1. 26 5月, 2016 20 次提交
  2. 26 4月, 2016 1 次提交
    • I
      libceph: make authorizer destruction independent of ceph_auth_client · 6c1ea260
      Ilya Dryomov 提交于
      Starting the kernel client with cephx disabled and then enabling cephx
      and restarting userspace daemons can result in a crash:
      
          [262671.478162] BUG: unable to handle kernel paging request at ffffebe000000000
          [262671.531460] IP: [<ffffffff811cd04a>] kfree+0x5a/0x130
          [262671.584334] PGD 0
          [262671.635847] Oops: 0000 [#1] SMP
          [262672.055841] CPU: 22 PID: 2961272 Comm: kworker/22:2 Not tainted 4.2.0-34-generic #39~14.04.1-Ubuntu
          [262672.162338] Hardware name: Dell Inc. PowerEdge R720/068CDY, BIOS 2.4.3 07/09/2014
          [262672.268937] Workqueue: ceph-msgr con_work [libceph]
          [262672.322290] task: ffff88081c2d0dc0 ti: ffff880149ae8000 task.ti: ffff880149ae8000
          [262672.428330] RIP: 0010:[<ffffffff811cd04a>]  [<ffffffff811cd04a>] kfree+0x5a/0x130
          [262672.535880] RSP: 0018:ffff880149aeba58  EFLAGS: 00010286
          [262672.589486] RAX: 000001e000000000 RBX: 0000000000000012 RCX: ffff8807e7461018
          [262672.695980] RDX: 000077ff80000000 RSI: ffff88081af2be04 RDI: 0000000000000012
          [262672.803668] RBP: ffff880149aeba78 R08: 0000000000000000 R09: 0000000000000000
          [262672.912299] R10: ffffebe000000000 R11: ffff880819a60e78 R12: ffff8800aec8df40
          [262673.021769] R13: ffffffffc035f70f R14: ffff8807e5b138e0 R15: ffff880da9785840
          [262673.131722] FS:  0000000000000000(0000) GS:ffff88081fac0000(0000) knlGS:0000000000000000
          [262673.245377] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
          [262673.303281] CR2: ffffebe000000000 CR3: 0000000001c0d000 CR4: 00000000001406e0
          [262673.417556] Stack:
          [262673.472943]  ffff880149aeba88 ffff88081af2be04 ffff8800aec8df40 ffff88081af2be04
          [262673.583767]  ffff880149aeba98 ffffffffc035f70f ffff880149aebac8 ffff8800aec8df00
          [262673.694546]  ffff880149aebac8 ffffffffc035c89e ffff8807e5b138e0 ffff8805b047f800
          [262673.805230] Call Trace:
          [262673.859116]  [<ffffffffc035f70f>] ceph_x_destroy_authorizer+0x1f/0x50 [libceph]
          [262673.968705]  [<ffffffffc035c89e>] ceph_auth_destroy_authorizer+0x3e/0x60 [libceph]
          [262674.078852]  [<ffffffffc0352805>] put_osd+0x45/0x80 [libceph]
          [262674.134249]  [<ffffffffc035290e>] remove_osd+0xae/0x140 [libceph]
          [262674.189124]  [<ffffffffc0352aa3>] __reset_osd+0x103/0x150 [libceph]
          [262674.243749]  [<ffffffffc0354703>] kick_requests+0x223/0x460 [libceph]
          [262674.297485]  [<ffffffffc03559e2>] ceph_osdc_handle_map+0x282/0x5e0 [libceph]
          [262674.350813]  [<ffffffffc035022e>] dispatch+0x4e/0x720 [libceph]
          [262674.403312]  [<ffffffffc034bd91>] try_read+0x3d1/0x1090 [libceph]
          [262674.454712]  [<ffffffff810ab7c2>] ? dequeue_entity+0x152/0x690
          [262674.505096]  [<ffffffffc034cb1b>] con_work+0xcb/0x1300 [libceph]
          [262674.555104]  [<ffffffff8108fb3e>] process_one_work+0x14e/0x3d0
          [262674.604072]  [<ffffffff810901ea>] worker_thread+0x11a/0x470
          [262674.652187]  [<ffffffff810900d0>] ? rescuer_thread+0x310/0x310
          [262674.699022]  [<ffffffff810957a2>] kthread+0xd2/0xf0
          [262674.744494]  [<ffffffff810956d0>] ? kthread_create_on_node+0x1c0/0x1c0
          [262674.789543]  [<ffffffff817bd81f>] ret_from_fork+0x3f/0x70
          [262674.834094]  [<ffffffff810956d0>] ? kthread_create_on_node+0x1c0/0x1c0
      
