diff mbox series

[1/3] libmultipath: fix handling of pp->pgindex

Message ID 20241125143224.51934-2-mwilck@suse.com (mailing list archive)
State Not Applicable, archived
Delegated to: Benjamin Marzinski
Headers show
Series multipath-tools fixes | expand

Commit Message

Martin Wilck Nov. 25, 2024, 2:32 p.m. UTC
pp->pgindex is set in disassemble_map() when a map is parsed.
There are various possiblities for this index to become invalid.
pp->pgindex is only used in enable_group() and followover_should_fallback(),
and both callers take no action if it is 0, which is the right
thing to do if we don't know the path's pathgroup.

Make sure pp->pgindex is reset to 0 in various places:
- when it's orphaned,
- before (re)grouping paths,
- when we detect a bad mpp assignment in update_pathvec_from_dm().

The hunk in group_paths is mostly redundant with the hunk in free_pgvec(), but
because we're looping over pg->paths in the former and over pg->pgp in
the latter, I think it's better too play safe.

Fixes: 99db1bd ("[multipathd] re-enable disabled PG when at least one path is up")
Signed-off-by: Martin Wilck <mwilck@suse.com>
---
 libmultipath/pgpolicies.c  |  6 ++++++
 libmultipath/structs.c     | 12 +++++++++++-
 libmultipath/structs_vec.c |  8 ++++++++
 3 files changed, 25 insertions(+), 1 deletion(-)

Comments

Benjamin Marzinski Nov. 25, 2024, 8:31 p.m. UTC | #1
On Mon, Nov 25, 2024 at 03:32:22PM +0100, Martin Wilck wrote:
> pp->pgindex is set in disassemble_map() when a map is parsed.
> There are various possiblities for this index to become invalid.
> pp->pgindex is only used in enable_group() and followover_should_fallback(),
> and both callers take no action if it is 0, which is the right
> thing to do if we don't know the path's pathgroup.
> 
> Make sure pp->pgindex is reset to 0 in various places:
> - when it's orphaned,
> - before (re)grouping paths,
> - when we detect a bad mpp assignment in update_pathvec_from_dm().
> 
> The hunk in group_paths is mostly redundant with the hunk in free_pgvec(), but
> because we're looping over pg->paths in the former and over pg->pgp in
> the latter, I think it's better too play safe.

I'm not sure this will always fix issue #105. Perhaps I'm overlooking
the connection in the code and this just needs a more explicit
explanation to aid clueless reviewers, but here's what I don't get.

As far as I can see, the only change here that would effect the reported
issue is the change to update_pathvec_from_dm(). While I totally agree
that if you have a path that appears to be two multipath devices, you
can't trust pp->pgindex, I believe there's also another problem.

Say you have a multipath device with two path groups (pgp1 and pgp2)
each with one path (pp1 in pgp1 and pp2 in pgp2). In this case,
pp1->pgindex == 1 and pp2->pgindex == 2. If update_pathvec_from_dm()
discovers that pp1 is part of another multipath device, and removes it,
that will mean that pgp1 is now empty, so update_pathvec_from_dm() will
also remove that (at the delete_pg label).  But pp2->pgindex will still
be set to 2 even though there's only one path group, so it will now
point off the end of the pgp list. Right?

At any rate, updating pgindex seems finicky and perhaps we should just
drop it. It's not that much work to scan the path groups for the path in
enable_group() and since we're already reading through the path groups
in followover_should_failback(), we can just refactor the code a little
bit to avoid needing pgindex at all.

