| blob | 061c27496ddf0bb4b58b895051cecf25192e5c08 |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
26 /*
27 * NFS Version 4 state recovery code.
28 */
30 #include <nfs/nfs4_clnt.h>
31 #include <nfs/nfs4.h>
32 #include <nfs/rnode4.h>
33 #include <sys/cmn_err.h>
34 #include <sys/cred.h>
35 #include <sys/systm.h>
36 #include <sys/flock.h>
37 #include <sys/dnlc.h>
38 #include <sys/ddi.h>
39 #include <sys/disp.h>
40 #include <sys/list.h>
41 #include <sys/sdt.h>
42 #include <sys/mount.h>
43 #include <sys/door.h>
44 #include <nfs/nfssys.h>
45 #include <nfs/nfsid_map.h>
46 #include <nfs/nfs4_idmap_impl.h>
50 /*
51 * Information that describes what needs to be done for recovery. It is
52 * passed to a client recovery thread as well as passed to various recovery
53 * routines. rc_mi, rc_vp1, and rc_vp2 refer to the filesystem and
54 * vnode(s) affected by recovery. rc_vp1 and rc_vp2 are references (use
55 * VN_HOLD) or NULL. rc_lost_rqst contains information about the lost
56 * lock or open/close request, and it holds reference counts for the
57 * various objects (vnode, etc.). The recovery thread also uses flags set
58 * in the mntinfo4_t or vnode_t to tell it what to do. rc_error is used
59 * to save the error that originally triggered the recovery event -- will
60 * later be used to set mi_error if recovery doesn't work. rc_bseqid_rqst
61 * contains information about the request that got NFS4ERR_BAD_SEQID, and
62 * it holds reference count for the various objects (vnode, open owner,
63 * open stream, lock owner).
64 */
70 nfs4_recov_t rc_action;
71 stateid4 rc_stateid;
81 /*
82 * How long to wait before trying again if there is an error doing
83 * recovery, in seconds.
84 */
88 /*
89 * How long to wait when processing NFS4ERR_GRACE or NFS4ERR_DELAY
90 * errors. Expressed in seconds. Default is defined as
91 * NFS4ERR_DELAY_TIME and this variable is initialized in nfs4_subr_init()
92 */
95 /*
96 * Tuneable to limit how many time "exempt" ops go OTW
97 * after a recovery error. Exempt op hints are OH_CLOSE,
98 * OH_LOCKU, OH_DELEGRETURN. These previously always went
99 * OTW even after rnode was "dead" due to recovery errors.
100 *
101 * The tuneable below limits the number of times a start_fop
102 * invocation will retry the exempt hints. After the limit
103 * is reached, nfs4_start_fop will return an error just like
104 * it would for non-exempt op hints.
105 */
108 /*
109 * Number of seconds the recovery thread should pause before retry when the
110 * filesystem has been forcibly unmounted.
111 */
115 #ifdef DEBUG
117 /*
118 * How long to wait (in seconds) between recovery operations on a given
119 * file. Normally zero, but could be set longer for testing purposes.
120 */
123 /*
124 * Switch that controls whether to go into the debugger when recovery
125 * fails.
126 */
129 /*
130 * Tuneables to debug client namespace interaction with server
131 * mount points:
132 *
133 * nfs4_srvmnt_fail_cnt:
134 * number of times EACCES returned because client
135 * attempted to cross server mountpoint
136 *
137 * nfs4_srvmnt_debug:
138 * trigger console printf whenever client attempts
139 * to cross server mountpoint
140 */
143 #endif
147 /* forward references, in alphabetic order */
149 nfs4_error_t *);
178 nfs4_server_t *);
183 vnode_t *);
186 /*
187 * Return non-zero if the given errno, status, and rpc status codes
188 * in the nfs4_error_t indicate that client recovery is needed.
189 * "stateful" indicates whether the call that got the error establishes or
190 * removes state on the server (open, close, lock, unlock, delegreturn).
191 */
193 int
195 {
199 /*
200 * Try failover if the error values justify it and if
201 * it's a failover mount. Don't try if the mount is in
202 * progress, failures are handled explicitly by nfs4rootvp.
203 */
211 }
214 /*
215 * The server may have gotten the request, so for stateful
216 * ops we need to resynchronize and possibly back out the
217 * op.
218 */
220 }
224 /* stat values are listed alphabetically */
225 /*
226 * There are two lists here: the errors for which we have code, and
227 * the errors for which we plan to have code before FCS. For the
228 * second list, print a warning message but don't attempt recovery.
