<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/ceph, branch linux-3.10.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>libceph: force GFP_NOIO for socket allocations</title>
<updated>2017-06-20T12:04:38+00:00</updated>
<author>
<name>Ilya Dryomov</name>
<email>idryomov@gmail.com</email>
</author>
<published>2017-03-21T12:44:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=edaad97b7b66222e51a2462f60d06fe3ebb55bca'/>
<id>edaad97b7b66222e51a2462f60d06fe3ebb55bca</id>
<content type='text'>
commit 633ee407b9d15a75ac9740ba9d3338815e1fcb95 upstream.

sock_alloc_inode() allocates socket+inode and socket_wq with
GFP_KERNEL, which is not allowed on the writeback path:

    Workqueue: ceph-msgr con_work [libceph]
    ffff8810871cb018 0000000000000046 0000000000000000 ffff881085d40000
    0000000000012b00 ffff881025cad428 ffff8810871cbfd8 0000000000012b00
    ffff880102fc1000 ffff881085d40000 ffff8810871cb038 ffff8810871cb148
    Call Trace:
    [&lt;ffffffff816dd629&gt;] schedule+0x29/0x70
    [&lt;ffffffff816e066d&gt;] schedule_timeout+0x1bd/0x200
    [&lt;ffffffff81093ffc&gt;] ? ttwu_do_wakeup+0x2c/0x120
    [&lt;ffffffff81094266&gt;] ? ttwu_do_activate.constprop.135+0x66/0x70
    [&lt;ffffffff816deb5f&gt;] wait_for_completion+0xbf/0x180
    [&lt;ffffffff81097cd0&gt;] ? try_to_wake_up+0x390/0x390
    [&lt;ffffffff81086335&gt;] flush_work+0x165/0x250
    [&lt;ffffffff81082940&gt;] ? worker_detach_from_pool+0xd0/0xd0
    [&lt;ffffffffa03b65b1&gt;] xlog_cil_force_lsn+0x81/0x200 [xfs]
    [&lt;ffffffff816d6b42&gt;] ? __slab_free+0xee/0x234
    [&lt;ffffffffa03b4b1d&gt;] _xfs_log_force_lsn+0x4d/0x2c0 [xfs]
    [&lt;ffffffff811adc1e&gt;] ? lookup_page_cgroup_used+0xe/0x30
    [&lt;ffffffffa039a723&gt;] ? xfs_reclaim_inode+0xa3/0x330 [xfs]
    [&lt;ffffffffa03b4dcf&gt;] xfs_log_force_lsn+0x3f/0xf0 [xfs]
    [&lt;ffffffffa039a723&gt;] ? xfs_reclaim_inode+0xa3/0x330 [xfs]
    [&lt;ffffffffa03a62c6&gt;] xfs_iunpin_wait+0xc6/0x1a0 [xfs]
    [&lt;ffffffff810aa250&gt;] ? wake_atomic_t_function+0x40/0x40
