabs to KMC_VMEM?
My week is over so I have to wait til next Monday to test this idea.
It would be great if you could test it now.

[dweeezil]

@tuxoko I should be able to get to this later this evening. The most interesting clue I can remember from my previous research into the problem is that the data being overwritten is frequently the in-memory SPL log (the one you can view after triggering the /proc/sys/kernel/spl/debug flag) which I'll note are allocated as a bunch of 1024 byte kmalloc() allocations.

[behlendorf]

@tuxoko @dweeezil Sorry I've been slow to comment on this but I think I can shed some light on the code referenced above.

The zio buffers will be a mix of kmem and vmem backed memory depending on the size of the object. We want to minimize the overhead of an allocation so we avoid vmem backed buffers if possible. Ideally they should all be backed by individual pages which would make them simpler to hand off to the block layer which expects individual pages. That's why we need the bio_map() function in the vdev_disk code to determine what type of memory backs this block so we can get the right page. But as you know using pages at the higher ZFS layers is problematic. But if we could use pages all the way through (like other Linux FSs) this code can all be removed.

Now exactly why small slab objects would cause a problem isn't clear to me. The only thing which immediately occurs to me is that they are likely to share pages in the slab. These pages will be mapped in to the bio and perhaps that leading to an issue.

[dweeezil]

Unfortunately, I've let my ceph testing rig go stale and it's not working right now so I can't easily do any more testing on this issue for the moment.

[tuxoko]

Hi @dweeezil @behlendorf

I built a DEBUG_PAGEALLOC kernel and got the following result with ashift=9 on unpatched master