229 */
246 #ifdef DEBUG
253 #endif
254 }
257 }
259 /*
260 * Some operations such as DELEGRETURN want to avoid invoking
261 * recovery actions that will only mark the file dead. If
262 * better handlers are invoked for any of these errors, this
263 * routine should be modified.
264 */
265 int
267 {
274 }
276 /*
277 * Transfer the state recovery information in recovp to mi's resend queue,
278 * and mark mi as having a lost state request.
279 */
280 static void
282 {
298 else
305 }
307 /*
308 * Transfer the bad seqid recovery information in recovp to mi's
309 * bad seqid queue, and mark mi as having a bad seqid request.
310 */
311 void
313 {
323 }
325 /*
326 * Initiate recovery.
327 *
328 * The nfs4_error_t contains the return codes that triggered a recovery
329 * attempt. mi, vp1, and vp2 refer to the filesystem and files that were
330 * being operated on. vp1 and vp2 may be NULL.
331 *
332 * Multiple calls are okay. If recovery is already underway, the call
333 * updates the information about what state needs recovery but does not
334 * start a new thread. The caller should hold mi->mi_recovlock as a reader
335 * for proper synchronization with any recovery thread.
336 *
337 * This will return TRUE if recovery was aborted, and FALSE otherwise.
338 */
339 bool_t
343 {
351 /*
352 * If there is lost state, we need to kick off recovery even if the
353 * filesystem has been unmounted or the zone is shutting down.
354 */
359 /* failed due to forced unmount, no new lost state */
361 }
364 /* some other failure, no existing lost state */
366 }
372 }
373 }
387 }
389 /*
390 * Internal version of nfs4_start_recovery. The difference is that the
391 * caller specifies the recovery action, rather than the errors leading to
392 * recovery.
393 */
394 static void
397 {
410 }
412 static void
416 {
421 /*
422 * Bump the reference on the vfs so that we can pass it to the
423 * recovery thread.
424 */
427 again:
443 /*
444 * If the filesystem has been unmounted, punt.
445 */
449 /*
450 * If nobody else is working on the clientid, mark the
451 * clientid as being no longer set. Then mark the specific
452 * filesystem being worked on.
453 */
458 }
506 /*
507 * Recover the filehandle now, rather than using a
508 * separate thread. We can do this because filehandle
509 * recovery is independent of any other state, and because
510 * we know that we are not competing with the recovery
511 * thread at this time. recov_filehandle will deal with
512 * threads that are competing to recover this filehandle.
513 */
523 /*
524 * NFS4ERR_STALE handling
525 * recov_stale() could set MI4R_NEED_NEW_SERVER to
526 * indicate that we can and should failover.
527 */
539 }
548 }
581 }
583 /*
584 * If either file recently went through the same recovery, wait
585 * awhile. This is in case there is some sort of bug; we might not
586 * be able to recover properly, but at least we won't bombard the
587 * server with calls, and we won't tie up the client.
588 */
594 /*
595 * If there's already a recovery thread, don't start another one.
596 */
602 }
613 }
618 }
623 minclsyspri);
626 /* not reached by thread creating call */
627 out_no_thread:
636 /*
637 * Free up resources that were allocated for us.
638 */
640 }
642 static int
645 {
657 /*
658 * If there was a recovery error, then allow op hints "exempt" from
659 * recov errors to retry (currently 3 times). Either r_error or
660 * EIO is returned for non-exempt op hints.
661 */
664 nfs4_max_recov_error_retry) {
666 /*
667 * Check to make sure that we haven't already inc'd
668 * rs_num_retry_despite_err for current nfs4_start_fop
669 * instance. We don't want to double inc (if we were
670 * called with vp2, then the vp1 call could have
671 * already incremented.
672 */
681 /*
682 * An ESTALE error on a non-regular file is not
683 * "sticky". Return the ESTALE error once, but
684 * clear the condition to allow future operations
685 * to go OTW. This will allow the client to
686 * recover if the server has merely unshared then
687 * re-shared the file system. For regular files,
688 * the unshare has destroyed the open state at the
689 * server and we aren't willing to do a reopen (yet).
690 */
696 }
701 }
702 }
706 }
708 /*
709 * Initial setup code that every operation should call if it might invoke
710 * client recovery. Can block waiting for recovery to finish on a
711 * filesystem. Either vnode ptr can be NULL.
712 *
713 * Returns 0 if there are no outstanding errors. Can return an
714 * errno value under various circumstances (e.g., failed recovery, or
715 * interrupted while waiting for recovery to finish).
