Received: by 2002:a17:90a:88:0:0:0:0 with SMTP id a8csp4591523pja; Thu, 21 Nov 2019 22:27:14 -0800 (PST) X-Google-Smtp-Source: APXvYqwLQqDRVqEjh21RNxH+O0ogREw+IWC25hb+5sKxljgL2L7v1jb5OurvKkzXbQej0L7xW8uo X-Received: by 2002:a17:906:5959:: with SMTP id g25mr19481626ejr.248.1574404033865; Thu, 21 Nov 2019 22:27:13 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1574404033; cv=none; d=google.com; s=arc-20160816; b=SYA+i1yHunKsNh/1ojfkp2I0WeqPKF6dpZsTENCJl3/vr8Ay8DsJTCmT5p1a/iXIPS k5wHZ8NHM4mUKgwTzeMPkH/Mv0ZhCsOD5/oPHzXmnoPVMS1+iuwt0an4xugrorwQCAq+ HqRmNIEcA1zQiODIjusIaVfYIDVeZJ9B9w+1hEkAwDu6MC9lfZeCkDVF4MCAbjAP6YDd 0NlV+y74KvP7PJ0MK7VG7PjRwVXSFdqN+4uPnWn8Q8CgpRXoKlyiJ83PEULHXp7GxwiL ymKVqP7Gc5gURvnUJNribWpUIn7eq7s2+i4qaSBfahjwzh/ZQ3eEFDJna7h07J3FVlXw eOFw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=x1fWrJNe5a2gGPG9KWQ3OyY2igzCCmFabSkDt/qwFrI=; b=vdofYPY1mZ5eeBe36s3kAWCtwiyxUTc7B3/9OXsiaxw0RHH+cK5g/wI8AzHpKr5bXv eMJ2mcvB5prndiVO+f5EaH09+sm4fSV6DDP0Y+q3h9YtIgw83h1irQiWroFbhLRahpKl ZQgqn25LTTtSJJW6PcSyQNZzmVROdAIYKDdsWdl358cchpG9i1unSuVYvr34Jok2iFN8 IhSO4AwVh+M/zB8c70VnDjU9owaLUgEx26zVMAYMPd3hfkd4JVJzS4EDvMG5xS1JLswn +pqj8Z7WekZbF4QCMP6CpSEyh+EQLYPPZgCo9NPntbsFadUzBcSLehRv5EQdaO+0Dp3M rFew== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=VV5CE1xz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v11si4111116eda.22.2019.11.21.22.26.50; Thu, 21 Nov 2019 22:27:13 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=VV5CE1xz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728231AbfKVFvl (ORCPT + 99 others); Fri, 22 Nov 2019 00:51:41 -0500 Received: from mail.kernel.org ([198.145.29.99]:56734 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728184AbfKVFve (ORCPT ); Fri, 22 Nov 2019 00:51:34 -0500 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id DD24F2077B; Fri, 22 Nov 2019 05:51:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1574401893; bh=/3HkWOlR2dU9QLO0moTsiH4d2QGGmw01hAMxrei0oLs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=VV5CE1xzMHGseDhXMsmO5/UcaFFGoU+896NL4FtllD1elUuzRR8yo4sRQjksr5MGQ Uk+1ZUz2Ck9HqMHyxphBzvVQ9jM6i3KaK3XKqbFmLoCGYLJDEeWXrptdwvet5xTCKI dlLMMP+TgGjmFaoXqQFY5pUfbsV2yZwLn2BaKgmo= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Lars Ellenberg , Jens Axboe , Sasha Levin , drbd-dev@lists.linbit.com, linux-block@vger.kernel.org Subject: [PATCH AUTOSEL 4.19 126/219] drbd: reject attach of unsuitable uuids even if connected Date: Fri, 22 Nov 2019 00:47:38 -0500 Message-Id: <20191122054911.1750-119-sashal@kernel.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191122054911.1750-1-sashal@kernel.org> References: <20191122054911.1750-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Lars Ellenberg [ Upstream commit fe43ed97bba3b11521abd934b83ed93143470e4f ] Multiple failure scenario: a) all good Connected Primary/Secondary UpToDate/UpToDate b) lose disk on Primary, Connected Primary/Secondary Diskless/UpToDate c) continue to write to the device, changes only make it to the Secondary storage. d) lose disk on Secondary, Connected Primary/Secondary Diskless/Diskless e) now try to re-attach on Primary This would have succeeded before, even though that is clearly the wrong data set to attach