[PATCH 0/2] rbd: prevent open of image being unmapped

[PATCH 0/2] rbd: prevent open of image being unmapped

[Alex Elder]

This series protects an open of a mapped rbd image from succeeding
once an unmap of that image is underway.

Note:  Once committed these should be back-ported.

					-Alex

[PATCH 1/2] rbd: define flags field, use it for exists flag
[PATCH 2/2] rbd: prevent open for image being removed

[PATCH 1/2] rbd: define flags field, use it for exists flag

[Alex Elder]

Define a new rbd device flags field, manipulated using atomic bit
operations.  Replace the use of the current "exists" flag with a
bit in this new "flags" field.

Signed-off-by: Alex Elder <elder@inktank.com>
---
 drivers/block/rbd.c |   17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 02002b1..9eb1631 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -232,7 +232,7 @@ struct rbd_device {
 	spinlock_t		lock;		/* queue lock */

 	struct rbd_image_header	header;
-	atomic_t		exists;
+	unsigned long		flags;
 	struct rbd_spec		*spec;

 	char			*header_name;
@@ -260,6 +260,12 @@ struct rbd_device {
 	unsigned long		open_count;
 };

+/* Flag bits for rbd_dev->flags */
+
+enum rbd_dev_flags {
+	rbd_dev_flag_exists,	/* mapped snapshot has not been deleted */
+};
+
 static DEFINE_MUTEX(ctl_mutex);	  /* Serialize open/close/setup/teardown */

 static LIST_HEAD(rbd_dev_list);    /* devices */
@@ -756,7 +762,8 @@ static int rbd_dev_set_mapping(struct rbd_device
*rbd_dev)
 			goto done;
 		rbd_dev->mapping.read_only = true;
 	}
-	atomic_set(&rbd_dev->exists, 1);
+	set_bit(rbd_dev_flag_exists, &rbd_dev->flags);
+
 done:
 	return ret;
 }
@@ -1654,7 +1661,7 @@ static void rbd_rq_fn(struct request_queue *q)
 			snapc = ceph_get_snap_context(rbd_dev->header.snapc);
 			up_read(&rbd_dev->header_rwsem);
 			rbd_assert(snapc != NULL);
-		} else if (!atomic_read(&rbd_dev->exists)) {
+		} else if (!test_bit(rbd_dev_flag_exists, &rbd_dev->flags)) {
 			rbd_assert(rbd_dev->spec->snap_id != CEPH_NOSNAP);
 			dout("request for non-existent snapshot");
 			result = -ENXIO;
@@ -2270,7 +2277,7 @@ struct rbd_device *rbd_dev_create(struct
rbd_client *rbdc,
 		return NULL;

 	spin_lock_init(&rbd_dev->lock);
-	atomic_set(&rbd_dev->exists, 0);
+	rbd_dev->flags = 0;
 	INIT_LIST_HEAD(&rbd_dev->node);
 	INIT_LIST_HEAD(&rbd_dev->snaps);
 	init_rwsem(&rbd_dev->header_rwsem);
@@ -2902,7 +2909,7 @@ static int rbd_dev_snaps_update(struct rbd_device
*rbd_dev)
 			/* Existing snapshot not in the new snap context */

 			if (rbd_dev->spec->snap_id == snap->id)
-				atomic_set(&rbd_dev->exists, 0);
+				set_bit(rbd_dev_flag_exists, &rbd_dev->flags);
 			rbd_remove_snap_dev(snap);
 			dout("%ssnap id %llu has been removed\n",
 				rbd_dev->spec->snap_id == snap->id ?
-- 
1.7.9.5

[PATCH 2/2] rbd: prevent open for image being removed

[Alex Elder]

An open request for a mapped rbd image can arrive while removal of
that mapping is underway.  The control mutex and an open count is
protect a mapped device that's in use from being removed.  But it
is possible for the removal of the mapping to reach the point of no
return *after* a racing open has concluded it is OK to proceed.  The
result of this is not good.

Define and use a flag to indicate a mapping is getting removed to
avoid this problem.

This addresses http://tracker.newdream.net/issues/3427

Signed-off-by: Alex Elder <elder@inktank.com>
---
 drivers/block/rbd.c |   15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 9eb1631..760f7f7 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -264,6 +264,7 @@ struct rbd_device {

 enum rbd_dev_flags {
 	rbd_dev_flag_exists,	/* mapped snapshot has not been deleted */
+	rbd_dev_flag_removing,	/* this mapping is being removed */
 };

 static DEFINE_MUTEX(ctl_mutex);	  /* Serialize open/close/setup/teardown */
@@ -351,17 +352,22 @@ static int rbd_dev_v2_refresh(struct rbd_device
*rbd_dev, u64 *hver);
 static int rbd_open(struct block_device *bdev, fmode_t mode)
 {
 	struct rbd_device *rbd_dev = bdev->bd_disk->private_data;
+	int ret = 0;

 	if ((mode & FMODE_WRITE) && rbd_dev->mapping.read_only)
 		return -EROFS;

 	mutex_lock_nested(&ctl_mutex, SINGLE_DEPTH_NESTING);
-	(void) get_device(&rbd_dev->dev);
-	set_device_ro(bdev, rbd_dev->mapping.read_only);
-	rbd_dev->open_count++;
+	if (!test_bit(rbd_dev_flag_removing, &rbd_dev->flags)) {
+		(void) get_device(&rbd_dev->dev);
+		set_device_ro(bdev, rbd_dev->mapping.read_only);
+		rbd_dev->open_count++;
+	} else {
+		ret = -ENOENT;
+	}
 	mutex_unlock(&ctl_mutex);