716 *
717 * There must be a corresponding call to nfs4_end_op() to free up any locks
718 * or resources allocated by this call (assuming this call succeeded),
719 * using the same rsp that's passed in here.
720 *
721 * The open and lock seqid synchronization must be stopped before calling this
722 * function, as it could lead to deadlock when trying to reopen a file or
723 * reclaim a lock. The synchronization is obtained with calls to:
724 * nfs4_start_open_seqid_sync()
725 * nfs4_start_lock_seqid_sync()
726 *
727 * *startrecovp is set TRUE if the caller should not bother with the
728 * over-the-wire call, and just initiate recovery for the given request.
729 * This is typically used for state-releasing ops if the filesystem has
730 * been forcibly unmounted. startrecovp may be NULL for
731 * non-state-releasing ops.
732 */
734 int
737 {
742 uint_t droplock_cnt;
743 #ifdef DEBUG
745 #endif
750 #ifdef DEBUG
753 fop_caller);
754 }
756 #endif
762 /*
763 * Process the items that may delay() based on server response
764 */
773 }
775 /* Wait for a delegation recall to complete. */
781 /*
782 * Wait for any current recovery actions to finish. Note that a
783 * recovery thread can still start up after wait_for_recovery()
784 * finishes. We don't block out recovery operations until we
785 * acquire s_recovlock and mi_recovlock.
786 */
791 /*
792 * Check to see if the rnode is already marked with a
793 * recovery error. If so, return it immediately. But
794 * always pass CLOSE, LOCKU, and DELEGRETURN so we can
795 * clean up state on the server.
796 */
802 }
808 }
810 /*
811 * The lock order calls for us to acquire s_recovlock before
812 * mi_recovlock, but we have to hold mi_recovlock to look up sp (to
813 * prevent races with the failover/migration code). So acquire
814 * mi_recovlock, look up sp, drop mi_recovlock, acquire
815 * s_recovlock and mi_recovlock, then verify that sp is still the
816 * right object. XXX Can we find a simpler way to deal with this?
817 */
822 }
823 get_sp:
829 }
837 }
838 }
845 }
846 /*
847 * If the mntinfo4_t hasn't changed nfs4_sever_ts then
848 * there's no point in double checking to make sure it
849 * has switched.
850 */
854 /* try again */
859 }
867 }
874 }
875 }
876 }
880 }
882 /*
883 * If the fileystem uses volatile filehandles, obtain a lock so
884 * that we synchronize with renames. Exception: mount operations
885 * can change mi_fh_expire_type, which could be a problem, since
886 * the end_op code needs to be consistent with the start_op code
887 * about mi_rename_lock. Since mounts don't compete with renames,
888 * it's simpler to just not acquire the rename lock for mounts.
889 */
899 }
901 }
904 /*
905 * For forced unmount, letting the request proceed will
906 * almost always delay response to the user, so hand it off
907 * to the recovery thread. For exiting lwp's, we don't
908 * have a good way to tell if the request will hang. We
909 * generally want processes to handle their own requests so
910 * that they can be done in parallel, but if there is
911 * already a recovery thread, hand the request off to it.
912 * This will improve user response at no cost to overall
913 * system throughput. For zone shutdown, we'd prefer
914 * the recovery thread to handle this as well.
915 */
923 else
933 out:
941 }
944 #ifdef DEBUG
946 #endif
948 }
950 /*
951 * It is up to the caller to determine if rsp->rs_sp being NULL
952 * is detrimental or not.
953 */
954 int
957 {
961 }
963 /*
964 * Release any resources acquired by nfs4_start_op().
965 * 'sp' should be the nfs4_server pointer returned by nfs4_start_op().
966 *
967 * The operation hint is used to avoid a deadlock by bypassing delegation
968 * return logic for writes, which are done while returning a delegation.
969 */
971 void
974 {
979 #ifdef DEBUG
982 #endif
991 /* may need to clear the delay interval */
997 }
998 }
1000 }
1002 /*
1003 * If the corresponding nfs4_start_op() found a sp,
1004 * then there must still be a sp.
1005 */
1016 }
1017 }
1019 void
1022 {
1024 }
1026 /*
1027 * If the filesystem is going through client recovery, block until
1028 * finished.
1029 * Exceptions:
1030 * - state-releasing ops (CLOSE, LOCKU, DELEGRETURN) are allowed to proceed
1031 * if the filesystem has been forcibly unmounted or the lwp is exiting.