      What happens is the following:
      
          (1) new MON session is established
          (2) old "none" ac is destroyed
          (3) new "cephx" ac is constructed
          ...
          (4) old OSD session (w/ "none" authorizer) is put
                ceph_auth_destroy_authorizer(ac, osd->o_auth.authorizer)
      
      osd->o_auth.authorizer in the "none" case is just a bare pointer into
      ac, which contains a single static copy for all services.  By the time
      we get to (4), "none" ac, freed in (2), is long gone.  On top of that,
      a new vtable installed in (3) points us at ceph_x_destroy_authorizer(),
      so we end up trying to destroy a "none" authorizer with a "cephx"
      destructor operating on invalid memory!
      
      To fix this, decouple authorizer destruction from ac and do away with
      a single static "none" authorizer by making a copy for each OSD or MDS
      session.  Authorizers themselves are independent of ac and so there is
      no reason for destroy_authorizer() to be an ac op.  Make it an op on
      the authorizer itself by turning ceph_authorizer into a real struct.
      
      Fixes: http://tracker.ceph.com/issues/15447Reported-by: NAlan Zhang <alan.zhang@linux.com>
      Signed-off-by: NIlya Dryomov <idryomov@gmail.com>
      Reviewed-by: NSage Weil <sage@redhat.com>
      6c1ea260
  3. 26 3月, 2016 7 次提交
  4. 25 2月, 2016 1 次提交
  5. 05 2月, 2016 1 次提交
  6. 03 11月, 2015 4 次提交
    • I
      libceph: clear msg->con in ceph_msg_release() only · 583d0fef
      Ilya Dryomov 提交于
      The following bit in ceph_msg_revoke_incoming() is unsafe:
      
          struct ceph_connection *con = msg->con;
          if (!con)
                  return;
          mutex_lock(&con->mutex);
          <more msg->con use>
      
      There is nothing preventing con from getting destroyed right after
      msg->con test.  One easy way to reproduce this is to disable message
      signing only on the server side and try to map an image.  The system
      will go into a
      
          libceph: read_partial_message ffff880073f0ab68 signature check failed
          libceph: osd0 192.168.255.155:6801 bad crc/signature
          libceph: read_partial_message ffff880073f0ab68 signature check failed
          libceph: osd0 192.168.255.155:6801 bad crc/signature
      
      loop which has to be interrupted with Ctrl-C.  Hit Ctrl-C and you are
      likely to end up with a random GP fault if the reset handler executes
      "within" ceph_msg_revoke_incoming():
      
                           <yet another reply w/o a signature>
                                         ...
                <Ctrl-C>
          rbd_obj_request_end
            ceph_osdc_cancel_request
              __unregister_request
                ceph_osdc_put_request
                  ceph_msg_revoke_incoming
                                         ...
                                      osd_reset
                                        __kick_osd_requests
                                          __reset_osd
                                            remove_osd
                                              ceph_con_close
                                                reset_connection
                                                  <clear con->in_msg->con>
                                                  <put con ref>
                                                    put_osd
                                                      <free osd/con>
                    <msg->con use> <-- !!!
      
      If ceph_msg_revoke_incoming() executes "before" the reset handler,
      osd/con will be leaked because ceph_msg_revoke_incoming() clears
      con->in_msg but doesn't put con ref, while reset_connection() only puts
      con ref if con->in_msg != NULL.
      
      The current msg->con scheme was introduced by commits 38941f80
      ("libceph: have messages point to their connection") and 92ce034b
      ("libceph: have messages take a connection reference"), which defined
      when messages get associated with a connection and when that
      association goes away.  Part of the problem is that this association is
      supposed to go away in much too many places; closing this race entirely
      requires either a rework of the existing or an addition of a new layer
      of synchronization.
      