[ 1256.830668] BUG: unable to handle kernel paging request at ffff88003bdaf600
[ 1256.830971] IP: [<ffffffff8137d827>] memmove+0x37/0x1a0
[ 1256.831210] PGD 1fd0067 PUD 1fd1067 PMD 3fc06067 PTE 800000003bdaf060
[ 1256.831492] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
[ 1256.831691] Modules linked in: zfs(POF) zcommon(POF) zunicode(POF) znvpair(POF) zavl(POF) spl(OF) rbd(F) libceph(F) libcrc32c(F) vboxsf(OF) rfcomm(F) bnep(F) bluetooth(F) 6lowpan_iphc(F) snd_intel8x0(F) snd_ac97_codec(F) ac97_bus(F) snd_pcm(F) snd_seq_midi(F) snd_seq_midi_event(F) snd_rawmidi(F) snd_seq(F) snd_timer(F) joydev(F) ppdev(F) snd_seq_device(F) snd(F) microcode(F) vboxvideo(OF) soundcore(F) drm(F) psmouse(F) lp(F) parport_pc(F) i2c_piix4(F) serio_raw(F) vboxguest(OF) parport(F) mac_hid(F) hid_generic(F) usbhid(F) hid(F) ahci(F) libahci(F) e1000(F) [last unloaded: spl]
[ 1256.833755] CPU: 1 PID: 5282 Comm: z_wr_int/3 Tainted: PF          O 3.14.1-debug-pagealloc #1
[ 1256.834086] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 1256.834400] task: ffff880016064aa0 ti: ffff88003bb20000 task.ti: ffff88003bb20000
[ 1256.834622] RIP: 0010:[<ffffffff8137d827>]  [<ffffffff8137d827>] memmove+0x37/0x1a0
[ 1256.834622] RSP: 0018:ffff88003bb21c80  EFLAGS: 00010206
[ 1256.834622] RAX: ffffc90002091000 RBX: ffffc90000258ac0 RCX: 0000000000000000
[ 1256.834622] RDX: 00000000000001c0 RSI: ffff88003bdaf600 RDI: ffffc90002091000
[ 1256.834622] RBP: ffff88003bb21d30 R08: ffff88003bdaf800 R09: 0000000000000400
[ 1256.834622] R10: 0000000000000000 R11: ffffc90002091000 R12: ffffc900002314a0
[ 1256.834622] R13: ffffc900002314a0 R14: ffffc90000235aa0 R15: ffff880033399708
[ 1256.834622] FS:  0000000000000000(0000) GS:ffff88003fb00000(0000) knlGS:0000000000000000
[ 1256.834622] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 1256.834622] CR2: ffff88003bdaf600 CR3: 0000000021993000 CR4: 00000000000006e0
[ 1256.834622] Stack:
[ 1256.834622]  ffffffffa0404b9a ffffffff00020400 ffffffffa04040d0 0000000000000000
[ 1256.834622]  ffff880033399678 ffff880016064aa0 ffff880016064aa0 ffffc90000258ac0
[ 1256.834622]  ffffc90000258ac0 ffff880033399760 ffff8800333997b0 ffffc90002091000
[ 1256.834622] Call Trace:
[ 1256.834622]  [<ffffffffa0404b9a>] ? vdev_queue_io_to_issue+0x84a/0xeb0 [zfs]
[ 1256.834622]  [<ffffffffa04040d0>] ? vdev_queue_timestamp_compare+0x40/0x40 [zfs]
[ 1256.834622]  [<ffffffffa04059f6>] vdev_queue_io_done+0x176/0x3d0 [zfs]
[ 1256.834622]  [<ffffffffa045119a>] ? zio_wait_for_children+0x7a/0x130 [zfs]
[ 1256.834622]  [<ffffffffa0452318>] zio_vdev_io_done+0x88/0x1e0 [zfs]
[ 1256.834622]  [<ffffffffa04530f0>] zio_execute+0xf0/0x310 [zfs]
[ 1256.834622]  [<ffffffffa0297ae7>] taskq_thread+0x267/0x660 [spl]
[ 1256.834622]  [<ffffffff81099498>] ? finish_task_switch+0xf8/0x150
[ 1256.834622]  [<ffffffff8109ee50>] ? try_to_wake_up+0x2c0/0x2c0
[ 1256.834622]  [<ffffffffa0297880>] ? taskq_dispatch_delay+0x390/0x390 [spl]
[ 1256.834622]  [<ffffffff8108dc29>] kthread+0xc9/0xe0
[ 1256.834622]  [<ffffffff8108db60>] ? flush_kthread_worker+0x80/0x80
[ 1256.834622]  [<ffffffff817305bc>] ret_from_fork+0x7c/0xb0
[ 1256.834622]  [<ffffffff8108db60>] ? flush_kthread_worker+0x80/0x80
[ 1256.834622] Code: 00 48 39 fe 7d 0f 49 89 f0 49 01 d0 49 39 f8 0f 8f 9f 00 00 00 48 81 fa a8 02 00 00 72 05 40 38 fe 74 41 48 83 ea 20 48 83 ea 20 <4c> 8b 1e 4c 8b 56 08 4c 8b 4e 10 4c 8b 46 18 48 8d 76 20 4c 89 
[ 1256.834622] RIP  [<ffffffff8137d827>] memmove+0x37/0x1a0
[ 1256.834622]  RSP <ffff88003bb21c80>
[ 1256.834622] CR2: ffff88003bdaf600
[ 1256.834622] ---[ end trace 9235dc3b3757c5f7 ]---

This oops can be reproduced very reliably, which is a bit of a surprise since the buffer is slab backed.
And if I changed 512 buffer to use __get_free_page, the oops disappears.

[tuxoko]

This is the dump_stack where the page is freed.