1032 *
1033 * Return value:
1034 * - 0 if no errors
1035 * - EINTR if the call was interrupted
1036 * - EIO if the filesystem has been forcibly unmounted (non-state-releasing
1037 * op)
1038 * - the errno value from the recovery thread, if recovery failed
1039 */
1041 static int
1043 {
1060 /* XXX - use different cv? */
1066 }
1069 }
1080 }
1085 }
1087 /*
1088 * If the client received NFS4ERR_GRACE for this particular mount,
1089 * the client blocks here until it is time to try again.
1090 *
1091 * Return value:
1092 * - 0 if wait was successful
1093 * - EINTR if the call was interrupted
1094 */
1096 int
1098 {
1102 /* do a unprotected check to reduce mi_lock contention */
1128 }
1129 }
1131 }
1134 }
1136 /*
1137 * If the client received NFS4ERR_DELAY for an operation on a vnode,
1138 * the client blocks here until it is time to try again.
1139 *
1140 * Return value:
1141 * - 0 if wait was successful
1142 * - EINTR if the call was interrupted
1143 */
1145 int
1147 {
1156 /* do a unprotected check to reduce r_statelock contention */
1165 }
1185 }
1186 }
1188 }
1191 }
1193 /*
1194 * The recovery thread.
1195 */
1197 static void
1199 {
1204 callb_cpr_t cpr_info;
1205 kmutex_t cpr_lock;
1218 /*
1219 * We don't really need protection here against failover or
1220 * migration, since the current thread is the one that would make
1221 * any changes, but hold mi_recovlock anyway for completeness (and
1222 * to satisfy any ASSERTs).
1223 */
1230 /*
1231 * Do any necessary recovery, based on the information in recovp
1232 * and any recovery flags.
1233 */
1238 bool_t activesrv;
1242 "nfs4_recov_thread: file system has been "
1248 /*
1249 * If the server has lost its state for us and
1250 * the filesystem is unmounted, then the filesystem
1251 * can be tossed, even if there are lost lock or
1252 * lost state calls in the recovery queue.
1253 */
1261 }
1262 /*
1263 * We don't know if the server has any state for
1264 * us, and the filesystem has been unmounted. If
1265 * there are "lost state" recovery items, keep
1266 * trying to process them until there are no more
1267 * mounted filesystems for the server. Otherwise,
1268 * bail out. The reason we don't mark the
1269 * filesystem as failing recovery is in case we
1270 * have to do "lost state" recovery later (e.g., a
1271 * user process exits).
1272 */
1277 }
1285 }
1296 /*
1297 * Mark the server instance as
1298 * dead, so that nobody will attach
1299 * a new filesystem.
1300 */
1302 }
1303 }
1308 }
1310 /*
1311 * Check if we need to select a new server for a
1312 * failover. Choosing a new server will force at
1313 * least a check of the clientid.
1314 */
1323 /*
1324 * Check if we need to recover the clientid. This
1325 * must be done before file and lock recovery, and it
1326 * potentially affects the recovery threads for other
1327 * filesystems, so it gets special treatment.
1328 */
1335 /*
1336 * Unset this flag in case another recovery
1337 * thread successfully recovered the clientid
1338 * for us already.
1339 */
1344 }
1345 }
1347 /*
1348 * Check if we need to get the security information.
1349 */
1358 /*
1359 * If error, nothing more can be done, stop
1360 * the recovery.
1361 */
1370 }
1375 /*
1376 * Check if there's a bad seqid to recover.
1377 */
1389 /*
1390 * Next check for recovery that affects the entire
1391 * filesystem.
1392 */
1401 }
1403 /*
1404 * Send any queued state recovery requests.
1405 */
1415 /* done */
1419 }
1423 }
1425 /*
1426 * See if there is anything more to do. If not, announce
1427 * that we are done and exit.
1428 *
1429 * Need mi_recovlock to keep 'sp' valid. Must grab
1430 * mi_recovlock before mi_lock to preserve lock ordering.
1431 */
1436 list_t local_lost_state;
1439 /*
1440 * We need to remove the lost requests before we
1441 * unmark the mi as no longer doing recovery to
1442 * avoid a race with a new thread putting new lost
1443 * requests on the same mi (and the going away
1444 * thread would remove the new lost requests).
1445 *
1446 * Move the lost requests to a local list since
1447 * nfs4_remove_lost_rqst() drops mi_lock, and
1448 * dropping the mi_lock would make our check to
1449 * see if recovery is done no longer valid.