-	return 0;
+	return ret;
 }

 static int rbd_release(struct gendisk *disk, fmode_t mode)
@@ -3796,6 +3802,7 @@ static ssize_t rbd_remove(struct bus_type *bus,
 		ret = -EBUSY;
 		goto done;
 	}
+	set_bit(rbd_dev_flag_removing, &rbd_dev->flags);

 	rbd_remove_all_snaps(rbd_dev);
 	rbd_bus_del_dev(rbd_dev);
-- 
1.7.9.5

Re: [PATCH 1/2] rbd: define flags field, use it for exists flag

[Dan Mick]

I see that set_bit is atomic, but I don't see that test_bit is.  Am I 
missing a subtlety?

On 01/14/2013 10:50 AM, Alex Elder wrote:
> Define a new rbd device flags field, manipulated using atomic bit
> operations.  Replace the use of the current "exists" flag with a
> bit in this new "flags" field.
>
> Signed-off-by: Alex Elder <elder@inktank.com>
> ---
>   drivers/block/rbd.c |   17 ++++++++++++-----
>   1 file changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
> index 02002b1..9eb1631 100644
> --- a/drivers/block/rbd.c
> +++ b/drivers/block/rbd.c
> @@ -232,7 +232,7 @@ struct rbd_device {
>   	spinlock_t		lock;		/* queue lock */
>
>   	struct rbd_image_header	header;
> -	atomic_t		exists;
> +	unsigned long		flags;
>   	struct rbd_spec		*spec;
>
>   	char			*header_name;
> @@ -260,6 +260,12 @@ struct rbd_device {
>   	unsigned long		open_count;
>   };
>
> +/* Flag bits for rbd_dev->flags */
> +
> +enum rbd_dev_flags {
> +	rbd_dev_flag_exists,	/* mapped snapshot has not been deleted */
> +};
> +
>   static DEFINE_MUTEX(ctl_mutex);	  /* Serialize open/close/setup/teardown */
>
>   static LIST_HEAD(rbd_dev_list);    /* devices */
> @@ -756,7 +762,8 @@ static int rbd_dev_set_mapping(struct rbd_device
> *rbd_dev)
>   			goto done;
>   		rbd_dev->mapping.read_only = true;
>   	}
> -	atomic_set(&rbd_dev->exists, 1);
> +	set_bit(rbd_dev_flag_exists, &rbd_dev->flags);
> +
>   done:
>   	return ret;
>   }
> @@ -1654,7 +1661,7 @@ static void rbd_rq_fn(struct request_queue *q)
>   			snapc = ceph_get_snap_context(rbd_dev->header.snapc);
>   			up_read(&rbd_dev->header_rwsem);
>   			rbd_assert(snapc != NULL);
> -		} else if (!atomic_read(&rbd_dev->exists)) {
> +		} else if (!test_bit(rbd_dev_flag_exists, &rbd_dev->flags)) {
>   			rbd_assert(rbd_dev->spec->snap_id != CEPH_NOSNAP);
>   			dout("request for non-existent snapshot");
>   			result = -ENXIO;
> @@ -2270,7 +2277,7 @@ struct rbd_device *rbd_dev_create(struct
> rbd_client *rbdc,
>   		return NULL;
>
>   	spin_lock_init(&rbd_dev->lock);
> -	atomic_set(&rbd_dev->exists, 0);
> +	rbd_dev->flags = 0;
>   	INIT_LIST_HEAD(&rbd_dev->node);
>   	INIT_LIST_HEAD(&rbd_dev->snaps);
>   	init_rwsem(&rbd_dev->header_rwsem);
> @@ -2902,7 +2909,7 @@ static int rbd_dev_snaps_update(struct rbd_device
> *rbd_dev)
>   			/* Existing snapshot not in the new snap context */
>
>   			if (rbd_dev->spec->snap_id == snap->id)
> -				atomic_set(&rbd_dev->exists, 0);
> +				set_bit(rbd_dev_flag_exists, &rbd_dev->flags);
>   			rbd_remove_snap_dev(snap);
>   			dout("%ssnap id %llu has been removed\n",
>   				rbd_dev->spec->snap_id == snap->id ?
>

Re: [PATCH 1/2] rbd: define flags field, use it for exists flag

[Alex Elder]

On 01/14/2013 02:32 PM, Dan Mick wrote:
> I see that set_bit is atomic, but I don't see that test_bit is.  Am I
> missing a subtlety?

That's an interesting observation.  I'm certain it's safe, but
I needed to research it a bit, and I still haven't verified it
to my satisfaction.