    [&lt;ffffffffa039a723&gt;] xfs_reclaim_inode+0xa3/0x330 [xfs]
    [&lt;ffffffffa039ac07&gt;] xfs_reclaim_inodes_ag+0x257/0x3d0 [xfs]
    [&lt;ffffffffa039bb13&gt;] xfs_reclaim_inodes_nr+0x33/0x40 [xfs]
    [&lt;ffffffffa03ab745&gt;] xfs_fs_free_cached_objects+0x15/0x20 [xfs]
    [&lt;ffffffff811c0c18&gt;] super_cache_scan+0x178/0x180
    [&lt;ffffffff8115912e&gt;] shrink_slab_node+0x14e/0x340
    [&lt;ffffffff811afc3b&gt;] ? mem_cgroup_iter+0x16b/0x450
    [&lt;ffffffff8115af70&gt;] shrink_slab+0x100/0x140
    [&lt;ffffffff8115e425&gt;] do_try_to_free_pages+0x335/0x490
    [&lt;ffffffff8115e7f9&gt;] try_to_free_pages+0xb9/0x1f0
    [&lt;ffffffff816d56e4&gt;] ? __alloc_pages_direct_compact+0x69/0x1be
    [&lt;ffffffff81150cba&gt;] __alloc_pages_nodemask+0x69a/0xb40
    [&lt;ffffffff8119743e&gt;] alloc_pages_current+0x9e/0x110
    [&lt;ffffffff811a0ac5&gt;] new_slab+0x2c5/0x390
    [&lt;ffffffff816d71c4&gt;] __slab_alloc+0x33b/0x459
    [&lt;ffffffff815b906d&gt;] ? sock_alloc_inode+0x2d/0xd0
    [&lt;ffffffff8164bda1&gt;] ? inet_sendmsg+0x71/0xc0
    [&lt;ffffffff815b906d&gt;] ? sock_alloc_inode+0x2d/0xd0
    [&lt;ffffffff811a21f2&gt;] kmem_cache_alloc+0x1a2/0x1b0
    [&lt;ffffffff815b906d&gt;] sock_alloc_inode+0x2d/0xd0
    [&lt;ffffffff811d8566&gt;] alloc_inode+0x26/0xa0
    [&lt;ffffffff811da04a&gt;] new_inode_pseudo+0x1a/0x70
    [&lt;ffffffff815b933e&gt;] sock_alloc+0x1e/0x80
    [&lt;ffffffff815ba855&gt;] __sock_create+0x95/0x220
    [&lt;ffffffff815baa04&gt;] sock_create_kern+0x24/0x30
    [&lt;ffffffffa04794d9&gt;] con_work+0xef9/0x2050 [libceph]
    [&lt;ffffffffa04aa9ec&gt;] ? rbd_img_request_submit+0x4c/0x60 [rbd]
    [&lt;ffffffff81084c19&gt;] process_one_work+0x159/0x4f0
    [&lt;ffffffff8108561b&gt;] worker_thread+0x11b/0x530
    [&lt;ffffffff81085500&gt;] ? create_worker+0x1d0/0x1d0
    [&lt;ffffffff8108b6f9&gt;] kthread+0xc9/0xe0
    [&lt;ffffffff8108b630&gt;] ? flush_kthread_worker+0x90/0x90
    [&lt;ffffffff816e1b98&gt;] ret_from_fork+0x58/0x90
    [&lt;ffffffff8108b630&gt;] ? flush_kthread_worker+0x90/0x90