-Ben
 
> Fixes: 99db1bd ("[multipathd] re-enable disabled PG when at least one path is up")
> Signed-off-by: Martin Wilck <mwilck@suse.com>
> ---
>  libmultipath/pgpolicies.c  |  6 ++++++
>  libmultipath/structs.c     | 12 +++++++++++-
>  libmultipath/structs_vec.c |  8 ++++++++
>  3 files changed, 25 insertions(+), 1 deletion(-)
> 
> diff --git a/libmultipath/pgpolicies.c b/libmultipath/pgpolicies.c
> index edc3c61..23ef2bd 100644
> --- a/libmultipath/pgpolicies.c
> +++ b/libmultipath/pgpolicies.c
> @@ -127,6 +127,8 @@ fail:
>  int group_paths(struct multipath *mp, int marginal_pathgroups)
>  {
>  	vector normal, marginal;
> +	struct path *pp;
> +	int i;
>  
>  	if (!mp->pg)
>  		mp->pg = vector_alloc();
> @@ -138,6 +140,10 @@ int group_paths(struct multipath *mp, int marginal_pathgroups)
>  	if (!mp->pgpolicyfn)
>  		goto fail;
>  
> +	/* Reset pgindex, we're going to invalidate it */
> +	vector_foreach_slot(mp->paths, pp, i)
> +		pp->pgindex = 0;
> +
>  	if (!marginal_pathgroups ||
>  	    split_marginal_paths(mp->paths, &normal, &marginal) != 0) {
>  		if (mp->pgpolicyfn(mp, mp->paths) != 0)
> diff --git a/libmultipath/structs.c b/libmultipath/structs.c
> index 61c8f32..4851725 100644
> --- a/libmultipath/structs.c
> +++ b/libmultipath/structs.c
> @@ -239,8 +239,18 @@ free_pgvec (vector pgvec, enum free_path_mode free_paths)
>  	if (!pgvec)
>  		return;
>  
> -	vector_foreach_slot(pgvec, pgp, i)
> +	vector_foreach_slot(pgvec, pgp, i) {
> +
> +		/* paths are going to be re-grouped, reset pgindex */
> +		if (free_paths != FREE_PATHS) {
> +			struct path *pp;
> +			int j;
> +
> +			vector_foreach_slot(pgp->paths, pp, j)
> +				pp->pgindex = 0;
> +		}
>  		free_pathgroup(pgp, free_paths);
> +	}
>  
>  	vector_free(pgvec);
>  }
> diff --git a/libmultipath/structs_vec.c b/libmultipath/structs_vec.c
> index d22056c..64c5ad5 100644
> --- a/libmultipath/structs_vec.c
> +++ b/libmultipath/structs_vec.c
> @@ -139,6 +139,13 @@ static bool update_pathvec_from_dm(vector pathvec, struct multipath *mpp,
>  				must_reload = true;
>  				dm_fail_path(mpp->alias, pp->dev_t);
>  				vector_del_slot(pgp->paths, j--);
> +				/*
> +				 * pp->pgindex has been set in disassemble_map(),
> +				 * which has probably been called just before for
> +				 * mpp. So he pgindex relates to mpp and may be
> +				 * wrong for pp->mpp. Invalidate it.
> +				 */
> +				pp->pgindex = 0;
>  				continue;
>  			}
>  			pp->mpp = mpp;
> @@ -354,6 +361,7 @@ void orphan_path(struct path *pp, const char *reason)
>  {
>  	condlog(3, "%s: orphan path, %s", pp->dev, reason);
>  	pp->mpp = NULL;
> +	pp->pgindex = 0;
>  	uninitialize_path(pp);
>  }
>  
> -- 
> 2.47.0
Martin Wilck Nov. 26, 2024, 11:12 a.m. UTC | #2
On Mon, 2024-11-25 at 15:31 -0500, Benjamin Marzinski wrote:
> On Mon, Nov 25, 2024 at 03:32:22PM +0100, Martin Wilck wrote:
> > pp->pgindex is set in disassemble_map() when a map is parsed.
> > There are various possiblities for this index to become invalid.
> > pp->pgindex is only used in enable_group() and
> > followover_should_fallback(),
> > and both callers take no action if it is 0, which is the right
> > thing to do if we don't know the path's pathgroup.
> > 
> > Make sure pp->pgindex is reset to 0 in various places:
> > - when it's orphaned,
> > - before (re)grouping paths,
> > - when we detect a bad mpp assignment in update_pathvec_from_dm().
> > 
> > The hunk in group_paths is mostly redundant with the hunk in
> > free_pgvec(), but
> > because we're looping over pg->paths in the former and over pg->pgp
> > in
> > the latter, I think it's better too play safe.
> 
> I'm not sure this will always fix issue #105. Perhaps I'm overlooking
> the connection in the code and this just needs a more explicit
> explanation to aid clueless reviewers, but here's what I don't get.
> 
> As far as I can see, the only change here that would effect the
> reported
> issue is the change to update_pathvec_from_dm(). While I totally
> agree
> that if you have a path that appears to be two multipath devices, you
> can't trust pp->pgindex, I believe there's also another problem.
> 
> Say you have a multipath device with two path groups (pgp1 and pgp2)
> each with one path (pp1 in pgp1 and pp2 in pgp2). In this case,
> pp1->pgindex == 1 and pp2->pgindex == 2. If update_pathvec_from_dm()
> discovers that pp1 is part of another multipath device, and removes
> it,
> that will mean that pgp1 is now empty, so update_pathvec_from_dm()
> will
> also remove that (at the delete_pg label).  But pp2->pgindex will
> still
> be set to 2 even though there's only one path group, so it will now
> point off the end of the pgp list. Right?