I *think* (but please look over the following and see if you
come to the same conclusion) that this operation doesn't need
to be made atomic, because the implementation of the routines
that implement the "set" operations guarantee their effects are
visible once they are done.

But I'm not sure whether "visible" here means precisely that
another CPU will be forced to go read the updated memory when
it calls test_bit().

http://www.kernel.org/doc/Documentation/atomic_ops.txt
The section of interest can be found by looking for the
sentence I'm talking about:
  Likewise, the atomic bit operation must be visible globally before any
  subsequent memory operation is made visible.

It doesn't come right and explain it though.  Please let me
know what you think.

					-Alex


> On 01/14/2013 10:50 AM, Alex Elder wrote:
>> Define a new rbd device flags field, manipulated using atomic bit
>> operations.  Replace the use of the current "exists" flag with a
>> bit in this new "flags" field.
>>
>> Signed-off-by: Alex Elder <elder@inktank.com>
>> ---
>>   drivers/block/rbd.c |   17 ++++++++++++-----
>>   1 file changed, 12 insertions(+), 5 deletions(-)
>>
>> diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
>> index 02002b1..9eb1631 100644
>> --- a/drivers/block/rbd.c
>> +++ b/drivers/block/rbd.c
>> @@ -232,7 +232,7 @@ struct rbd_device {
>>       spinlock_t        lock;        /* queue lock */
>>
>>       struct rbd_image_header    header;
>> -    atomic_t        exists;
>> +    unsigned long        flags;
>>       struct rbd_spec        *spec;
>>
>>       char            *header_name;
>> @@ -260,6 +260,12 @@ struct rbd_device {
>>       unsigned long        open_count;
>>   };
>>
>> +/* Flag bits for rbd_dev->flags */
>> +
>> +enum rbd_dev_flags {
>> +    rbd_dev_flag_exists,    /* mapped snapshot has not been deleted */
>> +};
>> +
>>   static DEFINE_MUTEX(ctl_mutex);      /* Serialize
>> open/close/setup/teardown */
>>
>>   static LIST_HEAD(rbd_dev_list);    /* devices */
>> @@ -756,7 +762,8 @@ static int rbd_dev_set_mapping(struct rbd_device
>> *rbd_dev)
>>               goto done;
>>           rbd_dev->mapping.read_only = true;
>>       }
>> -    atomic_set(&rbd_dev->exists, 1);
>> +    set_bit(rbd_dev_flag_exists, &rbd_dev->flags);
>> +
>>   done:
>>       return ret;
>>   }
>> @@ -1654,7 +1661,7 @@ static void rbd_rq_fn(struct request_queue *q)
>>               snapc = ceph_get_snap_context(rbd_dev->header.snapc);
>>               up_read(&rbd_dev->header_rwsem);
>>               rbd_assert(snapc != NULL);
>> -        } else if (!atomic_read(&rbd_dev->exists)) {
>> +        } else if (!test_bit(rbd_dev_flag_exists, &rbd_dev->flags)) {
>>               rbd_assert(rbd_dev->spec->snap_id != CEPH_NOSNAP);
>>               dout("request for non-existent snapshot");
>>               result = -ENXIO;
>> @@ -2270,7 +2277,7 @@ struct rbd_device *rbd_dev_create(struct
>> rbd_client *rbdc,
>>           return NULL;
>>
>>       spin_lock_init(&rbd_dev->lock);
>> -    atomic_set(&rbd_dev->exists, 0);
>> +    rbd_dev->flags = 0;
>>       INIT_LIST_HEAD(&rbd_dev->node);
>>       INIT_LIST_HEAD(&rbd_dev->snaps);
>>       init_rwsem(&rbd_dev->header_rwsem);
>> @@ -2902,7 +2909,7 @@ static int rbd_dev_snaps_update(struct rbd_device
>> *rbd_dev)
>>               /* Existing snapshot not in the new snap context */
>>
>>               if (rbd_dev->spec->snap_id == snap->id)
>> -                atomic_set(&rbd_dev->exists, 0);
>> +                set_bit(rbd_dev_flag_exists, &rbd_dev->flags);
>>               rbd_remove_snap_dev(snap);
>>               dout("%ssnap id %llu has been removed\n",
>>                   rbd_dev->spec->snap_id == snap->id ?
>>

Re: [PATCH 1/2] rbd: define flags field, use it for exists flag

[Dan Mick]

I think I agree that the claim is that the onus is on the set, and so
I think the proposed code is safe.