Use memalloc_noio_{save,restore}() to temporarily force GFP_NOIO here.

Link: http://tracker.ceph.com/issues/19309
Reported-by: Sergey Jerusalimov &lt;wintchester@gmail.com&gt;
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 633ee407b9d15a75ac9740ba9d3338815e1fcb95 upstream.

sock_alloc_inode() allocates socket+inode and socket_wq with
GFP_KERNEL, which is not allowed on the writeback path:

    Workqueue: ceph-msgr con_work [libceph]
    ffff8810871cb018 0000000000000046 0000000000000000 ffff881085d40000
    0000000000012b00 ffff881025cad428 ffff8810871cbfd8 0000000000012b00
    ffff880102fc1000 ffff881085d40000 ffff8810871cb038 ffff8810871cb148
    Call Trace:
    [&lt;ffffffff816dd629&gt;] schedule+0x29/0x70
    [&lt;ffffffff816e066d&gt;] schedule_timeout+0x1bd/0x200
    [&lt;ffffffff81093ffc&gt;] ? ttwu_do_wakeup+0x2c/0x120
    [&lt;ffffffff81094266&gt;] ? ttwu_do_activate.constprop.135+0x66/0x70
    [&lt;ffffffff816deb5f&gt;] wait_for_completion+0xbf/0x180
    [&lt;ffffffff81097cd0&gt;] ? try_to_wake_up+0x390/0x390
    [&lt;ffffffff81086335&gt;] flush_work+0x165/0x250
    [&lt;ffffffff81082940&gt;] ? worker_detach_from_pool+0xd0/0xd0
    [&lt;ffffffffa03b65b1&gt;] xlog_cil_force_lsn+0x81/0x200 [xfs]
    [&lt;ffffffff816d6b42&gt;] ? __slab_free+0xee/0x234
    [&lt;ffffffffa03b4b1d&gt;] _xfs_log_force_lsn+0x4d/0x2c0 [xfs]
    [&lt;ffffffff811adc1e&gt;] ? lookup_page_cgroup_used+0xe/0x30
    [&lt;ffffffffa039a723&gt;] ? xfs_reclaim_inode+0xa3/0x330 [xfs]
    [&lt;ffffffffa03b4dcf&gt;] xfs_log_force_lsn+0x3f/0xf0 [xfs]
    [&lt;ffffffffa039a723&gt;] ? xfs_reclaim_inode+0xa3/0x330 [xfs]
    [&lt;ffffffffa03a62c6&gt;] xfs_iunpin_wait+0xc6/0x1a0 [xfs]
    [&lt;ffffffff810aa250&gt;] ? wake_atomic_t_function+0x40/0x40
    [&lt;ffffffffa039a723&gt;] xfs_reclaim_inode+0xa3/0x330 [xfs]
    [&lt;ffffffffa039ac07&gt;] xfs_reclaim_inodes_ag+0x257/0x3d0 [xfs]
    [&lt;ffffffffa039bb13&gt;] xfs_reclaim_inodes_nr+0x33/0x40 [xfs]
    [&lt;ffffffffa03ab745&gt;] xfs_fs_free_cached_objects+0x15/0x20 [xfs]
    [&lt;ffffffff811c0c18&gt;] super_cache_scan+0x178/0x180
    [&lt;ffffffff8115912e&gt;] shrink_slab_node+0x14e/0x340
    [&lt;ffffffff811afc3b&gt;] ? mem_cgroup_iter+0x16b/0x450
    [&lt;ffffffff8115af70&gt;] shrink_slab+0x100/0x140
    [&lt;ffffffff8115e425&gt;] do_try_to_free_pages+0x335/0x490
    [&lt;ffffffff8115e7f9&gt;] try_to_free_pages+0xb9/0x1f0
    [&lt;ffffffff816d56e4&gt;] ? __alloc_pages_direct_compact+0x69/0x1be
    [&lt;ffffffff81150cba&gt;] __alloc_pages_nodemask+0x69a/0xb40
    [&lt;ffffffff8119743e&gt;] alloc_pages_current+0x9e/0x110
    [&lt;ffffffff811a0ac5&gt;] new_slab+0x2c5/0x390
    [&lt;ffffffff816d71c4&gt;] __slab_alloc+0x33b/0x459
    [&lt;ffffffff815b906d&gt;] ? sock_alloc_inode+0x2d/0xd0
    [&lt;ffffffff8164bda1&gt;] ? inet_sendmsg+0x71/0xc0
    [&lt;ffffffff815b906d&gt;] ? sock_alloc_inode+0x2d/0xd0
    [&lt;ffffffff811a21f2&gt;] kmem_cache_alloc+0x1a2/0x1b0
    [&lt;ffffffff815b906d&gt;] sock_alloc_inode+0x2d/0xd0
    [&lt;ffffffff811d8566&gt;] alloc_inode+0x26/0xa0
    [&lt;ffffffff811da04a&gt;] new_inode_pseudo+0x1a/0x70
    [&lt;ffffffff815b933e&gt;] sock_alloc+0x1e/0x80
    [&lt;ffffffff815ba855&gt;] __sock_create+0x95/0x220
    [&lt;ffffffff815baa04&gt;] sock_create_kern+0x24/0x30
    [&lt;ffffffffa04794d9&gt;] con_work+0xef9/0x2050 [libceph]
    [&lt;ffffffffa04aa9ec&gt;] ? rbd_img_request_submit+0x4c/0x60 [rbd]
    [&lt;ffffffff81084c19&gt;] process_one_work+0x159/0x4f0
    [&lt;ffffffff8108561b&gt;] worker_thread+0x11b/0x530
    [&lt;ffffffff81085500&gt;] ? create_worker+0x1d0/0x1d0
    [&lt;ffffffff8108b6f9&gt;] kthread+0xc9/0xe0
    [&lt;ffffffff8108b630&gt;] ? flush_kthread_worker+0x90/0x90
    [&lt;ffffffff816e1b98&gt;] ret_from_fork+0x58/0x90
    [&lt;ffffffff8108b630&gt;] ? flush_kthread_worker+0x90/0x90

Use memalloc_noio_{save,restore}() to temporarily force GFP_NOIO here.