to (missing the modifications from c). Because we only compared our "effective" and the "to-be-attached" data generation uuid tags if (device->state.conn < C_CONNECTED). Fix: change that constraint to (device->state.pdsk != D_UP_TO_DATE) compare the uuids, and reject the attach. This patch also tries to improve the reverse scenario: first lose Secondary, then Primary disk, then try to attach the disk on Secondary. Before this patch, the attach on the Secondary succeeds, but since commit drbd: disconnect, if the wrong UUIDs are attached on a connected peer the Primary will notice unsuitable data, and drop the connection hard. Though unfortunately at a point in time during the handshake where we cannot easily abort the attach on the peer without more refactoring of the handshake. We now reject any attach to "unsuitable" uuids, as long as we can see a Primary role, unless we already have access to "good" data. Signed-off-by: Lars Ellenberg Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin --- drivers/block/drbd/drbd_nl.c | 6 +++--- drivers/block/drbd/drbd_receiver.c | 19 +++++++++++++++++++ 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c index 319fabdd63a3f..3366c1a91ee00 100644 --- a/drivers/block/drbd/drbd_nl.c +++ b/drivers/block/drbd/drbd_nl.c @@ -1935,9 +1935,9 @@ int drbd_adm_attach(struct sk_buff *skb, struct genl_info *info) } } - if (device->state.conn < C_CONNECTED && - device->state.role == R_PRIMARY && device->ed_uuid && - (device->ed_uuid & ~((u64)1)) != (nbc->md.uuid[UI_CURRENT] & ~((u64)1))) { + if (device->state.pdsk != D_UP_TO_DATE && device->ed_uuid && + (device->state.role == R_PRIMARY || device->state.peer == R_PRIMARY) && + (device->ed_uuid & ~((u64)1)) != (nbc->md.uuid[UI_CURRENT] & ~((u64)1))) { drbd_err(device, "Can only attach to data with current UUID=%016llX\n", (unsigned long long)device->ed_uuid); retcode = ERR_DATA_NOT_CURRENT; diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c index c9e8d61dea248..cbb6ef719978f 100644 --- a/drivers/block/drbd/drbd_receiver.c +++ b/drivers/block/drbd/drbd_receiver.c @@ -4395,6 +4395,25 @@ static int receive_state(struct drbd_connection *connection, struct packet_info if (peer_state.conn == C_AHEAD) ns.conn = C_BEHIND; + /* TODO: + * if (primary and diskless and peer uuid != effective uuid) + * abort attach on peer; + * + * If this node does not have good data, was already connected, but + * the peer did a late attach only now, trying to "negotiate" with me, + * AND I am currently Primary, possibly frozen, with some specific + * "effective" uuid, this should never be reached, really, because + * we first send the uuids, then the current state. + * + * In this scenario, we already dropped the connection hard + * when we received the unsuitable uuids (receive_uuids(). + * + * Should we want to change this, that is: not drop the connection in + * receive_uuids() already, then we would need to add a branch here + * that aborts the attach of "unsuitable uuids" on the peer in case + * this node is currently Diskless Primary. + */ + if (device->p_uuid && peer_state.disk >= D_NEGOTIATING && get_ldev_if_state(device, D_NEGOTIATING)) { int cr; /* consider resync */ -- 2.20.1