[  667.875292] CPU: 0 PID: 0 Comm: swapper/0 Tainted: PF          O 3.14.1-debug-pagealloc+ #4
[  667.875614] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  667.875936]  0000000000000000 ffff88003fa03778 ffffffff8171f389 01ffff0000000000
[  667.876251]  ffffea0000f6e180 ffff88003fa037e8 ffffffff81160fb0 ffff88003fa1c200
[  667.876564]  ffff88003fa13d00 ff0000fffe000000 ff0000ffffffffff ffffea0000f6e180
[  667.876877] Call Trace:
[  667.876978]  <IRQ>  [<ffffffff8171f389>] dump_stack+0x46/0x58
[  667.877223]  [<ffffffff81160fb0>] free_pages_prepare+0x220/0x230
[  667.877461]  [<ffffffff81161000>] free_hot_cold_page+0x40/0x170
[  667.877695]  [<ffffffff81166647>] __put_single_page+0x27/0x30
[  667.877922]  [<ffffffff811671b5>] put_page+0x25/0x40
[  667.878121]  [<ffffffff81627c78>] skb_release_data+0x98/0x130
[  667.878349]  [<ffffffff81627d38>] skb_release_all+0x28/0x30
[  667.878569]  [<ffffffff81627d96>] __kfree_skb+0x16/0xc0
[  667.878778]  [<ffffffff816836db>] tcp_ack+0x60b/0x1050
[  667.878982]  [<ffffffff81684655>] tcp_rcv_established+0x195/0x6c0
[  667.879025]  [<ffffffff8168e655>] tcp_v4_do_rcv+0x1d5/0x4e0
[  667.879025]  [<ffffffff81690853>] tcp_v4_rcv+0x553/0x670
[  667.879025]  [<ffffffff8166b536>] ip_local_deliver_finish+0x66/0x100
[  667.879025]  [<ffffffff8166b768>] ip_local_deliver+0x48/0x80
[  667.879025]  [<ffffffff8166b231>] ip_rcv_finish+0x81/0x320
[  667.879025]  [<ffffffff8166ba42>] ip_rcv+0x2a2/0x3e0
[  667.879025]  [<ffffffff81694721>] ? tcp4_gro_receive+0xe1/0x130
[  667.879025]  [<ffffffff81637002>] __netif_receive_skb_core+0x542/0x730
[  667.879025]  [<ffffffff81637211>] __netif_receive_skb+0x21/0x70
[  667.879025]  [<ffffffff81637413>] netif_receive_skb_internal+0x23/0x90
[  667.879025]  [<ffffffff81637e8d>] napi_gro_receive+0x8d/0x100
[  667.879025]  [<ffffffffa0002496>] e1000_clean_rx_irq+0x2b6/0x570 [e1000]
[  667.879025]  [<ffffffffa0003b82>] e1000_clean+0x282/0x8e0 [e1000]
[  667.879025]  [<ffffffff8109132e>] ? hrtimer_get_next_event+0xce/0xd0
[  667.879025]  [<ffffffff8163777f>] net_rx_action+0xbf/0x1d0
[  667.879025]  [<ffffffff8106e07f>] __do_softirq+0xef/0x2d0
[  667.879025]  [<ffffffff8106e57d>] irq_exit+0x12d/0x140
[  667.879025]  [<ffffffff817329a7>] do_IRQ+0x67/0x110
[  667.879025]  [<ffffffff817277ed>] common_interrupt+0x6d/0x6d
[  667.879025]  <EOI>  [<ffffffff81091238>] ? hrtimer_start+0x18/0x20
[  667.879025]  [<ffffffff81052696>] ? native_safe_halt+0x6/0x10
[  667.879025]  [<ffffffff8101e1df>] default_idle+0x1f/0xc0
[  667.879025]  [<ffffffff8101ea56>] arch_cpu_idle+0x26/0x30
[  667.879025]  [<ffffffff810c6991>] cpu_startup_entry+0xe1/0x280
[  667.879025]  [<ffffffff8170f2f7>] rest_init+0x77/0x80
[  667.879025]  [<ffffffff81d2af96>] start_kernel+0x44e/0x45b
[  667.879025]  [<ffffffff81d2a947>] ? repair_env_string+0x5e/0x5e
[  667.879025]  [<ffffffff81d2a117>] ? early_idt_handlers+0x117/0x120
[  667.879025]  [<ffffffff81d2a5f0>] x86_64_start_reservations+0x2a/0x2c
[  667.879025]  [<ffffffff81d2a733>] x86_64_start_kernel+0x141/0x150

So rbd/network call put_page on zfs buffer and result in this bug.
I'm not familiar with rbd and net code, so I'm not sure how to fix it.

[tuxoko]

@aieri @tdb
Could you try the following patch.
I haven't figure out exactly why, but this seems to work for me.

diff --git a/module/spl/spl-kmem.c b/module/spl/spl-kmem.c
index 55c467b..b673c29 100644
--- a/module/spl/spl-kmem.c
+++ b/module/spl/spl-kmem.c
@@ -864,7 +864,8 @@ kv_alloc(spl_kmem_cache_t *skc, int size, int flags)
    ASSERT(ISP2(size));

    if (skc->skc_flags & KMC_KMEM)
-       ptr = (void *)__get_free_pages(flags, get_order(size));
+       ptr = (void *)__get_free_pages(flags | __GFP_COMP,
+           get_order(size));
    else
        ptr = __vmalloc(size, flags | __GFP_HIGHMEM, PAGE_KERNEL);