On 01/14/2013 01:23 PM, Alex Elder wrote:
> On 01/14/2013 02:32 PM, Dan Mick wrote:
>> I see that set_bit is atomic, but I don't see that test_bit is.  Am I
>> missing a subtlety?
>
> That's an interesting observation.  I'm certain it's safe, but
> I needed to research it a bit, and I still haven't verified it
> to my satisfaction.
>
> I *think* (but please look over the following and see if you
> come to the same conclusion) that this operation doesn't need
> to be made atomic, because the implementation of the routines
> that implement the "set" operations guarantee their effects are
> visible once they are done.
>
> But I'm not sure whether "visible" here means precisely that
> another CPU will be forced to go read the updated memory when
> it calls test_bit().
>
> http://www.kernel.org/doc/Documentation/atomic_ops.txt
> The section of interest can be found by looking for the
> sentence I'm talking about:
>    Likewise, the atomic bit operation must be visible globally before any
>    subsequent memory operation is made visible.
>
> It doesn't come right and explain it though.  Please let me
> know what you think.
>
> 					-Alex
>
>
>> On 01/14/2013 10:50 AM, Alex Elder wrote:
>>> Define a new rbd device flags field, manipulated using atomic bit
>>> operations.  Replace the use of the current "exists" flag with a
>>> bit in this new "flags" field.
>>>
>>> Signed-off-by: Alex Elder <elder@inktank.com>
>>> ---
>>>    drivers/block/rbd.c |   17 ++++++++++++-----
>>>    1 file changed, 12 insertions(+), 5 deletions(-)
>>>
>>> diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
>>> index 02002b1..9eb1631 100644
>>> --- a/drivers/block/rbd.c
>>> +++ b/drivers/block/rbd.c
>>> @@ -232,7 +232,7 @@ struct rbd_device {
>>>        spinlock_t        lock;        /* queue lock */
>>>
>>>        struct rbd_image_header    header;
>>> -    atomic_t        exists;
>>> +    unsigned long        flags;
>>>        struct rbd_spec        *spec;
>>>
>>>        char            *header_name;
>>> @@ -260,6 +260,12 @@ struct rbd_device {
>>>        unsigned long        open_count;
>>>    };
>>>
>>> +/* Flag bits for rbd_dev->flags */
>>> +
>>> +enum rbd_dev_flags {
>>> +    rbd_dev_flag_exists,    /* mapped snapshot has not been deleted */
>>> +};
>>> +
>>>    static DEFINE_MUTEX(ctl_mutex);      /* Serialize
>>> open/close/setup/teardown */
>>>
>>>    static LIST_HEAD(rbd_dev_list);    /* devices */
>>> @@ -756,7 +762,8 @@ static int rbd_dev_set_mapping(struct rbd_device
>>> *rbd_dev)
>>>                goto done;
>>>            rbd_dev->mapping.read_only = true;
>>>        }
>>> -    atomic_set(&rbd_dev->exists, 1);
>>> +    set_bit(rbd_dev_flag_exists, &rbd_dev->flags);
>>> +
>>>    done:
>>>        return ret;
>>>    }
>>> @@ -1654,7 +1661,7 @@ static void rbd_rq_fn(struct request_queue *q)
>>>                snapc = ceph_get_snap_context(rbd_dev->header.snapc);
>>>                up_read(&rbd_dev->header_rwsem);
>>>                rbd_assert(snapc != NULL);
>>> -        } else if (!atomic_read(&rbd_dev->exists)) {
>>> +        } else if (!test_bit(rbd_dev_flag_exists, &rbd_dev->flags)) {
>>>                rbd_assert(rbd_dev->spec->snap_id != CEPH_NOSNAP);
>>>                dout("request for non-existent snapshot");
>>>                result = -ENXIO;
>>> @@ -2270,7 +2277,7 @@ struct rbd_device *rbd_dev_create(struct
>>> rbd_client *rbdc,
>>>            return NULL;
>>>
>>>        spin_lock_init(&rbd_dev->lock);
>>> -    atomic_set(&rbd_dev->exists, 0);
>>> +    rbd_dev->flags = 0;
>>>        INIT_LIST_HEAD(&rbd_dev->node);
>>>        INIT_LIST_HEAD(&rbd_dev->snaps);
>>>        init_rwsem(&rbd_dev->header_rwsem);
>>> @@ -2902,7 +2909,7 @@ static int rbd_dev_snaps_update(struct rbd_device
>>> *rbd_dev)
>>>                /* Existing snapshot not in the new snap context */
>>>
>>>                if (rbd_dev->spec->snap_id == snap->id)
>>> -                atomic_set(&rbd_dev->exists, 0);
>>> +                set_bit(rbd_dev_flag_exists, &rbd_dev->flags);
>>>                rbd_remove_snap_dev(snap);
>>>                dout("%ssnap id %llu has been removed\n",
>>>                    rbd_dev->spec->snap_id == snap->id ?
>>>
>

Re: [PATCH 1/2] rbd: define flags field, use it for exists flag

[Dan Mick]