Link: http://tracker.ceph.com/issues/19309
Reported-by: Sergey Jerusalimov &lt;wintchester@gmail.com&gt;
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>libceph: verify authorize reply on connect</title>
<updated>2017-06-20T12:03:24+00:00</updated>
<author>
<name>Ilya Dryomov</name>
<email>idryomov@gmail.com</email>
</author>
<published>2016-12-02T15:35:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=93c83e37a5790c86626ef00ade1350770a904c9d'/>
<id>93c83e37a5790c86626ef00ade1350770a904c9d</id>
<content type='text'>
commit 5c056fdc5b474329037f2aa18401bd73033e0ce0 upstream.

After sending an authorizer (ceph_x_authorize_a + ceph_x_authorize_b),
the client gets back a ceph_x_authorize_reply, which it is supposed to
verify to ensure the authenticity and protect against replay attacks.
The code for doing this is there (ceph_x_verify_authorizer_reply(),
ceph_auth_verify_authorizer_reply() + plumbing), but it is never
invoked by the the messenger.

AFAICT this goes back to 2009, when ceph authentication protocols
support was added to the kernel client in 4e7a5dcd1bba ("ceph:
negotiate authentication protocol; implement AUTH_NONE protocol").

The second param of ceph_connection_operations::verify_authorizer_reply
is unused all the way down.  Pass 0 to facilitate backporting, and kill
it in the next commit.

Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Sage Weil &lt;sage@redhat.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 5c056fdc5b474329037f2aa18401bd73033e0ce0 upstream.

After sending an authorizer (ceph_x_authorize_a + ceph_x_authorize_b),
the client gets back a ceph_x_authorize_reply, which it is supposed to
verify to ensure the authenticity and protect against replay attacks.
The code for doing this is there (ceph_x_verify_authorizer_reply(),
ceph_auth_verify_authorizer_reply() + plumbing), but it is never
invoked by the the messenger.

AFAICT this goes back to 2009, when ceph authentication protocols
support was added to the kernel client in 4e7a5dcd1bba ("ceph:
negotiate authentication protocol; implement AUTH_NONE protocol").

The second param of ceph_connection_operations::verify_authorizer_reply
is unused all the way down.  Pass 0 to facilitate backporting, and kill
it in the next commit.

Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Sage Weil &lt;sage@redhat.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>libceph: don't set weight to IN when OSD is destroyed</title>
<updated>2017-06-07T22:46:46+00:00</updated>
<author>
<name>Ilya Dryomov</name>
<email>idryomov@gmail.com</email>
</author>
<published>2017-03-01T16:33:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=dd7d4be1c6a153eca651da013914e3fa54ef93d9'/>
<id>dd7d4be1c6a153eca651da013914e3fa54ef93d9</id>
<content type='text'>
commit b581a5854eee4b7851dedb0f8c2ceb54fb902c06 upstream.

Since ceph.git commit 4e28f9e63644 ("osd/OSDMap: clear osd_info,
osd_xinfo on osd deletion"), weight is set to IN when OSD is deleted.
This changes the result of applying an incremental for clients, not
just OSDs.  Because CRUSH computations are obviously affected,
pre-4e28f9e63644 servers disagree with post-4e28f9e63644 clients on
object placement, resulting in misdirected requests.

Mirrors ceph.git commit a6009d1039a55e2c77f431662b3d6cc5a8e8e63f.

Fixes: 930c53286977 ("libceph: apply new_state before new_up_client on incrementals")
Link: http://tracker.ceph.com/issues/19122
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Sage Weil &lt;sage@redhat.com&gt;
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit b581a5854eee4b7851dedb0f8c2ceb54fb902c06 upstream.

Since ceph.git commit 4e28f9e63644 ("osd/OSDMap: clear osd_info,
osd_xinfo on osd deletion"), weight is set to IN when OSD is deleted.
This changes the result of applying an incremental for clients, not
just OSDs.  Because CRUSH computations are obviously affected,
pre-4e28f9e63644 servers disagree with post-4e28f9e63644 clients on
object placement, resulting in misdirected requests.

Mirrors ceph.git commit a6009d1039a55e2c77f431662b3d6cc5a8e8e63f.