Right, thanks for pointing this out. If we delete a pg, we need to
invalidate all pgindex values for all paths in the map. We can't
decrement them, because they must match kernel indices (see below).

> At any rate, updating pgindex seems finicky and perhaps we should
> just
> drop it. It's not that much work to scan the path groups for the path
> in
> enable_group() and since we're already reading through the path
> groups
> in followover_should_failback(), we can just refactor the code a
> little
> bit to avoid needing pgindex at all.

I had similar thoughts, but I was looking for a minimal fix for the
0.11.0 release. Probably dropping pgindex for good is the right thing
to do, but is it 0.11.0 material?

We'd still have the problem that enable_group() et al. need a pgindex
value that matches the kernel configuration. We can only be sure that
this index is correct if disassemble_map() has just set it. Any change
we apply in multipathd's data structures won't match the kernel's view
of the map.

This problem is subtle, AFAICS. It's related to the fact that if
update_pathvec_from_dm() finds any inconsistencies, we *should* reload
the map, possibly multiple times, until these inconsistencies have been
resolved. But we can't do that in all code paths in which this function
is called (or at least, we haven't been able to prove that we can
without risking breakage).

I have vague ideas how this could be solved, but they would require a
major code restructuring.

Regards,
Martin
Benjamin Marzinski Nov. 26, 2024, 5:41 p.m. UTC | #3
On Tue, Nov 26, 2024 at 12:12:16PM +0100, Martin Wilck wrote:
> On Mon, 2024-11-25 at 15:31 -0500, Benjamin Marzinski wrote:
> > On Mon, Nov 25, 2024 at 03:32:22PM +0100, Martin Wilck wrote:
> > > pp->pgindex is set in disassemble_map() when a map is parsed.
> > > There are various possiblities for this index to become invalid.
> > > pp->pgindex is only used in enable_group() and
> > > followover_should_fallback(),
> > > and both callers take no action if it is 0, which is the right
> > > thing to do if we don't know the path's pathgroup.
> > > 
> > > Make sure pp->pgindex is reset to 0 in various places:
> > > - when it's orphaned,
> > > - before (re)grouping paths,
> > > - when we detect a bad mpp assignment in update_pathvec_from_dm().
> > > 
> > > The hunk in group_paths is mostly redundant with the hunk in
> > > free_pgvec(), but
> > > because we're looping over pg->paths in the former and over pg->pgp
> > > in
> > > the latter, I think it's better too play safe.
> > 
> > I'm not sure this will always fix issue #105. Perhaps I'm overlooking
> > the connection in the code and this just needs a more explicit
> > explanation to aid clueless reviewers, but here's what I don't get.
> > 
> > As far as I can see, the only change here that would effect the
> > reported
> > issue is the change to update_pathvec_from_dm(). While I totally
> > agree
> > that if you have a path that appears to be two multipath devices, you
> > can't trust pp->pgindex, I believe there's also another problem.
> > 
> > Say you have a multipath device with two path groups (pgp1 and pgp2)
> > each with one path (pp1 in pgp1 and pp2 in pgp2). In this case,
> > pp1->pgindex == 1 and pp2->pgindex == 2. If update_pathvec_from_dm()
> > discovers that pp1 is part of another multipath device, and removes
> > it,
> > that will mean that pgp1 is now empty, so update_pathvec_from_dm()
> > will
> > also remove that (at the delete_pg label).  But pp2->pgindex will
> > still
> > be set to 2 even though there's only one path group, so it will now
> > point off the end of the pgp list. Right?
> 
> Right, thanks for pointing this out. If we delete a pg, we need to
> invalidate all pgindex values for all paths in the map. We can't
> decrement them, because they must match kernel indices (see below).
> 
> > At any rate, updating pgindex seems finicky and perhaps we should
> > just
> > drop it. It's not that much work to scan the path groups for the path
> > in
> > enable_group() and since we're already reading through the path
> > groups
> > in followover_should_failback(), we can just refactor the code a
> > little
> > bit to avoid needing pgindex at all.
> 
> I had similar thoughts, but I was looking for a minimal fix for the
> 0.11.0 release. Probably dropping pgindex for good is the right thing
> to do, but is it 0.11.0 material?