Reviewed-by: Dan Mick <dan.mick@inktank.com>

On 01/14/2013 10:50 AM, Alex Elder wrote:
> Define a new rbd device flags field, manipulated using atomic bit
> operations.  Replace the use of the current "exists" flag with a
> bit in this new "flags" field.
>
> Signed-off-by: Alex Elder <elder@inktank.com>
> ---
>   drivers/block/rbd.c |   17 ++++++++++++-----
>   1 file changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
> index 02002b1..9eb1631 100644
> --- a/drivers/block/rbd.c
> +++ b/drivers/block/rbd.c
> @@ -232,7 +232,7 @@ struct rbd_device {
>   	spinlock_t		lock;		/* queue lock */
>
>   	struct rbd_image_header	header;
> -	atomic_t		exists;
> +	unsigned long		flags;
>   	struct rbd_spec		*spec;
>
>   	char			*header_name;
> @@ -260,6 +260,12 @@ struct rbd_device {
>   	unsigned long		open_count;
>   };
>
> +/* Flag bits for rbd_dev->flags */
> +
> +enum rbd_dev_flags {
> +	rbd_dev_flag_exists,	/* mapped snapshot has not been deleted */
> +};
> +
>   static DEFINE_MUTEX(ctl_mutex);	  /* Serialize open/close/setup/teardown */
>
>   static LIST_HEAD(rbd_dev_list);    /* devices */
> @@ -756,7 +762,8 @@ static int rbd_dev_set_mapping(struct rbd_device
> *rbd_dev)
>   			goto done;
>   		rbd_dev->mapping.read_only = true;
>   	}
> -	atomic_set(&rbd_dev->exists, 1);
> +	set_bit(rbd_dev_flag_exists, &rbd_dev->flags);
> +
>   done:
>   	return ret;
>   }
> @@ -1654,7 +1661,7 @@ static void rbd_rq_fn(struct request_queue *q)
>   			snapc = ceph_get_snap_context(rbd_dev->header.snapc);
>   			up_read(&rbd_dev->header_rwsem);
>   			rbd_assert(snapc != NULL);
> -		} else if (!atomic_read(&rbd_dev->exists)) {
> +		} else if (!test_bit(rbd_dev_flag_exists, &rbd_dev->flags)) {
>   			rbd_assert(rbd_dev->spec->snap_id != CEPH_NOSNAP);
>   			dout("request for non-existent snapshot");
>   			result = -ENXIO;
> @@ -2270,7 +2277,7 @@ struct rbd_device *rbd_dev_create(struct
> rbd_client *rbdc,
>   		return NULL;
>
>   	spin_lock_init(&rbd_dev->lock);
> -	atomic_set(&rbd_dev->exists, 0);
> +	rbd_dev->flags = 0;
>   	INIT_LIST_HEAD(&rbd_dev->node);
>   	INIT_LIST_HEAD(&rbd_dev->snaps);
>   	init_rwsem(&rbd_dev->header_rwsem);
> @@ -2902,7 +2909,7 @@ static int rbd_dev_snaps_update(struct rbd_device
> *rbd_dev)
>   			/* Existing snapshot not in the new snap context */
>
>   			if (rbd_dev->spec->snap_id == snap->id)
> -				atomic_set(&rbd_dev->exists, 0);
> +				set_bit(rbd_dev_flag_exists, &rbd_dev->flags);
>   			rbd_remove_snap_dev(snap);
>   			dout("%ssnap id %llu has been removed\n",
>   				rbd_dev->spec->snap_id == snap->id ?
>

Re: [PATCH 1/2] rbd: define flags field, use it for exists flag

[Josh Durgin]

On 01/14/2013 01:23 PM, Alex Elder wrote:
> On 01/14/2013 02:32 PM, Dan Mick wrote:
>> I see that set_bit is atomic, but I don't see that test_bit is.  Am I
>> missing a subtlety?
>
> That's an interesting observation.  I'm certain it's safe, but
> I needed to research it a bit, and I still haven't verified it
> to my satisfaction.
>
> I *think* (but please look over the following and see if you
> come to the same conclusion) that this operation doesn't need
> to be made atomic, because the implementation of the routines
> that implement the "set" operations guarantee their effects are
> visible once they are done.
>
> But I'm not sure whether "visible" here means precisely that
> another CPU will be forced to go read the updated memory when
> it calls test_bit().
>
> http://www.kernel.org/doc/Documentation/atomic_ops.txt
> The section of interest can be found by looking for the
> sentence I'm talking about:
>    Likewise, the atomic bit operation must be visible globally before any
>    subsequent memory operation is made visible.

I read that differently. I think that only applies to the test_and_set 
style operations mentioned directly above, not set_bit.

Documentation/memory-barriers.txt confirms this interpretation:

     The following operations are potential problems as they do
     _not_ imply memory barriers, but might be used for
     implementing such things as UNLOCK-class operations:

             atomic_set();
             set_bit();
             clear_bit();
             change_bit();

     With these the appropriate explicit memory barrier should be
     used if necessary (smp_mb__before_clear_bit() for instance).

And:

     Memory operations that occur after an UNLOCK operation may appear to
     happen before it completes.

So I think we need a memory barrier before and after set_bit for the
removing flag, but we don't need barriers for the exists flag, since
it's a best-effort value that can't stop already-in-flight requests.