Fixes: 930c53286977 ("libceph: apply new_state before new_up_client on incrementals")
Link: http://tracker.ceph.com/issues/19122
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Sage Weil &lt;sage@redhat.com&gt;
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>libceph: apply new_state before new_up_client on incrementals</title>
<updated>2016-08-21T21:22:37+00:00</updated>
<author>
<name>Ilya Dryomov</name>
<email>idryomov@gmail.com</email>
</author>
<published>2016-07-24T16:32:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1196c36fd53c3b1615eb02f986cb727b1dfc1047'/>
<id>1196c36fd53c3b1615eb02f986cb727b1dfc1047</id>
<content type='text'>
commit 930c532869774ebf8af9efe9484c597f896a7d46 upstream.

Currently, osd_weight and osd_state fields are updated in the encoding
order.  This is wrong, because an incremental map may look like e.g.

    new_up_client: { osd=6, addr=... } # set osd_state and addr
    new_state: { osd=6, xorstate=EXISTS } # clear osd_state

Suppose osd6's current osd_state is EXISTS (i.e. osd6 is down).  After
applying new_up_client, osd_state is changed to EXISTS | UP.  Carrying
on with the new_state update, we flip EXISTS and leave osd6 in a weird
"!EXISTS but UP" state.  A non-existent OSD is considered down by the
mapping code

2087    for (i = 0; i &lt; pg-&gt;pg_temp.len; i++) {
2088            if (ceph_osd_is_down(osdmap, pg-&gt;pg_temp.osds[i])) {
2089                    if (ceph_can_shift_osds(pi))
2090                            continue;
2091
2092                    temp-&gt;osds[temp-&gt;size++] = CRUSH_ITEM_NONE;

and so requests get directed to the second OSD in the set instead of
the first, resulting in OSD-side errors like:

[WRN] : client.4239 192.168.122.21:0/2444980242 misdirected client.4239.1:2827 pg 2.5df899f2 to osd.4 not [1,4,6] in e680/680

and hung rbds on the client:

[  493.566367] rbd: rbd0: write 400000 at 11cc00000 (0)
[  493.566805] rbd: rbd0:   result -6 xferred 400000
[  493.567011] blk_update_request: I/O error, dev rbd0, sector 9330688

The fix is to decouple application from the decoding and:
- apply new_weight first
- apply new_state before new_up_client
- twiddle osd_state flags if marking in
- clear out some of the state if osd is destroyed

Fixes: http://tracker.ceph.com/issues/14901

Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Josh Durgin &lt;jdurgin@redhat.com&gt;
[idryomov@gmail.com: backport to 3.10-3.14: strip primary-affinity]
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 930c532869774ebf8af9efe9484c597f896a7d46 upstream.

Currently, osd_weight and osd_state fields are updated in the encoding
order.  This is wrong, because an incremental map may look like e.g.

    new_up_client: { osd=6, addr=... } # set osd_state and addr
    new_state: { osd=6, xorstate=EXISTS } # clear osd_state

Suppose osd6's current osd_state is EXISTS (i.e. osd6 is down).  After
applying new_up_client, osd_state is changed to EXISTS | UP.  Carrying
on with the new_state update, we flip EXISTS and leave osd6 in a weird
"!EXISTS but UP" state.  A non-existent OSD is considered down by the
mapping code

2087    for (i = 0; i &lt; pg-&gt;pg_temp.len; i++) {
2088            if (ceph_osd_is_down(osdmap, pg-&gt;pg_temp.osds[i])) {
2089                    if (ceph_can_shift_osds(pi))
2090                            continue;
2091
2092                    temp-&gt;osds[temp-&gt;size++] = CRUSH_ITEM_NONE;

and so requests get directed to the second OSD in the set instead of
the first, resulting in OSD-side errors like:

[WRN] : client.4239 192.168.122.21:0/2444980242 misdirected client.4239.1:2827 pg 2.5df899f2 to osd.4 not [1,4,6] in e680/680

and hung rbds on the client:

[  493.566367] rbd: rbd0: write 400000 at 11cc00000 (0)
[  493.566805] rbd: rbd0:   result -6 xferred 400000
[  493.567011] blk_update_request: I/O error, dev rbd0, sector 9330688