I'd be fine with removing it, but it's your call. I have nothing against
your approach for 0.11.0 and then a more involved fix afterwards. 
 
> We'd still have the problem that enable_group() et al. need a pgindex
> value that matches the kernel configuration. We can only be sure that
> this index is correct if disassemble_map() has just set it. Any change
> we apply in multipathd's data structures won't match the kernel's view
> of the map.
> 
> This problem is subtle, AFAICS. It's related to the fact that if
> update_pathvec_from_dm() finds any inconsistencies, we *should* reload
> the map, possibly multiple times, until these inconsistencies have been
> resolved. But we can't do that in all code paths in which this function
> is called (or at least, we haven't been able to prove that we can
> without risking breakage).
> 
> I have vague ideas how this could be solved, but they would require a
> major code restructuring.

We could use mpp->need_reload to signal that pgindex was invalid. It
might still make sense to drop pgindex so we don't have to unset it
in cases like when a path is in two multipath devices. But if the
map needed reloading, we could just let the reload deal with adjusting
the path groups. The only problem is that we can set need_reload, but
not actually trigger that reload for a while. 

-Ben

> Regards,
> Martin
diff mbox series

Patch

diff --git a/libmultipath/pgpolicies.c b/libmultipath/pgpolicies.c
index edc3c61..23ef2bd 100644
--- a/libmultipath/pgpolicies.c
+++ b/libmultipath/pgpolicies.c
@@ -127,6 +127,8 @@  fail:
 int group_paths(struct multipath *mp, int marginal_pathgroups)
 {
 	vector normal, marginal;
+	struct path *pp;
+	int i;
 
 	if (!mp->pg)
 		mp->pg = vector_alloc();
@@ -138,6 +140,10 @@  int group_paths(struct multipath *mp, int marginal_pathgroups)
 	if (!mp->pgpolicyfn)
 		goto fail;
 
+	/* Reset pgindex, we're going to invalidate it */
+	vector_foreach_slot(mp->paths, pp, i)
+		pp->pgindex = 0;
+
 	if (!marginal_pathgroups ||
 	    split_marginal_paths(mp->paths, &normal, &marginal) != 0) {
 		if (mp->pgpolicyfn(mp, mp->paths) != 0)
diff --git a/libmultipath/structs.c b/libmultipath/structs.c
index 61c8f32..4851725 100644
--- a/libmultipath/structs.c
+++ b/libmultipath/structs.c
@@ -239,8 +239,18 @@  free_pgvec (vector pgvec, enum free_path_mode free_paths)
 	if (!pgvec)
 		return;
 
-	vector_foreach_slot(pgvec, pgp, i)
+	vector_foreach_slot(pgvec, pgp, i) {
+
+		/* paths are going to be re-grouped, reset pgindex */
+		if (free_paths != FREE_PATHS) {
+			struct path *pp;
+			int j;
+
+			vector_foreach_slot(pgp->paths, pp, j)
+				pp->pgindex = 0;
+		}
 		free_pathgroup(pgp, free_paths);
+	}
 
 	vector_free(pgvec);
 }
diff --git a/libmultipath/structs_vec.c b/libmultipath/structs_vec.c
index d22056c..64c5ad5 100644
--- a/libmultipath/structs_vec.c
+++ b/libmultipath/structs_vec.c
@@ -139,6 +139,13 @@  static bool update_pathvec_from_dm(vector pathvec, struct multipath *mpp,
 				must_reload = true;
 				dm_fail_path(mpp->alias, pp->dev_t);
 				vector_del_slot(pgp->paths, j--);
+				/*
+				 * pp->pgindex has been set in disassemble_map(),
+				 * which has probably been called just before for
+				 * mpp. So he pgindex relates to mpp and may be
+				 * wrong for pp->mpp. Invalidate it.
+				 */
+				pp->pgindex = 0;
 				continue;
 			}
 			pp->mpp = mpp;
@@ -354,6 +361,7 @@  void orphan_path(struct path *pp, const char *reason)
 {
 	condlog(3, "%s: orphan path, %s", pp->dev, reason);
 	pp->mpp = NULL;
+	pp->pgindex = 0;
 	uninitialize_path(pp);
 }