Ceph : Issues
https://tracker.ceph.com/
2021-02-01T06:04:06Z
CephFS - Bug #49074 (Resolved): mds: don't start purging inodes in the middle of recovery
https://tracker.ceph.com/issues/49074
2021-02-01T06:04:06Z
Zheng Yan
ukernel@gmail.com
If the MDS kills a client session in the middle of recovery, it purges the preallocated inos of the killed session twice: once in Server::_session_logged() and once in MDCache::start_purge_inodes().
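One way to avoid the double purge is to route both paths through a tracker that hands out each ino at most once. The sketch below only illustrates that idea; all names in it (PurgeTracker, claim, purge_session_inos) are hypothetical, and it is not the actual fix.
<pre>
// Sketch: deduplicate purging of a session's preallocated inos.
// All names here are hypothetical illustrations, not Ceph code.
#include <cstdint>
#include <set>

using inodeno_t = std::uint64_t;

struct Session {
  std::set<inodeno_t> prealloc_inos;  // inos preallocated for this session
};

struct PurgeTracker {
  std::set<inodeno_t> purged;  // inos already handed to the purge queue

  // Returns true only the first time an ino is claimed, so a second
  // caller (e.g. the recovery path) skips inos the session-kill path
  // already purged.
  bool claim(inodeno_t ino) { return purged.insert(ino).second; }
};

void purge_session_inos(Session& s, PurgeTracker& tracker) {
  for (inodeno_t ino : s.prealloc_inos) {
    if (tracker.claim(ino)) {
      // purge_inode(ino);  // hand off to the purge queue exactly once
    }
  }
}
</pre>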
CephFS - Bug #48249 (Resolved): mds: dir->mark_new should be called together with dir->mark_dirty
https://tracker.ceph.com/issues/48249
2020-11-16T14:40:48Z
Zheng Yan
ukernel@gmail.com
CephFS - Feature #47102 (Resolved): mds: add perf counter for cap messages
https://tracker.ceph.com/issues/47102
2020-08-24T01:30:32Z
Zheng Yan
ukernel@gmail.com
CephFS - Feature #47034 (New): mds: readdir for snapshot diff
https://tracker.ceph.com/issues/47034
2020-08-19T07:46:56Z
Zheng Yan
ukernel@gmail.com
Make readdir return the dentries that were changed or removed since a given snapshot.
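Until such an interface exists, a client can approximate this from userspace by listing the directory through two snapshots' .snap paths and comparing names. A rough sketch against the libcephfs API follows; the paths "dir/.snap/snapA" and "dir/.snap/snapB" are placeholders, and this only detects added/removed names, not content changes.
<pre>
// Sketch: approximate a "readdir diff" between two snapshots of a
// directory by comparing their .snap listings. Snapshot names are
// placeholders; an initialized, mounted cmount is assumed.
#include <cephfs/libcephfs.h>
#include <dirent.h>
#include <cstdio>
#include <set>
#include <string>

static std::set<std::string> list_dir(struct ceph_mount_info* cmount,
                                      const char* path) {
  std::set<std::string> names;
  struct ceph_dir_result* dirp;
  if (ceph_opendir(cmount, path, &dirp) < 0)
    return names;
  while (struct dirent* de = ceph_readdir(cmount, dirp))
    names.insert(de->d_name);
  ceph_closedir(cmount, dirp);
  return names;
}

void snap_diff(struct ceph_mount_info* cmount) {
  auto old_names = list_dir(cmount, "dir/.snap/snapA");
  auto new_names = list_dir(cmount, "dir/.snap/snapB");
  for (const auto& n : new_names)
    if (!old_names.count(n))
      printf("added:   %s\n", n.c_str());
  for (const auto& n : old_names)
    if (!new_names.count(n))
      printf("removed: %s\n", n.c_str());
  // Detecting *changed* entries would additionally need a per-entry
  // stat comparison (e.g. mtime/ctime) between the two snapshots.
}
</pre>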
CephFS - Bug #47033 (Duplicate): client: inode ref leak
https://tracker.ceph.com/issues/47033
2020-08-19T07:29:40Z
Zheng Yan
ukernel@gmail.com
It can easily be reproduced by the following program.
<pre>
#define _FILE_OFFSET_BITS 64
#include <features.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <time.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <unistd.h>
#include <errno.h>
#include <cephfs/libcephfs.h>

int main(int argc, char *argv[]) {
    struct ceph_mount_info *cmount = NULL;
    int n = 64;
    bool parent = true;

    if (argc > 2)
        n = atoi(argv[2]);

    /* fork n workers; the parent only waits for them */
    while (--n >= 0) {
        pid_t pid = fork();
        if (pid < 0) {
            printf("fork fail %d\n", pid);
            exit(-1);
        }
        if (pid == 0) {
            parent = false;
            break;
        }
    }
    if (parent) {
        pid_t pid;
        int status;
        while ((pid = wait(&status)) > 0);
        return 0;
    }

    ceph_create(&cmount, "admin");
    ceph_conf_read_file(cmount, "./ceph.conf");
    ceph_mount(cmount, NULL);
    ceph_chdir(cmount, argv[1]);

    /* each worker creates files in its own subdirectory */
    char buf[4096];
    sprintf(buf, "dir%d", n);
    int ret = ceph_mkdir(cmount, buf, 0755);
    if (ret < 0 && ret != -EEXIST) {
        printf("ceph_mkdir fail %d\n", ret);
        return 0;
    }
    ceph_chdir(cmount, buf);
    /*
    struct ceph_dir_result *dirp;
    ret = ceph_opendir(cmount, ".", &dirp);
    if (ret < 0) {
        printf("ceph_opendir fail %d\n", ret);
        return 0;
    }
    while (ceph_readdir(cmount, dirp))
        ;
    ceph_closedir(cmount, dirp);
    */

    /* create files as fast as possible, printing creations per second */
    int count = 0;
    time_t start = time(NULL);
    for (int i = 0; i < 20000; ++i) {
        sprintf(buf, "file%d", i);
        int fd = ceph_open(cmount, buf, O_CREAT|O_RDONLY, 0644);
        if (fd < 0) {
            printf("ceph_open fail %d\n", fd);
            exit(-1);
        }
        /*
        ret = ceph_fchmod(cmount, fd, 0666);
        if (ret < 0) {
            printf("ceph_fchmod fail %d\n", ret);
            exit(-1);
        }
        */
        ceph_close(cmount, fd);
        count++;
        if (time(NULL) > start) {
            printf("%d\n", count);
            count = 0;
            start = time(NULL);
        }
    }
    ceph_unmount(cmount);
    return 0;
}
</pre>
Pre-create testdir at the root of the cephfs and change its mode to 0777.
Repeatedly run './test_create testdir 1' (without cleaning up the created data between runs).
The last good commit is aef8569b807dc946f7dabc44b20c5d986c44e364. Taking client_lock in Client::put_inode does not fix it.
CephFS - Bug #47011 (Resolved): client: Client::open() passes wrong cap mask to path_walk
https://tracker.ceph.com/issues/47011
2020-08-18T14:23:48Z
Zheng Yan
ukernel@gmail.com
CephFS - Bug #46988 (Resolved): mds: 'forward loop' when forward_all_requests_to_auth is set
https://tracker.ceph.com/issues/46988
2020-08-17T08:38:32Z
Zheng Yan
ukernel@gmail.com
CephFS - Bug #46984 (Resolved): mds: recover files after normal session close
https://tracker.ceph.com/issues/46984
2020-08-16T04:30:41Z
Zheng Yan
ukernel@gmail.com
The client does not flush its cap releases before sending the session close request.
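In other words, the intended ordering on the client side is: push out any batched cap release messages for the session first, then send the close request, so the MDS never processes the close while it still considers caps outstanding. A schematic sketch; both function bodies and names are hypothetical stand-ins for the client's internal steps:
<pre>
// Schematic ordering only; flush_cap_releases() and send_session_close()
// are hypothetical stand-ins, not the client's real interfaces.
struct Session;

void flush_cap_releases(Session*) { /* push out batched cap releases */ }
void send_session_close(Session*) { /* ask the MDS to close the session */ }

void close_session(Session* s) {
  flush_cap_releases(s);  // must reach the MDS before the close request
  send_session_close(s);
}
</pre>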
CephFS - Bug #46902 (Rejected): mds: CInode::maybe_export_pin is broken
https://tracker.ceph.com/issues/46902
2020-08-11T13:39:53Z
Zheng Yan
ukernel@gmail.com
<pre>
void CInode::maybe_export_pin(bool update)
{
  if (!g_conf()->mds_bal_export_pin)
    return;
  if (!is_dir() || !is_normal()) // this always returns true
    return;
</pre>
CephFS - Bug #46809 (In Progress): mds: purge orphan objects created by lost async file creation
https://tracker.ceph.com/issues/46809
2020-08-03T01:02:35Z
Zheng Yan
ukernel@gmail.com
CephFS - Bug #46747 (In Progress): mds: make rstats in CInode::old_inodes stable
https://tracker.ceph.com/issues/46747
2020-07-29T09:28:24Z
Zheng Yan
ukernel@gmail.com
When modifying a dir, MDCache::project_rstat_frag_to_inode may wrongly update the rstats in the dir's old_inodes.
CephFS - Bug #46533 (Resolved): mds: null pointer dereference in MDCache::finish_rollback
https://tracker.ceph.com/issues/46533
2020-07-14T12:43:18Z
Zheng Yan
ukernel@gmail.com
Introduced by https://tracker.ceph.com/issues/45024
CephFS - Bug #46302 (Resolved): mds: optimize ephemeral rand pin
https://tracker.ceph.com/issues/46302
2020-07-01T13:57:06Z
Zheng Yan
ukernel@gmail.com
There are two possible optimizations:
1. get_ephemeral_rand() is called for each inode loaded by a dirfrag fetch, and all calls get the same result. We only need to call get_ephemeral_rand() once per dirfrag fetch.
2. Skip generating the random number if the threshold is 0.
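Schematically, both points amount to hoisting work out of the per-inode loop. A sketch under assumed names; get_ephemeral_rand_threshold() is a hypothetical stand-in for CInode::get_ephemeral_rand(), not the real MDS code:
<pre>
// Sketch of the two optimizations; all names here are hypothetical.
#include <random>
#include <vector>

struct Inode { bool rand_pinned = false; };

// Stand-in for the per-inode threshold lookup; stubbed with a constant.
double get_ephemeral_rand_threshold() { return 0.01; /* stub */ }

void fetch_dirfrag(std::vector<Inode>& loaded) {
  // Optimization 1: every inode loaded by one dirfrag fetch sees the
  // same threshold, so look it up once per fetch, not once per inode.
  const double threshold = get_ephemeral_rand_threshold();

  // Optimization 2: a zero threshold can never pin anything, so skip
  // drawing random numbers entirely.
  if (threshold <= 0.0)
    return;

  static thread_local std::mt19937 gen{std::random_device{}()};
  std::uniform_real_distribution<double> dist(0.0, 1.0);
  for (auto& in : loaded)
    in.rand_pinned = (dist(gen) < threshold);
}
</pre>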
CephFS - Bug #45699 (Resolved): mds may start to fragment dirfrag before rollback finishes
https://tracker.ceph.com/issues/45699
2020-05-25T13:46:47Z
Zheng Yan
ukernel@gmail.com
/ceph/teuthology-archive/pdonnell-2020-05-21_21:34:09-kcephfs-wip-pdonnell-testing-20200520.182104-distro-basic-smithi/5078456/remote/smithi130/log/ceph-mds.c.log.gz

or

http://pulpito.ceph.com/pdonnell-2020-05-21_21:34:09-kcephfs-wip-pdonnell-testing-20200520.182104-distro-basic-smithi/5078456
Linux kernel client - Bug #45649 (Resolved): use-after-free during AIO
https://tracker.ceph.com/issues/45649
2020-05-22T07:23:08Z
Zheng Yan
ukernel@gmail.com
<pre>
[ 2768.702419] ==================================================================
[ 2768.704404] BUG: KASAN: use-after-free in ceph_read_iter+0x1986/0x1eb0 [ceph]
[ 2768.706013] Read of size 4 at addr ffff888104e05d20 by task fsstress/29043

[ 2768.707968] CPU: 3 PID: 29043 Comm: fsstress Tainted: G E --------- - - 4.18.0+ #1
[ 2768.709959] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
[ 2768.712016] Call Trace:
[ 2768.712597]  dump_stack+0x9a/0xf0
[ 2768.713412]  print_address_description.cold.3+0x9/0x23b
[ 2768.714613]  kasan_report.cold.4+0x64/0x95
[ 2768.715525]  ? ceph_read_iter+0x1986/0x1eb0 [ceph]
[ 2768.716704]  ceph_read_iter+0x1986/0x1eb0 [ceph]
[ 2768.717812]  ? kvm_sched_clock_read+0x14/0x30
[ 2768.718825]  ? sched_clock+0x5/0x10
[ 2768.719701]  ? ceph_write_iter+0x1c80/0x1c80 [ceph]
[ 2768.720845]  ? sched_clock+0x5/0x10
[ 2768.721618]  ? find_held_lock+0x3a/0x1c0
[ 2768.722596]  ? __save_stack_trace.constprop.3+0x80/0x100
[ 2768.723883]  ? lock_downgrade+0x6f0/0x6f0
[ 2768.724906]  ? rcu_read_lock_held+0xaf/0xc0
[ 2768.726008]  ? fsnotify_nameremove+0x240/0x240
[ 2768.727046]  ? fsnotify_first_mark+0x150/0x150
[ 2768.728104]  ? aio_read+0x20f/0x340
[ 2768.728899]  aio_read+0x20f/0x340
[ 2768.729574]  ? aio_write+0x530/0x530
[ 2768.730338]  ? sched_clock_cpu+0x18/0x1e0
[ 2768.731959]  ? kvm_sched_clock_read+0x14/0x30
[ 2768.733692]  ? lock_downgrade+0x6f0/0x6f0
[ 2768.735306]  ? lock_acquire+0x14f/0x3b0
[ 2768.736877]  ? __might_fault+0xc4/0x1a0
[ 2768.738609]  io_submit_one+0x856/0xb50
[ 2768.740593]  ? aio_read+0x340/0x340
[ 2768.742607]  __x64_sys_io_submit+0x17f/0x420
[ 2768.745181]  ? aio_fsync_work+0xd0/0xd0
[ 2768.747549]  ? retint_user+0x18/0x18
[ 2768.749790]  ? do_syscall_64+0xa5/0x4d0
[ 2768.752295]  do_syscall_64+0xa5/0x4d0
[ 2768.754251]  entry_SYSCALL_64_after_hwframe+0x6a/0xdf
[ 2768.756457] RIP: 0033:0x7ffff7ebbe0d
[ 2768.758342] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 4b 90 0c 00 f7 d8 64 89 01 48
[ 2768.765492] RSP: 002b:00007fffffffa228 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
[ 2768.768801] RAX: ffffffffffffffda RBX: 00007ffff7dc3b00 RCX: 00007ffff7ebbe0d
[ 2768.771933] RDX: 00007fffffffa278 RSI: 0000000000000001 RDI: 00007ffff7fca000
[ 2768.774708] RBP: 00007ffff7fca000 R08: 0000000000000000 R09: 0000000000000000
[ 2768.777558] R10: 00007ffff7800000 R11: 0000000000000246 R12: 0000000000000001
[ 2768.780099] R13: 0000000000000019 R14: 00007fffffffa278 R15: 00007ffff7800000

[ 2768.783440] Allocated by task 29043:
[ 2768.785226]  kasan_kmalloc+0xbf/0xe0
[ 2768.786808]  kmem_cache_alloc+0x10c/0x340
[ 2768.788338]  io_submit_one+0xd3/0xb50
[ 2768.790086]  __x64_sys_io_submit+0x17f/0x420
[ 2768.791912]  do_syscall_64+0xa5/0x4d0
[ 2768.793585]  entry_SYSCALL_64_after_hwframe+0x6a/0xdf
[ 2768.795251]  0xffffffffffffffff

[ 2768.797803] Freed by task 29028:
[ 2768.799093]  __kasan_slab_free+0x125/0x170
[ 2768.800592]  slab_free_freelist_hook+0x5e/0x140
[ 2768.802321]  kmem_cache_free+0x9d/0x300
[ 2768.803906]  aio_complete+0x56a/0xb90
[ 2768.805441]  ceph_aio_complete_req+0xa8a/0x10e0 [ceph]
[ 2768.807846]  __complete_request+0x49/0x140 [libceph]
[ 2768.810262]  handle_reply+0x147d/0x2400 [libceph]
[ 2768.812559]  dispatch+0x468/0x24d0 [libceph]
[ 2768.814747]  try_read+0xcaf/0x1fd0 [libceph]
[ 2768.816936]  ceph_con_workfn+0x1db/0x11e0 [libceph]
[ 2768.819394]  process_one_work+0x8f0/0x17a0
[ 2768.821502]  worker_thread+0x87/0xb50
[ 2768.823684]  kthread+0x30c/0x3d0
[ 2768.825757]  ret_from_fork+0x27/0x50
[ 2768.827800]  0xffffffffffffffff

[ 2768.831200] The buggy address belongs to the object at ffff888104e05d00
                which belongs to the cache aio_kiocb of size 184
[ 2768.836722] The buggy address is located 32 bytes inside of
                184-byte region [ffff888104e05d00, ffff888104e05db8)
[ 2768.841608] The buggy address belongs to the page:
[ 2768.843896] page:ffffea0004138140 refcount:1 mapcount:0 mapping:ffff88810b9a1b00 index:0xffff888104e05900
[ 2768.847031] flags: 0x17ffffc0000100(slab)
[ 2768.849134] raw: 0017ffffc0000100 dead000000000100 dead000000000200 ffff88810b9a1b00
[ 2768.851978] raw: ffff888104e05900 0000000080100009 00000001ffffffff 0000000000000000
[ 2768.854933] page dumped because: kasan: bad access detected

[ 2768.858658] Memory state around the buggy address:
[ 2768.860826]  ffff888104e05c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2768.863427]  ffff888104e05c80: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 2768.865934] >ffff888104e05d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2768.868430]                                ^
[ 2768.870286]  ffff888104e05d80: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 2768.872581]  ffff888104e05e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2768.875054] ==================================================================
[ 2768.877544] Disabling lock debugging due to kernel taint
</pre>
I suspect the use-after-free is at:
<pre>
diff --git a/fs/ceph/file.c b/fs/ceph/file.c
index 7243008bed72..9e0a0fc17a53 100644
--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -1364,6 +1364,7 @@ ceph_direct_read_write(struct kiocb *iocb, struct iov_iter *iter,
 	if (ret != -EOLDSNAPC && pos > iocb->ki_pos) {
 		ret = pos - iocb->ki_pos;
 		iocb->ki_pos = pos;
+		^^^
 	}
 	return ret;
 }
</pre>
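The marked line touches iocb->ki_pos after the AIO completion path (the "Freed by task 29028" stack, ceph_aio_complete_req() -> aio_complete()) may already have freed the kiocb on another CPU. The general pattern for this class of bug, sketched below with a hypothetical request type rather than the actual patch: copy whatever the submitter still needs out of the request before the point where a concurrent completion can free it.
<pre>
/* Sketch of the safe pattern (hypothetical types; not the actual fix):
 * read everything needed from the request while we still own it, and
 * never touch it again once a concurrent completion may free it. */
struct aio_req { long ki_pos; };

long finish_direct_io(struct aio_req *req, long pos, int aio_in_flight)
{
	long old_pos = req->ki_pos;  /* read while req is still ours */

	if (aio_in_flight) {
		/* From here on the completion path may free req at any
		 * moment; only the local copy may be used. */
		return pos - old_pos;
	}
	req->ki_pos = pos;  /* synchronous path still owns req */
	return pos - old_pos;
}
</pre>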