Josh

> It doesn't come right and explain it though.  Please let me
> know what you think.
>
> 					-Alex
>
>
>> On 01/14/2013 10:50 AM, Alex Elder wrote:
>>> Define a new rbd device flags field, manipulated using atomic bit
>>> operations.  Replace the use of the current "exists" flag with a
>>> bit in this new "flags" field.
>>>
>>> Signed-off-by: Alex Elder <elder@inktank.com>
>>> ---
>>>    drivers/block/rbd.c |   17 ++++++++++++-----
>>>    1 file changed, 12 insertions(+), 5 deletions(-)
>>>
>>> diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
>>> index 02002b1..9eb1631 100644
>>> --- a/drivers/block/rbd.c
>>> +++ b/drivers/block/rbd.c
>>> @@ -232,7 +232,7 @@ struct rbd_device {
>>>        spinlock_t        lock;        /* queue lock */
>>>
>>>        struct rbd_image_header    header;
>>> -    atomic_t        exists;
>>> +    unsigned long        flags;
>>>        struct rbd_spec        *spec;
>>>
>>>        char            *header_name;
>>> @@ -260,6 +260,12 @@ struct rbd_device {
>>>        unsigned long        open_count;
>>>    };
>>>
>>> +/* Flag bits for rbd_dev->flags */
>>> +
>>> +enum rbd_dev_flags {
>>> +    rbd_dev_flag_exists,    /* mapped snapshot has not been deleted */
>>> +};
>>> +
>>>    static DEFINE_MUTEX(ctl_mutex);      /* Serialize
>>> open/close/setup/teardown */
>>>
>>>    static LIST_HEAD(rbd_dev_list);    /* devices */
>>> @@ -756,7 +762,8 @@ static int rbd_dev_set_mapping(struct rbd_device
>>> *rbd_dev)
>>>                goto done;
>>>            rbd_dev->mapping.read_only = true;
>>>        }
>>> -    atomic_set(&rbd_dev->exists, 1);
>>> +    set_bit(rbd_dev_flag_exists, &rbd_dev->flags);
>>> +
>>>    done:
>>>        return ret;
>>>    }
>>> @@ -1654,7 +1661,7 @@ static void rbd_rq_fn(struct request_queue *q)
>>>                snapc = ceph_get_snap_context(rbd_dev->header.snapc);
>>>                up_read(&rbd_dev->header_rwsem);
>>>                rbd_assert(snapc != NULL);
>>> -        } else if (!atomic_read(&rbd_dev->exists)) {
>>> +        } else if (!test_bit(rbd_dev_flag_exists, &rbd_dev->flags)) {
>>>                rbd_assert(rbd_dev->spec->snap_id != CEPH_NOSNAP);
>>>                dout("request for non-existent snapshot");
>>>                result = -ENXIO;
>>> @@ -2270,7 +2277,7 @@ struct rbd_device *rbd_dev_create(struct
>>> rbd_client *rbdc,
>>>            return NULL;
>>>
>>>        spin_lock_init(&rbd_dev->lock);
>>> -    atomic_set(&rbd_dev->exists, 0);
>>> +    rbd_dev->flags = 0;
>>>        INIT_LIST_HEAD(&rbd_dev->node);
>>>        INIT_LIST_HEAD(&rbd_dev->snaps);
>>>        init_rwsem(&rbd_dev->header_rwsem);
>>> @@ -2902,7 +2909,7 @@ static int rbd_dev_snaps_update(struct rbd_device
>>> *rbd_dev)
>>>                /* Existing snapshot not in the new snap context */
>>>
>>>                if (rbd_dev->spec->snap_id == snap->id)
>>> -                atomic_set(&rbd_dev->exists, 0);
>>> +                set_bit(rbd_dev_flag_exists, &rbd_dev->flags);
>>>                rbd_remove_snap_dev(snap);
>>>                dout("%ssnap id %llu has been removed\n",
>>>                    rbd_dev->spec->snap_id == snap->id ?
>>>

Re: [PATCH 1/2] rbd: define flags field, use it for exists flag

[Alex Elder]

On 01/15/2013 07:08 PM, Josh Durgin wrote:
> On 01/14/2013 01:23 PM, Alex Elder wrote:
>> On 01/14/2013 02:32 PM, Dan Mick wrote:
>>> I see that set_bit is atomic, but I don't see that test_bit is.  Am I
>>> missing a subtlety?
>>
>> That's an interesting observation.  I'm certain it's safe, but
>> I needed to research it a bit, and I still haven't verified it
>> to my satisfaction.
>>
>> I *think* (but please look over the following and see if you
>> come to the same conclusion) that this operation doesn't need
>> to be made atomic, because the implementation of the routines
>> that implement the "set" operations guarantee their effects are
>> visible once they are done.
>>
>> But I'm not sure whether "visible" here means precisely that
>> another CPU will be forced to go read the updated memory when
>> it calls test_bit().
>>
>> http://www.kernel.org/doc/Documentation/atomic_ops.txt
>> The section of interest can be found by looking for the
>> sentence I'm talking about:
>>    Likewise, the atomic bit operation must be visible globally before any
>>    subsequent memory operation is made visible.
> 
> I read that differently. I think that only applies to the test_and_set
> style operations mentioned directly above, not set_bit.
> 
> Documentation/memory-barriers.txt confirms this interpretation:
> 
>     The following operations are potential problems as they do
>     _not_ imply memory barriers, but might be used for
>     implementing such things as UNLOCK-class operations:
> 
>             atomic_set();
>             set_bit();
>             clear_bit();
>             change_bit();
> 
>     With these the appropriate explicit memory barrier should be
>     used if necessary (smp_mb__before_clear_bit() for instance).
> 
> And:
> 
>     Memory operations that occur after an UNLOCK operation may appear to
>     happen before it completes.
> 
> So I think we need a memory barrier before and after set_bit for the
> removing flag, but we don't need barriers for the exists flag, since
> it's a best-effort value that can't stop already-in-flight requests.