The fix is to decouple application from the decoding and:
- apply new_weight first
- apply new_state before new_up_client
- twiddle osd_state flags if marking in
- clear out some of the state if osd is destroyed

Fixes: http://tracker.ceph.com/issues/14901

Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Josh Durgin &lt;jdurgin@redhat.com&gt;
[idryomov@gmail.com: backport to 3.10-3.14: strip primary-affinity]
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>libceph: don't bail early from try_read() when skipping a message</title>
<updated>2016-03-03T23:06:24+00:00</updated>
<author>
<name>Ilya Dryomov</name>
<email>idryomov@gmail.com</email>
</author>
<published>2016-02-17T19:04:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=636a9c8a87da5056b4254ff9eaf67cf52c8c2d1d'/>
<id>636a9c8a87da5056b4254ff9eaf67cf52c8c2d1d</id>
<content type='text'>
commit e7a88e82fe380459b864e05b372638aeacb0f52d upstream.

The contract between try_read() and try_write() is that when called
each processes as much data as possible.  When instructed by osd_client
to skip a message, try_read() is violating this contract by returning
after receiving and discarding a single message instead of checking for
more.  try_write() then gets a chance to write out more requests,
generating more replies/skips for try_read() to handle, forcing the
messenger into a starvation loop.

Reported-by: Varada Kari &lt;Varada.Kari@sandisk.com&gt;
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Tested-by: Varada Kari &lt;Varada.Kari@sandisk.com&gt;
Reviewed-by: Alex Elder &lt;elder@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit e7a88e82fe380459b864e05b372638aeacb0f52d upstream.

The contract between try_read() and try_write() is that when called
each processes as much data as possible.  When instructed by osd_client
to skip a message, try_read() is violating this contract by returning
after receiving and discarding a single message instead of checking for
more.  try_write() then gets a chance to write out more requests,
generating more replies/skips for try_read() to handle, forcing the
messenger into a starvation loop.

Reported-by: Varada Kari &lt;Varada.Kari@sandisk.com&gt;
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Tested-by: Varada Kari &lt;Varada.Kari@sandisk.com&gt;
Reviewed-by: Alex Elder &lt;elder@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>crush: fix a bug in tree bucket decode</title>
<updated>2015-08-03T16:29:46+00:00</updated>
<author>
<name>Ilya Dryomov</name>
<email>idryomov@gmail.com</email>
</author>
<published>2015-06-29T16:30:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7546f8cb2dff62ad20c50bf3d6170ad8dadb9cc8'/>
<id>7546f8cb2dff62ad20c50bf3d6170ad8dadb9cc8</id>
<content type='text'>
commit 82cd003a77173c91b9acad8033fb7931dac8d751 upstream.

struct crush_bucket_tree::num_nodes is u8, so ceph_decode_8_safe()
should be used.  -Wconversion catches this, but I guess it went
unnoticed in all the noise it spews.  The actual problem (at least for
common crushmaps) isn't the u32 -&gt; u8 truncation though - it's the
advancement by 4 bytes instead of 1 in the crushmap buffer.

Fixes: http://tracker.ceph.com/issues/2759

Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Josh Durgin &lt;jdurgin@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 82cd003a77173c91b9acad8033fb7931dac8d751 upstream.

struct crush_bucket_tree::num_nodes is u8, so ceph_decode_8_safe()
should be used.  -Wconversion catches this, but I guess it went
unnoticed in all the noise it spews.  The actual problem (at least for
common crushmaps) isn't the u32 -&gt; u8 truncation though - it's the
advancement by 4 bytes instead of 1 in the crushmap buffer.

Fixes: http://tracker.ceph.com/issues/2759

Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Josh Durgin &lt;jdurgin@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>libceph: request a new osdmap if lingering request maps to no osd</title>
<updated>2015-06-06T06:19:54+00:00</updated>
<author>
<name>Ilya Dryomov</name>
<email>idryomov@gmail.com</email>
</author>
<published>2015-05-11T14:53:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d2e3dbf9c3449c208b962dff4d68bab013a16b61'/>
<id>d2e3dbf9c3449c208b962dff4d68bab013a16b61</id>
<content type='text'>
commit b0494532214bdfbf241e94fabab5dd46f7b82631 upstream.