      In lieu of that, we can make it *much* less likely to hit by
      disassociating messages only on their destruction and resend through
      a different connection.  This makes the code simpler and is probably
      a good thing to do regardless - this patch adds a msg_con_set() helper
      which is is called from only three places: ceph_con_send() and
      ceph_con_in_msg_alloc() to set msg->con and ceph_msg_release() to clear
      it.
      Signed-off-by: NIlya Dryomov <idryomov@gmail.com>
      583d0fef
    • I
      libceph: msg signing callouts don't need con argument · 79dbd1ba
      Ilya Dryomov 提交于
      We can use msg->con instead - at the point we sign an outgoing message
      or check the signature on the incoming one, msg->con is always set.  We
      wouldn't know how to sign a message without an associated session (i.e.
      msg->con == NULL) and being able to sign a message using an explicitly
      provided authorizer is of no use.
      Signed-off-by: NIlya Dryomov <idryomov@gmail.com>
      79dbd1ba
    • I
      libceph: evaluate osd_req_op_data() arguments only once · 8a703a38
      Ioana Ciornei 提交于
      This patch changes the osd_req_op_data() macro to not evaluate
      arguments more than once in order to follow the kernel coding style.
      Signed-off-by: NIoana Ciornei <ciorneiioana@gmail.com>
      Reviewed-by: NAlex Elder <elder@linaro.org>
      [idryomov@gmail.com: changelog, formatting]
      Signed-off-by: NIlya Dryomov <idryomov@gmail.com>
      8a703a38
    • S
      libceph: remove con argument in handle_reply() · 70cf052d
      Shraddha Barke 提交于
      Since handle_reply() does not use its con argument, remove it.
      Signed-off-by: NShraddha Barke <shraddha.6596@gmail.com>
      Signed-off-by: NIlya Dryomov <idryomov@gmail.com>
      70cf052d
  7. 16 10月, 2015 1 次提交
    • I
      rbd: use writefull op for object size writes · e30b7577
      Ilya Dryomov 提交于
      This covers only the simplest case - an object size sized write, but
      it's still useful in tiering setups when EC is used for the base tier
      as writefull op can be proxied, saving an object promotion.
      
      Even though updating ceph_osdc_new_request() to allow writefull should
      just be a matter of fixing an assert, I didn't do it because its only
      user is cephfs.  All other sites were updated.
      
      Reflects ceph.git commit 7bfb7f9025a8ee0d2305f49bf0336d2424da5b5b.
      Signed-off-by: NIlya Dryomov <idryomov@gmail.com>
      Reviewed-by: NAlex Elder <elder@linaro.org>
      e30b7577
  8. 09 9月, 2015 1 次提交
    • I
      libceph: check data_len in ->alloc_msg() · d15f9d69
      Ilya Dryomov 提交于
      Only ->alloc_msg() should check data_len of the incoming message
      against the preallocated ceph_msg, doing it in the messenger is not
      right.  The contract is that either ->alloc_msg() returns a ceph_msg
      which will fit all of the portions of the incoming message, or it
      returns NULL and possibly sets skip, signaling whether NULL is due to
      an -ENOMEM.  ->alloc_msg() should be the only place where we make the
      skip/no-skip decision.
      
      I stumbled upon this while looking at con/osd ref counting.  Right now,
      if we get a non-extent message with a larger data portion than we are
      prepared for, ->alloc_msg() returns a ceph_msg, and then, when we skip
      it in the messenger, we don't put the con/osd ref acquired in
      ceph_con_in_msg_alloc() (which is normally put in process_message()),
      so this also fixes a memory leak.
      
      An existing BUG_ON in ceph_msg_data_cursor_init() ensures we don't
      corrupt random memory should a buggy ->alloc_msg() return an unfit
      ceph_msg.
      
      While at it, I changed the "unknown tid" dout() to a pr_warn() to make
      sure all skips are seen and unified format strings.
      Signed-off-by: NIlya Dryomov <idryomov@gmail.com>
      Reviewed-by: NAlex Elder <elder@linaro.org>
      d15f9d69
  9. 25 6月, 2015 3 次提交
  10. 21 5月, 2015 1 次提交
    • I
      Revert "libceph: clear r_req_lru_item in __unregister_linger_request()" · 521a04d0
      Ilya Dryomov 提交于
      This reverts commit ba9d114e.
      
      .. which introduced a regression that prevented all lingering requests
      requeued in kick_requests() from ever being sent to the OSDs, resulting
      in a lot of missed notifies.  In retrospect it's pretty obvious that
      r_req_lru_item item in the case of lingering requests can be used not
      only for notarget, but also for unsent linkage due to how tightly
      actual map and enqueue operations are coupled in __map_request().
      
      The assertion that was being silenced is taken care of in the previous
      ("libceph: request a new osdmap if lingering request maps to no osd")
      commit: by always kicking homeless lingering requests we ensure that
      none of them ends up on the notarget list outside of the critical
      section guarded by request_mutex.
      
      Cc: stable@vger.kernel.org # 3.18+, needs b0494532 "libceph: request a new osdmap if lingering request maps to no osd"
      Signed-off-by: NIlya Dryomov <idryomov@gmail.com>
      Reviewed-by: NSage Weil <sage@redhat.com>
      521a04d0