You know, I agree with your analysis but now I'm not sure
even that's enough.

Here's the code in question (from the other patch):

Test side:
        mutex_lock_nested(&ctl_mutex, SINGLE_DEPTH_NESTING);
        if (!test_bit(rbd_dev_flag_removing, &rbd_dev->flags)) {
                (void) get_device(&rbd_dev->dev);
                set_device_ro(bdev, rbd_dev->mapping.read_only);
                rbd_dev->open_count++;
        } else {
                ret = -ENOENT;
        }
        mutex_unlock(&ctl_mutex);


Set side:
        if (rbd_dev->open_count) {
                ret = -EBUSY;
                goto done;
        }
        set_bit(rbd_dev_flag_removing, &rbd_dev->flags);

And here's the scenario I'm thinking about.  Initially,
suppose rbd_dev->open_count is 0 and the removing flag
is not set.

OPENING THREAD                  UNMAPPING THREAD
--------------                  ----------------
                                if (rbd_dev->open_count) {
                                    /* not taken, it's zero */
                                    ret = -EBUSY;
                                    goto done;
                                }
if (!test_bit(removing)) {
    /* not set yet! */          /* barrier won't help here */
                                set_bit(removing);
                                /* clean stuff up */
    rbd_dev->open_count++;      /* == kablooie == */
} else {
    ret = -ENOENT;
}

So I think we need a spinlock, or some other thing.

In any case, I'm not going to commit this change until
we've had a chance to talk about it a little more.

					-Alex

[PATCH 1/2] rbd: define flags field, use it for exists flag

[Alex Elder]

Define a new rbd device flags field, manipulated using bit
operations.  Replace the use of the current "exists" flag with a bit
in this new "flags" field.  Add a little commentary about the
"exists" flag, which does not need to be manipulated atomically.

Signed-off-by: Alex Elder <elder@inktank.com>
---
 drivers/block/rbd.c |   37 ++++++++++++++++++++++++++++---------
 1 file changed, 28 insertions(+), 9 deletions(-)

diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 177ba0c..107df40 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -262,7 +262,7 @@ struct rbd_device {
 	spinlock_t		lock;		/* queue lock */

 	struct rbd_image_header	header;
-	atomic_t		exists;
+	unsigned long		flags;
 	struct rbd_spec		*spec;

 	char			*header_name;
@@ -291,6 +291,12 @@ struct rbd_device {
 	unsigned long		open_count;
 };

+/* Flag bits for rbd_dev->flags */
+
+enum rbd_dev_flags {
+	rbd_dev_flag_exists,	/* mapped snapshot has not been deleted */
+};
+
 static DEFINE_MUTEX(ctl_mutex);	  /* Serialize open/close/setup/teardown */

 static LIST_HEAD(rbd_dev_list);    /* devices */
@@ -790,7 +796,8 @@ static int rbd_dev_set_mapping(struct rbd_device
*rbd_dev)
 			goto done;
 		rbd_dev->mapping.read_only = true;
 	}
-	atomic_set(&rbd_dev->exists, 1);
+	set_bit(rbd_dev_flag_exists, &rbd_dev->flags);
+
 done:
 	return ret;
 }
@@ -1886,9 +1893,14 @@ static void rbd_request_fn(struct request_queue *q)
 			rbd_assert(rbd_dev->spec->snap_id == CEPH_NOSNAP);
 		}

-		/* Quit early if the snapshot has disappeared */
-
-		if (!atomic_read(&rbd_dev->exists)) {
+		/*
+		 * Quit early if the mapped snapshot no longer
+		 * exists.  It's still possible the snapshot will
+		 * have disappeared by the time our request arrives
+		 * at the osd, but there's no sense in sending it if
+		 * we already know.
+		 */
+		if (!test_bit(rbd_dev_flag_exists, &rbd_dev->flags)) {
 			dout("request for non-existent snapshot");
 			rbd_assert(rbd_dev->spec->snap_id != CEPH_NOSNAP);
 			result = -ENXIO;
@@ -2578,7 +2590,7 @@ struct rbd_device *rbd_dev_create(struct
rbd_client *rbdc,
 		return NULL;

 	spin_lock_init(&rbd_dev->lock);
-	atomic_set(&rbd_dev->exists, 0);
+	rbd_dev->flags = 0;
 	INIT_LIST_HEAD(&rbd_dev->node);
 	INIT_LIST_HEAD(&rbd_dev->snaps);
 	init_rwsem(&rbd_dev->header_rwsem);
@@ -3207,10 +3219,17 @@ static int rbd_dev_snaps_update(struct
rbd_device *rbd_dev)
 		if (snap_id == CEPH_NOSNAP || (snap && snap->id > snap_id)) {
 			struct list_head *next = links->next;