1450 */
1458 /*
1459 * Now officially free the "moved"
1460 * lost requests.
1461 */
1465 }
1471 /*
1472 * If the filesystem has been forcibly unmounted, there is
1473 * probably no point in retrying immediately. Furthermore,
1474 * there might be user processes waiting for a chance to
1475 * queue up "lost state" requests, so that they can exit.
1476 * So pause here for a moment. Same logic for zone shutdown.
1477 */
1483 }
1490 /*
1491 * Return all recalled delegations
1492 */
1499 /*
1500 * Free up resources that were allocated for us.
1501 */
1507 /* now we are done using the mi struct, signal the waiters */
1521 }
1523 /*
1524 * Log the end of recovery and notify any waiting threads.
1525 */
1527 static void
1529 {
1539 }
1541 /*
1542 * State-specific recovery routines, by state.
1543 */
1545 /*
1546 * Failover.
1547 *
1548 * Replaces *spp with a reference to the new server, which must
1549 * eventually be freed.
1550 */
1552 static void
1554 {
1565 nfs_fh4 fh;
1575 /*
1576 * Ping the null NFS procedure of every server in
1577 * the list until one responds. We always start
1578 * at the head of the list and always skip the one
1579 * that is current, since it's caused us a problem.
1580 */
1593 }
1600 }
1625 }
1626 }
1634 }
1636 }
1637 }
1643 }
1645 #if DEBUG
1649 #endif
1658 /*
1659 * Update server-dependent fields in the root vnode.
1660 */
1707 }
1709 /*
1710 * Clientid.
1711 */
1713 static void
1715 {
1723 /*
1724 * Acquire the recovery lock and then verify that the clientid
1725 * still needs to be recovered. (Note that s_recovlock is supposed
1726 * to be acquired before s_lock.) Since the thread holds the
1727 * recovery lock, no other thread will recover the clientid.
1728 */
1736 nfs4_error_t n4e;
1743 /*
1744 * nfs4setclientid may have set MI4R_NEED_NEW_SERVER,
1745 * if so, just return and let recov_thread drive
1746 * failover.
1747 */
1756 }
1764 /* don't destroy the nfs4_server, let umount do it */
1765 }
1766 }
1771 /*
1772 * If still_stale isn't true, then another thread already
1773 * recovered the clientid. And that thread that set the
1774 * clientid will have initiated reopening files on all the
1775 * filesystems for the server, so we should not initiate
1776 * reopening for this filesystem here.
1777 */
1782 }
1784 }
1799 /*
1800 * Initiate recovery of open files for other filesystems.
1801 * We create an array of filesystems, rather than just
1802 * walking the filesystem list, to avoid deadlock issues
1803 * with s_lock and mi_recovlock.
1804 */
1814 }
1815 }
1819 }
1820 }
1822 /*
1823 * Return an array of filesystems associated with the given server. The
1824 * caller should call free_milist() to free the references and memory.
1825 */
1829 {
1837 nummi++;
1845 }
1850 }
1852 /*
1853 * Free the filesystem list created by make_milist().
1854 */
1856 static void
1858 {
1865 }
1867 }
1869 /*
1870 * Filehandle
1871 */
1873 /*
1874 * Lookup the filehandle for the given vnode and update the rnode if it has
1875 * changed.
1876 *
1877 * Errors:
1878 * - if the filehandle could not be updated because of an error that
1879 * requires further recovery, initiate that recovery and return.
1880 * - if the filehandle could not be updated because of a signal, pretend we
1881 * succeeded and let someone else deal with it.
1882 * - if the filehandle could not be updated and the filesystem has been
1883 * forcibly unmounted, pretend we succeeded, and let the caller deal with
1884 * the forced unmount (to retry or not to retry, that is the question).
1885 * - if the filehandle could not be updated because of some other error,
1886 * mark the rnode bad and return.
1887 */
1888 static void
1890 {
1893 bool_t needrecov;
1900 }
1902 /*
1903 * If someone else is updating the filehandle, wait for them to
1904 * finish and then let our caller retry.
1905 */
1909 }
1912 }
1917 /* shouldn't happen */
1920 }
1925 /*
1926 * If we get BADHANDLE, FHEXPIRED or STALE in their handler,
1927 * something is broken. Don't try to recover, just mark the
1928 * file dead.
1929 */
1940 }
1941 }
1949 /*
1950 * Don't set r_error to ESTALE. Higher-level code (e.g.,
1951 * cstatat_getvp()) retries on ESTALE, which would cause
1952 * an infinite loop.
