From: Al Viro <viro@ZenIV.linux.org.uk>
To: Andrey Ryabinin <a.ryabinin@samsung.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: [git pull] vfs part 2
Date: Thu, 2 Jul 2015 04:20:42 +0100 [thread overview]
Message-ID: <20150702032042.GA32613@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20150701184408.GF17109@ZenIV.linux.org.uk>
On Wed, Jul 01, 2015 at 07:44:08PM +0100, Al Viro wrote:
> Mismatched reply could also be a possibility, but only if we end up with
> sending more than one request with the same tag without waiting for response
> for the first one.
... and I think I see what's going on. Tags are 16bit. Suppose the
server stalls for some reason *and* we keep piling the requests up.
New tags keep being grabbed by this:
tag = P9_NOTAG;
if (type != P9_TVERSION) {
tag = p9_idpool_get(c->tagpool);
if (tag < 0)
return ERR_PTR(-ENOMEM);
}
tag is int here. Then we pass tag to
req = p9_tag_alloc(c, tag, req_size);
and that's what sets req->tc->tag. OK, but... The argument of p9_tag_alloc()
in u16, so after 2^16 pending requests we'll wrap around. p9_idpool_get()
will happily return values greater than 65535 - it's using idr and it's
used (with different pools) for 16bit tags and 32bit FIDs.
Now, p9_tag_alloc(c, 65539, max_size) will return the same req we'd got from
p9_tag_alloc(c, 3, max_size). And we are fucked - as far as the server is
concerned, we'd just sent another request with tag 3. And on the client
there are two threads waiting for responses on the same p9_req_t. Both
happen to be TWRITE. Response to the first request arrives and we happen
to let the second thread go at it first. Voila - the first request had
been for page-sized write() and got successfully handled. The _second_ one
had been short and is very surprised to see confirmation of 4Kb worth of
data having been written.
It should be easy to confirm - in p9_client_prepare_req() add
if (WARN_ON_ONCE(tag != (u16)tag)) {
p9_idpool_put(tag, c->tagpool);
return ERR_PTR(-ENOMEM);
}
right after
tag = p9_idpool_get(c->tagpool);
if (tag < 0)
return ERR_PTR(-ENOMEM);
and see if it triggers. I'm not sure if failing with ENOMEM is the
right response (another variant is to sleep there until the pile
gets cleaned or until we get killed), and WARN_ON_ONCE() is definitely
not for the real work, but it will do for confirming that this is what
we are hitting.
next prev parent reply other threads:[~2015-07-02 3:20 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-15 18:14 [git pull] vfs part 2 Al Viro
2015-04-23 10:16 ` Andrey Ryabinin
2015-05-25 8:30 ` Andrey Ryabinin
2015-06-21 21:12 ` Al Viro
2015-06-21 21:16 ` Linus Torvalds
2015-06-21 21:35 ` Al Viro
2015-06-22 12:02 ` Andrey Ryabinin
2015-07-01 6:27 ` Al Viro
2015-07-01 7:50 ` Andrey Ryabinin
2015-07-01 8:27 ` Al Viro
2015-07-01 8:41 ` Andrey Ryabinin
2015-07-01 8:55 ` Al Viro
2015-07-01 11:25 ` Andrey Ryabinin
2015-07-01 18:44 ` Al Viro
2015-07-02 3:20 ` Al Viro [this message]
2015-07-02 4:10 ` running out of tags in 9P (was Re: [git pull] vfs part 2) Al Viro
2015-07-02 7:50 ` Andrey Ryabinin
2015-07-02 7:59 ` Al Viro
2015-07-02 8:19 ` Andrey Ryabinin
2015-07-02 8:25 ` Al Viro
2015-07-02 8:42 ` Al Viro
2015-07-02 12:19 ` Andrey Ryabinin
2015-07-02 16:43 ` Al Viro
2015-07-02 16:49 ` Al Viro
2015-07-03 8:19 ` Andrey Ryabinin
2015-07-03 9:42 ` Al Viro
2015-07-03 15:00 ` [PATCH] forgetting to cancel request in interrupted zero-copy 9P RPC " Al Viro
2015-07-03 19:56 ` Andrey Ryabinin
2015-07-02 20:26 ` running out of tags in 9P " Andrey Ryabinin
[not found] ` <5594E5EB.4030808@samsung.com>
2015-07-02 7:50 ` Al Viro
2015-07-02 12:00 ` [git pull] vfs part 2 Jeff Layton
2015-07-02 12:07 ` Jeff Layton
2015-07-02 16:45 ` Al Viro
2015-07-02 17:01 ` Jeff Layton
2015-07-02 17:56 ` Dominique Martinet
2015-07-02 18:43 ` Al Viro
2015-07-02 21:00 ` Dominique Martinet
2015-07-02 18:59 ` Jeff Layton
2015-07-02 20:36 ` Andrey Ryabinin
2015-07-02 18:40 ` Al Viro
2015-07-02 19:16 ` Linus Torvalds
2015-07-02 20:44 ` Al Viro
-- strict thread matches above, loose matches on Subject: below --
2012-03-31 5:19 Al Viro
2012-03-31 18:28 ` Linus Torvalds
2012-03-31 18:31 ` Linus Torvalds
2012-03-31 18:57 ` Al Viro
2012-03-31 19:29 ` Linus Torvalds
2012-03-31 19:39 ` Al Viro
2012-03-31 19:42 ` Al Viro
2012-03-31 19:48 ` Linus Torvalds
2012-03-31 20:08 ` Al Viro
2012-03-31 21:37 ` Linus Torvalds
2010-03-05 16:29 Al Viro
2010-03-05 19:53 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150702032042.GA32613@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=a.ryabinin@samsung.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox