Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Content-Type: text/plain;
        charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.14\))
Subject: Re: once again problems with interrupted slots
From:   Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <CAN-5tyFdof2MxKn5wG6k3eJRjNKJeC1VvQ4qOYC-ByYfnoUWPg@mail.gmail.com>
Date:   Tue, 9 Jun 2020 14:29:17 -0400
Cc:     Tom Talpey <tom@talpey.com>, Bill Baker <Bill.Baker@oracle.com>,
        Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
        Trond Myklebust <trond.myklebust@hammerspace.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <B739E4A6-0FD5-4CDE-9917-03897B01FF31@oracle.com>
References: <CAN-5tyFCotATeYVR0J1B_UaxhXYBDhp21LbFEzZtLYmgN_i+hg@mail.gmail.com>
 <13bed646-39b7-197e-ff90-85f8af10d93c@talpey.com>
 <CAN-5tyFdof2MxKn5wG6k3eJRjNKJeC1VvQ4qOYC-ByYfnoUWPg@mail.gmail.com>
To:     Olga Kornievskaia <aglo@umich.edu>
Sender: linux-nfs-owner@vger.kernel.org
Precedence: bulk


> On Jun 5, 2020, at 9:24 AM, Olga Kornievskaia <aglo@umich.edu> wrote:
>=20
> On Fri, Jun 5, 2020 at 8:06 AM Tom Talpey <tom@talpey.com> wrote:
>>=20
>> On 6/4/2020 5:21 PM, Olga Kornievskaia wrote:
>>> Hi Trond,
>>>=20
>>> There is a problem with interrupted slots (yet again).
>>>=20
>>> We send an operation to the server and it gets interrupted by the a =
signal.
>>>=20
>>> We used to send a sole SEQUENCE to remove the problem of having real
>>> operation get an out of the cache reply and failing. Now we are not
>>> doing it again (since 3453d5708 NFSv4.1: Avoid false retries when =
RPC
>>> calls are interrupted"). So the problem is
>>>=20
>>> We bump the sequence on the next use of the slot, and get =
SEQ_MISORDERED.
>>=20
>> Misordered? It sounds like the client isn't managing the sequence
>> number, or perhaps the server never saw the original request, and
>> is being overly strict.
>=20
> Well, both the client and the server are acting appropriately.  I'm
> not arguing against bumping the sequence. Client sent say REMOVE with
> slot=3D1 seq=3D5 which got interrupted. So client doesn't know in what
> state the slot is left. So it sends the next operation say READ with
> slot=3D1 seq=3D6. Server acts appropriately too, as it's version of =
the
> slot has seq=3D4, this request with seq=3D6 gets SEQ_MISORDERED.
>=20
>>> We decrement the number back to the interrupted operation. This gets
>>> us a reply out of the cache. We again fail with REMOTE EIO error.
>>=20
>> Ew. The client *decrements* the sequence?
>=20
> Yes, as client then decides that server never received seq=3D5 =
operation
> so it re-sends with seq=3D5. But in reality seq=3D5 operation also =
reached
> the server so it has 2 requests REMOVE/READ both with seq=3D5 for
> slot=3D1. This leads to READ failing with some error.

> We used to before send a sole SEQUENCE when we have an interrupted
> slot to sync up the seq numbers. But commit 3453d5708 changed that and
> I would like to understand why. As I think we need to go back to
> sending sole SEQUENCE.

I think that's right. The question I have is _when_ a client
should use a SEQUENCE probe to resolve the problem.

>> On Wed Jun 20 17:53:34 2018 -0400, Trond Myklebust wrote:
>> NFSv4.1: Avoid false retries when RPC calls are interrupted
>>=20
>> A 'false retry' in NFSv4.1 occurs when the client attempts to =
transmit a
>> new RPC call using a slot+sequence number combination that references =
an
>> already cached one. Currently, the Linux NFS client will do this if a
>> user process interrupts an RPC call that is in progress.
>> The problem with doing so is that we defeat the main mechanism used =
by
>> the server to differentiate between a new call and a replayed one.  =
Even
>> if the server is able to perfectly cache the arguments of the old =
call,
>> it cannot know if the client intended to replay or send a new call.

The first and third sentences together seem to mean that:

The Linux client can transmit a new call using a slot and
sequence that references an already cached one, but it should
never do that.

The fourth sentence suggests that it is entirely up to the
client to ensure this aspect of session operation is correct
because the specification does not require a server to cache
Call arguments.

So 3453d5708 is a client bug fix, and thus probably cannot be
simply reverted without exposing an old bug.

The second sentence implies that the client used to know exactly
when there might be (client-induced) disagreement between the
slot sequence numbers on the client and server.

I'm a little naive about this stuff... but it seems to me that,
in those cases, the client should not retire that slot before
it ascertains whether the client and server sequence numbers
are in agreement.

In other words, instead of having the next slot user deal with
the fallout of an interrupted operation, the client should
ensure the client and server agree on slot state (possibly via
a singleton SEQUENCE probe) _before_ it retires the interrupted
slot. If the disagreement cannot be resolved, then the client
must not use that slot again.

Tom points out that there are only two valid sequence number
values on the server: N (Call received) or N-1 (Call not
received). Outside of those two, slot state is not recoverable.
That should enable slot recovery to be completed (success or
failure) in no more than one or two operations.

Perhaps the fix in 3453d5708 is incorrect or incomplete. Is
there a way to alter it to make it work, or should it be
reverted and replaced?

> On Jun 5, 2020, at 11:30 AM, Olga Kornievskaia <aglo@umich.edu> wrote:
> Not ever using an interrupted slot seems too drastic (we can end up
> with a session where all slots are unusable. or losing slots also
> means losing ability to send more requests in parallel). I thought
> that's given a sequence of events and error codes we should be able to
> re-sync the slot.

Maybe not so drastic. The way to prevent a deadlock if all slots
become unusable is to use DESTROY_SESSION and then create a fresh
session. The client could even do that preemptively if there are
more than, say, two or three unusable slots in a session.

Session-draining logic would need to continue to flush in-use
slots, but skip slots that are marked unusable to avoid a hang.

--
Chuck Lever