-			/* Existing snapshot not in the new snap context */
-
+			/*
+			 * A previously-existing snapshot is not in
+			 * the new snap context.
+			 *
+			 * If the now missing snapshot is the one the
+			 * image is mapped to, clear its exists flag
+			 * so we can avoid sending any more requests
+			 * to it.
+			 */
 			if (rbd_dev->spec->snap_id == snap->id)
-				atomic_set(&rbd_dev->exists, 0);
+				clear_bit(rbd_dev_flag_exists, &rbd_dev->flags);
 			rbd_remove_snap_dev(snap);
 			dout("%ssnap id %llu has been removed\n",
 				rbd_dev->spec->snap_id == snap->id ?
-- 
1.7.9.5

Re: [PATCH 1/2] rbd: define flags field, use it for exists flag

[Josh Durgin]

Reviewed-by: Josh Durgin <josh.durgin@inktank.com>

On 01/28/2013 02:09 PM, Alex Elder wrote:
> Define a new rbd device flags field, manipulated using bit
> operations.  Replace the use of the current "exists" flag with a bit
> in this new "flags" field.  Add a little commentary about the
> "exists" flag, which does not need to be manipulated atomically.
>
> Signed-off-by: Alex Elder <elder@inktank.com>
> ---
>   drivers/block/rbd.c |   37 ++++++++++++++++++++++++++++---------
>   1 file changed, 28 insertions(+), 9 deletions(-)
>
> diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
> index 177ba0c..107df40 100644
> --- a/drivers/block/rbd.c
> +++ b/drivers/block/rbd.c
> @@ -262,7 +262,7 @@ struct rbd_device {
>   	spinlock_t		lock;		/* queue lock */
>
>   	struct rbd_image_header	header;
> -	atomic_t		exists;
> +	unsigned long		flags;
>   	struct rbd_spec		*spec;
>
>   	char			*header_name;
> @@ -291,6 +291,12 @@ struct rbd_device {
>   	unsigned long		open_count;
>   };
>
> +/* Flag bits for rbd_dev->flags */
> +
> +enum rbd_dev_flags {
> +	rbd_dev_flag_exists,	/* mapped snapshot has not been deleted */
> +};
> +
>   static DEFINE_MUTEX(ctl_mutex);	  /* Serialize open/close/setup/teardown */
>
>   static LIST_HEAD(rbd_dev_list);    /* devices */
> @@ -790,7 +796,8 @@ static int rbd_dev_set_mapping(struct rbd_device
> *rbd_dev)
>   			goto done;
>   		rbd_dev->mapping.read_only = true;
>   	}
> -	atomic_set(&rbd_dev->exists, 1);
> +	set_bit(rbd_dev_flag_exists, &rbd_dev->flags);
> +
>   done:
>   	return ret;
>   }
> @@ -1886,9 +1893,14 @@ static void rbd_request_fn(struct request_queue *q)
>   			rbd_assert(rbd_dev->spec->snap_id == CEPH_NOSNAP);
>   		}
>
> -		/* Quit early if the snapshot has disappeared */
> -
> -		if (!atomic_read(&rbd_dev->exists)) {
> +		/*
> +		 * Quit early if the mapped snapshot no longer
> +		 * exists.  It's still possible the snapshot will
> +		 * have disappeared by the time our request arrives
> +		 * at the osd, but there's no sense in sending it if
> +		 * we already know.
> +		 */
> +		if (!test_bit(rbd_dev_flag_exists, &rbd_dev->flags)) {
>   			dout("request for non-existent snapshot");
>   			rbd_assert(rbd_dev->spec->snap_id != CEPH_NOSNAP);
>   			result = -ENXIO;
> @@ -2578,7 +2590,7 @@ struct rbd_device *rbd_dev_create(struct
> rbd_client *rbdc,
>   		return NULL;
>
>   	spin_lock_init(&rbd_dev->lock);
> -	atomic_set(&rbd_dev->exists, 0);
> +	rbd_dev->flags = 0;
>   	INIT_LIST_HEAD(&rbd_dev->node);
>   	INIT_LIST_HEAD(&rbd_dev->snaps);
>   	init_rwsem(&rbd_dev->header_rwsem);
> @@ -3207,10 +3219,17 @@ static int rbd_dev_snaps_update(struct
> rbd_device *rbd_dev)
>   		if (snap_id == CEPH_NOSNAP || (snap && snap->id > snap_id)) {
>   			struct list_head *next = links->next;
>
> -			/* Existing snapshot not in the new snap context */
> -
> +			/*
> +			 * A previously-existing snapshot is not in
> +			 * the new snap context.
> +			 *
> +			 * If the now missing snapshot is the one the
> +			 * image is mapped to, clear its exists flag
> +			 * so we can avoid sending any more requests
> +			 * to it.
> +			 */
>   			if (rbd_dev->spec->snap_id == snap->id)
> -				atomic_set(&rbd_dev->exists, 0);
> +				clear_bit(rbd_dev_flag_exists, &rbd_dev->flags);
>   			rbd_remove_snap_dev(snap);
>   			dout("%ssnap id %llu has been removed\n",
>   				rbd_dev->spec->snap_id == snap->id ?
>