This commit does two things.  First, if there are any homeless
lingering requests, we now request a new osdmap even if the osdmap that
is being processed brought no changes, i.e. if a given lingering
request turned homeless in one of the previous epochs and remained
homeless in the current epoch.  Not doing so leaves us with a stale
osdmap and as a result we may miss our window for reestablishing the
watch and lose notifies.

MON=1 OSD=1:

    # cat linger-needmap.sh
    #!/bin/bash
    rbd create --size 1 test
    DEV=$(rbd map test)
    ceph osd out 0
    rbd map dne/dne # obtain a new osdmap as a side effect (!)
    sleep 1
    ceph osd in 0
    rbd resize --size 2 test
    # rbd info test | grep size -&gt; 2M
    # blockdev --getsize $DEV -&gt; 1M

N.B.: Not obtaining a new osdmap in between "osd out" and "osd in"
above is enough to make it miss that resize notify, but that is a
bug^Wlimitation of ceph watch/notify v1.

Second, homeless lingering requests are now kicked just like those
lingering requests whose mapping has changed.  This is mainly to
recognize that a homeless lingering request makes no sense and to
preserve the invariant that a registered lingering request is not
sitting on any of r_req_lru_item lists.  This spares us a WARN_ON,
which commit ba9d114ec557 ("libceph: clear r_req_lru_item in
__unregister_linger_request()") tried to fix the _wrong_ way.

Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Sage Weil &lt;sage@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit b0494532214bdfbf241e94fabab5dd46f7b82631 upstream.

This commit does two things.  First, if there are any homeless
lingering requests, we now request a new osdmap even if the osdmap that
is being processed brought no changes, i.e. if a given lingering
request turned homeless in one of the previous epochs and remained
homeless in the current epoch.  Not doing so leaves us with a stale
osdmap and as a result we may miss our window for reestablishing the
watch and lose notifies.

MON=1 OSD=1:

    # cat linger-needmap.sh
    #!/bin/bash
    rbd create --size 1 test
    DEV=$(rbd map test)
    ceph osd out 0
    rbd map dne/dne # obtain a new osdmap as a side effect (!)
    sleep 1
    ceph osd in 0
    rbd resize --size 2 test
    # rbd info test | grep size -&gt; 2M
    # blockdev --getsize $DEV -&gt; 1M

N.B.: Not obtaining a new osdmap in between "osd out" and "osd in"
above is enough to make it miss that resize notify, but that is a
bug^Wlimitation of ceph watch/notify v1.

Second, homeless lingering requests are now kicked just like those
lingering requests whose mapping has changed.  This is mainly to
recognize that a homeless lingering request makes no sense and to
preserve the invariant that a registered lingering request is not
sitting on any of r_req_lru_item lists.  This spares us a WARN_ON,
which commit ba9d114ec557 ("libceph: clear r_req_lru_item in
__unregister_linger_request()") tried to fix the _wrong_ way.

Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Sage Weil &lt;sage@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>libceph: fix double __remove_osd() problem</title>
<updated>2015-03-06T22:40:54+00:00</updated>
<author>
<name>Ilya Dryomov</name>
<email>idryomov@gmail.com</email>
</author>
<published>2015-02-17T16:37:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6af167fbe6c42fda5203b8095b92669dd0a687d4'/>
<id>6af167fbe6c42fda5203b8095b92669dd0a687d4</id>
<content type='text'>
commit 7eb71e0351fbb1b242ae70abb7bb17107fe2f792 upstream.

It turns out it's possible to get __remove_osd() called twice on the
same OSD.  That doesn't sit well with rb_erase() - depending on the
shape of the tree we can get a NULL dereference, a soft lockup or
a random crash at some point in the future as we end up touching freed
memory.  One scenario that I was able to reproduce is as follows:

            &lt;osd3 is idle, on the osd lru list&gt;
&lt;con reset - osd3&gt;
con_fault_finish()
  osd_reset()
                              &lt;osdmap - osd3 down&gt;
                              ceph_osdc_handle_map()
                                &lt;takes map_sem&gt;
                                kick_requests()
                                  &lt;takes request_mutex&gt;
                                  reset_changed_osds()
                                    __reset_osd()
                                      __remove_osd()
                                  &lt;releases request_mutex&gt;
                                &lt;releases map_sem&gt;
    &lt;takes map_sem&gt;
    &lt;takes request_mutex&gt;
    __kick_osd_requests()
      __reset_osd()
        __remove_osd() &lt;-- !!!

