2fe61a7ecc
Authored by: Prakash Surya <prakash.surya@delphix.com>
Reviewed by: John Kennedy <jwk404@gmail.com>
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed by: George Wilson <george.wilson@delphix.com>
Reviewed by: Brad Lewis <brad.lewis@delphix.com>
Reviewed by: Igor Kozhukhov <igor@dilos.org>
Reviewed by: Brian Behlendorf <behlendorf1@llnl.gov>
Approved by: Robert Mustacchi <rm@joyent.com>
Ported-by: Prakash Surya <prakash.surya@delphix.com>

PROBLEM
=======

There's a race condition that exists if `zil_free_lwb` races with either
`zil_commit_waiter_timeout` and/or `zil_lwb_flush_vdevs_done`. Here's an
example panic due to this bug:

> ::status
debugging crash dump vmcore.0 (64-bit) from ip-10-110-205-40
operating system: 5.11 dlpx-5.2.2.0_2017-12-04-17-28-32b6ba51fb (i86pc)
image uuid: 4af0edfb-e58e-6ed8-cafc-d3e9167c7513
panic message:
BAD TRAP: type=e (#pf Page fault) rp=ffffff0010555970 addr=60
occurred in module "zfs" due to a NULL pointer dereference
dump content: kernel pages only

> $c
zio_shrink+0x12()
zil_lwb_write_issue+0x30d(ffffff03dcd15cc0, ffffff03e0730e20)
zil_commit_waiter_timeout+0xa2(ffffff03dcd15cc0, ffffff03d97ffcf8)
zil_commit_waiter+0xf3(ffffff03dcd15cc0, ffffff03d97ffcf8)
zil_commit+0x80(ffffff03dcd15cc0, 9a9)
zfs_write+0xc34(ffffff03dc38b140, ffffff0010555e60, 40, ffffff03e00fb758, 0)
fop_write+0x5b(ffffff03dc38b140, ffffff0010555e60, 40, ffffff03e00fb758, 0)
write+0x250(42, fffffd7ff4832000, 2000)
sys_syscall+0x177()

If there's an outstanding lwb that's in `zil_commit_waiter_timeout`
waiting to timeout, waiting on its waiter's CV, we must be sure not to
call `zil_free_lwb`. If we end up calling `zil_free_lwb`, then that LWB
may be freed and can result in a use-after-free situation where the
stale lwb pointer stored in the `zil_commit_waiter_t` structure of the
thread waiting on the waiter's CV is used.

A similar situation can occur if an lwb is issued to disk, and thus in
the `LWB_STATE_ISSUED` state, and `zil_free_lwb` is called while the
disk is servicing that lwb. In this situation, the lwb will be freed by
`zil_free_lwb`, which will result in a use-after-free situation when the
lwb's zio completes, and `zil_lwb_flush_vdevs_done` is called.

This race condition is prevented in `zil_close` by calling `zil_commit`
before `zil_free_lwb` is called, which will ensure all outstanding (i.e.
all lwb's in the `LWB_STATE_OPEN` and/or `LWB_STATE_ISSUED` states)
reach the `LWB_STATE_DONE` state before the lwb's are freed
(`zil_commit` will not return until all the lwb's are
`LWB_STATE_DONE`).

Further, this race condition is prevented in `zil_sync` by only calling
`zil_free_lwb` for lwb's that do not have their `lwb_buf` pointer set.
All lwb's not in the `LWB_STATE_DONE` state will have a non-null value
for this pointer; the pointer is only cleared in
`zil_lwb_flush_vdevs_done`, at which point the lwb's state will be
changed to `LWB_STATE_DONE`.

This race *is* present in `zil_suspend`, leading to this bug.

At first glance, it would appear as though this would not be true
because `zil_suspend` will call `zil_commit`, just like `zil_close`, but
the problem is that `zil_suspend` will set the zilog's `zl_suspend`
field prior to calling `zil_commit`. Further, in `zil_commit`, if
`zl_suspend` is set, `zil_commit` will take a special branch of logic
and use `txg_wait_synced` instead of performing the normal `zil_commit`
logic.

This call to `txg_wait_synced` might be good enough for the data to
reach disk safely before it returns, but it does not ensure that all
outstanding lwb's reach the `LWB_STATE_DONE` state before it returns.
This is because, if there's an lwb "stuck" in
`zil_commit_waiter_timeout`, waiting for its lwb to timeout, it will
maintain a non-null value for its `lwb_buf` field and thus `zil_sync`
will not free that lwb.

Thus, even though the lwb's data is already on disk, the lwb will be
left lingering, waiting on the CV, and will eventually timeout and be
issued to disk even though the write is unnecessary.

So, after `zil_commit` is called from `zil_suspend`, we incorrectly
assume that there are not outstanding lwb's, and proceed to free all
lwb's found on the zilog's lwb list. As a result, we free the lwb that
will later be used by `zil_commit_waiter_timeout`.

SOLUTION
========

The solution to this is to ensure all outstanding lwb's complete before
calling `zil_free_lwb` via `zil_destroy` in `zil_suspend`. This patch
accomplishes this goal by forcing the normal `zil_commit` logic when
called from `zil_sync`.

Now, `zil_suspend` will call `zil_commit_impl` which will always use the
normal logic of waiting/issuing lwb's to disk before it returns. As a
result, any lwb's outstanding when `zil_commit_impl` is called will be
guaranteed to reach the `LWB_STATE_DONE` state by the time it returns.

Further, no new lwb's will be created via `zil_commit` since the zilog's
`zl_suspend` flag will be set. This will force all new callers of
`zil_commit` to use `txg_wait_synced` instead of creating and issuing
new lwb's.

Thus, all lwb's left on the zilog's lwb list when `zil_destroy` is
called will be in the `LWB_STATE_DONE` state, and we'll avoid this race
condition.

OpenZFS-issue: https://www.illumos.org/issues/8909
OpenZFS-commit: https://github.com/openzfs/openzfs/commit/ece62b6f8d
Closes #6940
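The suspend-time race described above, modelled as an added example (this is not code from the commit or from ZFS): a stripped-down lwb list with `zl_suspend` already set, drained first through the old `zil_commit()` path and then through the patch's `zil_commit_impl()` path, with `zil_destroy()` counting how many lwbs it would free while still outstanding. The `model_*` functions, the `next` pointer and the malloc'd `lwb_buf` are constructed stand-ins for the real locking, CV waiting and zio completion.

```c
#include <stdlib.h>
/* Model-only copies of the lwb states and fields this race depends on. */
typedef enum { LWB_STATE_CLOSED, LWB_STATE_OPENED, LWB_STATE_ISSUED,
    LWB_STATE_DONE } lwb_state_t;
typedef struct lwb {
	lwb_state_t lwb_state;
	char *lwb_buf;		/* non-NULL until the lwb is DONE */
	struct lwb *next;	/* stands in for zl_lwb_list linkage */
} lwb_t;
typedef struct zilog { lwb_t *zl_lwb_list; unsigned zl_suspend; } zilog_t;
/* Stand-in for zil_commit_impl(): returns only after every outstanding lwb
 * has reached LWB_STATE_DONE (zil_lwb_flush_vdevs_done clears lwb_buf). */
static void model_commit_impl(zilog_t *zl)
{
	for (lwb_t *l = zl->zl_lwb_list; l != NULL; l = l->next) {
		free(l->lwb_buf);
		l->lwb_buf = NULL;
		l->lwb_state = LWB_STATE_DONE;
	}
}
/* Stand-in for zil_destroy() freeing the whole list; counts lwbs freed
 * while still outstanding, i.e. still reachable from a parked waiter. */
static int model_destroy(zilog_t *zl)
{
	int hazards = 0;
	while (zl->zl_lwb_list != NULL) {
		lwb_t *l = zl->zl_lwb_list;
		zl->zl_lwb_list = l->next;
		hazards += (l->lwb_state != LWB_STATE_DONE);
		free(l->lwb_buf);
		free(l);
	}
	return (hazards);
}
/* zil_suspend() before the patch (fixed == 0) versus with it (fixed == 1).
 * List: one DONE lwb and one OPENED lwb parked in zil_commit_waiter_timeout(). */
int model_suspend(int fixed)
{
	lwb_t *done = calloc(1, sizeof (*done)), *open = calloc(1, sizeof (*open));
	done->lwb_state = LWB_STATE_DONE;
	open->lwb_state = LWB_STATE_OPENED;
	open->lwb_buf = malloc(16);
	done->next = open;
	zilog_t zl = { .zl_lwb_list = done, .zl_suspend = 1 }; /* set before commit */
	/* zil_commit() skips the lwb logic while zl_suspend is set; the patch
	 * calls zil_commit_impl() directly, so the list is drained regardless. */
	if (fixed || zl.zl_suspend == 0)
		model_commit_impl(&zl);
	return (model_destroy(&zl));	/* 1 before the fix, 0 after */
}
```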
242 lines
9.4 KiB
C
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
 * Copyright (c) 2012, 2017 by Delphix. All rights reserved.
 */

/* Portions Copyright 2010 Robert Milkowski */

#ifndef	_SYS_ZIL_IMPL_H
#define	_SYS_ZIL_IMPL_H

#include <sys/zil.h>
#include <sys/dmu_objset.h>

#ifdef	__cplusplus
extern "C" {
#endif

/*
 * Possible states for a given lwb structure.
 *
 * An lwb will start out in the "closed" state, and then transition to
 * the "opened" state via a call to zil_lwb_write_open(). When
 * transitioning from "closed" to "opened" the zilog's "zl_issuer_lock"
 * must be held.
 *
 * After the lwb is "opened", it can transition into the "issued" state
 * via zil_lwb_write_issue(). Again, the zilog's "zl_issuer_lock" must
 * be held when making this transition.
 *
 * After the lwb's zio completes, and the vdev's are flushed, the lwb
 * will transition into the "done" state via zil_lwb_write_done(). When
 * transitioning from "issued" to "done", the zilog's "zl_lock" must be
 * held, *not* the "zl_issuer_lock".
 *
 * The zilog's "zl_issuer_lock" can become heavily contended in certain
 * workloads, so we specifically avoid acquiring that lock when
 * transitioning an lwb from "issued" to "done". This allows us to avoid
 * having to acquire the "zl_issuer_lock" for each lwb ZIO completion,
 * which would have added more lock contention on an already heavily
 * contended lock.
 *
 * Additionally, correctness when reading an lwb's state is often
 * achieved by exploiting the fact that these state transitions occur in
 * this specific order; i.e. "closed" to "opened" to "issued" to "done".
 *
 * Thus, if an lwb is in the "closed" or "opened" state, holding the
 * "zl_issuer_lock" will prevent a concurrent thread from transitioning
 * that lwb to the "issued" state. Likewise, if an lwb is already in the
 * "issued" state, holding the "zl_lock" will prevent a concurrent
 * thread from transitioning that lwb to the "done" state.
 */
typedef enum {
	LWB_STATE_CLOSED,
	LWB_STATE_OPENED,
	LWB_STATE_ISSUED,
	LWB_STATE_DONE,
	LWB_NUM_STATES
} lwb_state_t;

/*
 * Log write block (lwb)
 *
 * Prior to an lwb being issued to disk via zil_lwb_write_issue(), it
 * will be protected by the zilog's "zl_issuer_lock". Basically, prior
 * to it being issued, it will only be accessed by the thread that's
 * holding the "zl_issuer_lock". After the lwb is issued, the zilog's
 * "zl_lock" is used to protect the lwb against concurrent access.
 */
typedef struct lwb {
	zilog_t		*lwb_zilog;	/* back pointer to log struct */
	blkptr_t	lwb_blk;	/* on disk address of this log blk */
	boolean_t	lwb_fastwrite;	/* is blk marked for fastwrite? */
	boolean_t	lwb_slog;	/* lwb_blk is on SLOG device */
	int		lwb_nused;	/* # used bytes in buffer */
	int		lwb_sz;		/* size of block and buffer */
	lwb_state_t	lwb_state;	/* the state of this lwb */
	char		*lwb_buf;	/* log write buffer */
	zio_t		*lwb_write_zio;	/* zio for the lwb buffer */
	zio_t		*lwb_root_zio;	/* root zio for lwb write and flushes */
	dmu_tx_t	*lwb_tx;	/* tx for log block allocation */
	uint64_t	lwb_max_txg;	/* highest txg in this lwb */
	list_node_t	lwb_node;	/* zilog->zl_lwb_list linkage */
	list_t		lwb_itxs;	/* list of itx's */
	list_t		lwb_waiters;	/* list of zil_commit_waiter's */
	avl_tree_t	lwb_vdev_tree;	/* vdevs to flush after lwb write */
	kmutex_t	lwb_vdev_lock;	/* protects lwb_vdev_tree */
	hrtime_t	lwb_issued_timestamp; /* when was the lwb issued? */
} lwb_t;

/*
 * ZIL commit waiter.
 *
 * This structure is allocated each time zil_commit() is called, and is
 * used by zil_commit() to communicate with other parts of the ZIL, such
 * that zil_commit() can know when it is safe for it to return. For more
 * details, see the comment above zil_commit().
 *
 * The "zcw_lock" field is used to protect the commit waiter against
 * concurrent access. This lock is often acquired while already holding
 * the zilog's "zl_issuer_lock" or "zl_lock"; see the functions
 * zil_process_commit_list() and zil_lwb_flush_vdevs_done() as examples
 * of this. Thus, one must be careful not to acquire the
 * "zl_issuer_lock" or "zl_lock" when already holding the "zcw_lock";
 * e.g. see the zil_commit_waiter_timeout() function.
 */
typedef struct zil_commit_waiter {
	kcondvar_t	zcw_cv;		/* signalled when "done" */
	kmutex_t	zcw_lock;	/* protects fields of this struct */
	list_node_t	zcw_node;	/* linkage in lwb_t:lwb_waiter list */
	lwb_t		*zcw_lwb;	/* back pointer to lwb when linked */
	boolean_t	zcw_done;	/* B_TRUE when "done", else B_FALSE */
	int		zcw_zio_error;	/* contains the zio io_error value */
} zil_commit_waiter_t;

/*
 * Intent log transaction lists
 */
typedef struct itxs {
	list_t		i_sync_list;	/* list of synchronous itxs */
	avl_tree_t	i_async_tree;	/* tree of foids for async itxs */
} itxs_t;

typedef struct itxg {
	kmutex_t	itxg_lock;	/* lock for this structure */
	uint64_t	itxg_txg;	/* txg for this chain */
	itxs_t		*itxg_itxs;	/* sync and async itxs */
} itxg_t;

/* for async nodes we build up an AVL tree of lists of async itxs per file */
typedef struct itx_async_node {
	uint64_t	ia_foid;	/* file object id */
	list_t		ia_list;	/* list of async itxs for this foid */
	avl_node_t	ia_node;	/* AVL tree linkage */
} itx_async_node_t;

/*
 * Vdev flushing: during a zil_commit(), we build up an AVL tree of the vdevs
 * we've touched so we know which ones need a write cache flush at the end.
 */
typedef struct zil_vdev_node {
	uint64_t	zv_vdev;	/* vdev to be flushed */
	avl_node_t	zv_node;	/* AVL tree linkage */
} zil_vdev_node_t;

#define	ZIL_PREV_BLKS 16

/*
 * Stable storage intent log management structure. One per dataset.
 */
struct zilog {
	kmutex_t	zl_lock;	/* protects most zilog_t fields */
	struct dsl_pool	*zl_dmu_pool;	/* DSL pool */
	spa_t		*zl_spa;	/* handle for read/write log */
	const zil_header_t *zl_header;	/* log header buffer */
	objset_t	*zl_os;		/* object set we're logging */
	zil_get_data_t	*zl_get_data;	/* callback to get object content */
	lwb_t		*zl_last_lwb_opened; /* most recent lwb opened */
	hrtime_t	zl_last_lwb_latency; /* zio latency of last lwb done */
	uint64_t	zl_lr_seq;	/* on-disk log record sequence number */
	uint64_t	zl_commit_lr_seq; /* last committed on-disk lr seq */
	uint64_t	zl_destroy_txg;	/* txg of last zil_destroy() */
	uint64_t	zl_replayed_seq[TXG_SIZE]; /* last replayed rec seq */
	uint64_t	zl_replaying_seq; /* current replay seq number */
	uint32_t	zl_suspend;	/* log suspend count */
	kcondvar_t	zl_cv_suspend;	/* log suspend completion */
	uint8_t		zl_suspending;	/* log is currently suspending */
	uint8_t		zl_keep_first;	/* keep first log block in destroy */
	uint8_t		zl_replay;	/* replaying records while set */
	uint8_t		zl_stop_sync;	/* for debugging */
	kmutex_t	zl_issuer_lock;	/* single writer, per ZIL, at a time */
	uint8_t		zl_logbias;	/* latency or throughput */
	uint8_t		zl_sync;	/* synchronous or asynchronous */
	int		zl_parse_error;	/* last zil_parse() error */
	uint64_t	zl_parse_blk_seq; /* highest blk seq on last parse */
	uint64_t	zl_parse_lr_seq; /* highest lr seq on last parse */
	uint64_t	zl_parse_blk_count; /* number of blocks parsed */
	uint64_t	zl_parse_lr_count; /* number of log records parsed */
	itxg_t		zl_itxg[TXG_SIZE]; /* intent log txg chains */
	list_t		zl_itx_commit_list; /* itx list to be committed */
	uint64_t	zl_cur_used;	/* current commit log size used */
	list_t		zl_lwb_list;	/* in-flight log write list */
	avl_tree_t	zl_bp_tree;	/* track bps during log parse */
	clock_t		zl_replay_time;	/* lbolt of when replay started */
	uint64_t	zl_replay_blks;	/* number of log blocks replayed */
	zil_header_t	zl_old_header;	/* debugging aid */
	uint_t		zl_prev_blks[ZIL_PREV_BLKS]; /* size - sector rounded */
	uint_t		zl_prev_rotor;	/* rotor for zl_prev[] */
	txg_node_t	zl_dirty_link;	/* protected by dp_dirty_zilogs list */
	uint64_t	zl_dirty_max_txg; /* highest txg used to dirty zilog */
};

typedef struct zil_bp_node {
	dva_t		zn_dva;
	avl_node_t	zn_node;
} zil_bp_node_t;

/*
 * Maximum amount of write data that can be put into single log block.
 */
#define	ZIL_MAX_LOG_DATA (SPA_OLD_MAXBLOCKSIZE - sizeof (zil_chain_t) - \
    sizeof (lr_write_t))

/*
 * Maximum amount of log space we agree to waste to reduce number of
 * WR_NEED_COPY chunks to reduce zl_get_data() overhead (~12%).
 */
#define	ZIL_MAX_WASTE_SPACE (ZIL_MAX_LOG_DATA / 8)

/*
 * Maximum amount of write data for WR_COPIED. Fall back to WR_NEED_COPY
 * as more space efficient if we can't fit at least two log records into
 * maximum sized log block.
 */
#define	ZIL_MAX_COPIED_DATA ((SPA_OLD_MAXBLOCKSIZE - \
    sizeof (zil_chain_t)) / 2 - sizeof (lr_write_t))

#ifdef	__cplusplus
}
#endif

#endif	/* _SYS_ZIL_IMPL_H */