A case can be made that osd refcounting is imperfect and reworking it
would be a proper resolution, but for now Sage and I decided to fix
this by adding a safe guard around __remove_osd().

Fixes: http://tracker.ceph.com/issues/8087

Cc: Sage Weil &lt;sage@redhat.com&gt;
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Sage Weil &lt;sage@redhat.com&gt;
Reviewed-by: Alex Elder &lt;elder@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 7eb71e0351fbb1b242ae70abb7bb17107fe2f792 upstream.

It turns out it's possible to get __remove_osd() called twice on the
same OSD.  That doesn't sit well with rb_erase() - depending on the
shape of the tree we can get a NULL dereference, a soft lockup or
a random crash at some point in the future as we end up touching freed
memory.  One scenario that I was able to reproduce is as follows:

            &lt;osd3 is idle, on the osd lru list&gt;
&lt;con reset - osd3&gt;
con_fault_finish()
  osd_reset()
                              &lt;osdmap - osd3 down&gt;
                              ceph_osdc_handle_map()
                                &lt;takes map_sem&gt;
                                kick_requests()
                                  &lt;takes request_mutex&gt;
                                  reset_changed_osds()
                                    __reset_osd()
                                      __remove_osd()
                                  &lt;releases request_mutex&gt;
                                &lt;releases map_sem&gt;
    &lt;takes map_sem&gt;
    &lt;takes request_mutex&gt;
    __kick_osd_requests()
      __reset_osd()
        __remove_osd() &lt;-- !!!

A case can be made that osd refcounting is imperfect and reworking it
would be a proper resolution, but for now Sage and I decided to fix
this by adding a safe guard around __remove_osd().

Fixes: http://tracker.ceph.com/issues/8087

Cc: Sage Weil &lt;sage@redhat.com&gt;
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Sage Weil &lt;sage@redhat.com&gt;
Reviewed-by: Alex Elder &lt;elder@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>libceph: change from BUG to WARN for __remove_osd() asserts</title>
<updated>2015-03-06T22:40:54+00:00</updated>
<author>
<name>Ilya Dryomov</name>
<email>idryomov@redhat.com</email>
</author>
<published>2014-11-05T16:33:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=54ff4c89a5445fa8f313a338c1cf5478317df154'/>
<id>54ff4c89a5445fa8f313a338c1cf5478317df154</id>
<content type='text'>
commit cc9f1f518cec079289d11d732efa490306b1ddad upstream.

No reason to use BUG_ON for osd request list assertions.

Signed-off-by: Ilya Dryomov &lt;idryomov@redhat.com&gt;
Reviewed-by: Alex Elder &lt;elder@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit cc9f1f518cec079289d11d732efa490306b1ddad upstream.

No reason to use BUG_ON for osd request list assertions.

Signed-off-by: Ilya Dryomov &lt;idryomov@redhat.com&gt;
Reviewed-by: Alex Elder &lt;elder@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>libceph: assert both regular and lingering lists in __remove_osd()</title>
<updated>2015-03-06T22:40:54+00:00</updated>
<author>
<name>Ilya Dryomov</name>
<email>ilya.dryomov@inktank.com</email>
</author>
<published>2014-06-18T09:02:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5d3c6d27f48ce3b501c988bd0ab2232a0d4612c6'/>
<id>5d3c6d27f48ce3b501c988bd0ab2232a0d4612c6</id>
<content type='text'>
commit 7c6e6fc53e7335570ed82f77656cedce1502744e upstream.

It is important that both regular and lingering requests lists are
empty when the OSD is removed.

Signed-off-by: Ilya Dryomov &lt;ilya.dryomov@inktank.com&gt;
Reviewed-by: Alex Elder &lt;elder@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 7c6e6fc53e7335570ed82f77656cedce1502744e upstream.

It is important that both regular and lingering requests lists are
empty when the OSD is removed.

Signed-off-by: Ilya Dryomov &lt;ilya.dryomov@inktank.com&gt;
Reviewed-by: Alex Elder &lt;elder@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
</feed>