1953 */
1954 }
1955 norec:
1960 }
1962 /*
1963 * Stale Filehandle
1964 */
1966 /*
1967 * A stale filehandle can happen when an individual file has
1968 * been removed, or when an entire filesystem has been taken
1969 * offline. To distinguish these cases, we do this:
1970 * - if a GETATTR with the current filehandle is okay, we do
1971 * nothing (this can happen with two-filehandle ops)
1972 * - if the GETATTR fails, but a GETATTR of the root filehandle
1973 * succeeds, mark the rnode with R4STALE, which will stop use
1974 * - if the GETATTR fails, and a GETATTR of the root filehandle
1975 * also fails, we consider the problem filesystem-wide, so:
1976 * - if we can failover, we should
1977 * - if we can't failover, we should mark both the original
1978 * vnode and the root bad
1979 */
1980 static void
1982 {
1986 nfs4_ga_res_t gar;
1988 bool_t needrecov;
1998 }
2006 }
2010 /* Try a GETATTR on this vnode */
2013 /*
2014 * Handle non-STALE recoverable errors
2015 */
2025 }
2026 }
2030 }
2031 norec:
2032 /* Are things OK for this vnode? */
2038 }
2040 /* Did we get an unrelated non-recoverable error? */
2047 }
2049 /*
2050 * If we don't appear to be dealing with the root node, find it.
2051 */
2061 }
2062 }
2064 /* Try a GETATTR on the root vnode */
2078 }
2079 }
2082 }
2083 unrec:
2084 /*
2085 * Check to see if a failover attempt is warranted
2086 * NB: nfs4_try_failover doesn't check for STALE
2087 * because recov_stale gets a shot first. Now that
2088 * recov_stale has failed, go ahead and try failover.
2089 *
2090 * If the getattr on the root filehandle was successful,
2091 * then mark recovery as failed for 'vp' and exit.
2092 */
2094 /*
2095 * pass the original error to fail_recov, not
2096 * the one from trying the root vnode.
2097 */
2100 "recov_stale: root node OK, marking "
2103 }
2104 }
2106 /*
2107 * Here, we know that both the original file and the
2108 * root filehandle (which may be the same) are stale.
2109 * We want to fail over if we can, and if we can't, we
2110 * want to mark everything in sight bad.
2111 */
2123 /*
2124 * Can't fail over, so mark things dead.
2125 *
2126 * If rootvp is set, we know we have a distinct
2127 * non-root vnode which can be marked dead in
2128 * the usual way.
2129 *
2130 * Then we want to mark the root vnode dead.
2131 * Note that if rootvp wasn't set, our vp is
2132 * actually the root vnode.
2133 */
2142 }
2144 /*
2145 * Mark root dead, but quietly - since
2146 * the root rnode is frequently recreated,
2147 * we can encounter this at every access.
2148 * Also mark recovery as failed on this VFS.
2149 */
2166 }
2168 out:
2171 }
2173 /*
2174 * Locks.
2175 */
2177 /*
2178 * Reclaim all the active (acquired) locks for the given file.
2179 * If a process lost a lock, the process is sent a SIGLOST. This is not
2180 * considered an error.
2181 *
2182 * Return values:
2183 * Errors and status are returned via the nfs4_error_t parameter
2184 * If an error indicates that recovery is needed, the caller is responsible
2185 * for dealing with it.
2186 */
2188 static void
2190 fattr4_change pre_change)
2191 {
2203 /*
2204 * If we get an error that requires recovery actions, just bail out
2205 * and let the top-level recovery code handle it.
2206 *
2207 * If we get some other error, kill the process that owned the lock
2208 * and mark its remaining locks (if any) as belonging to NOPID, so
2209 * that we don't make any more reclaim requests for that process.
2210 */
2221 /*
2222 * If we need to restart recovery, stop processing the
2223 * list. Some errors would be recoverable under other
2224 * circumstances, but if they happen here we just give up
2225 * on the lock.
2226 */
2232 }
2233 /*
2234 * In case the server isn't offering us a grace period, or
2235 * if we missed it, we might have opened & locked from scratch,
2236 * rather than reopened/reclaimed.
2237 * We need to ensure that the object hadn't been otherwise
2238 * changed during this time, by comparing the changeinfo.
2239 * We get passed the changeinfo from before the reopen by our
2240 * caller, in pre_change.
2241 * The changeinfo from after the reopen is in rp->r_change,
2242 * courtesy of the GETATTR in the reopen.
2243 * If they're different, then the file has changed, and we
2244 * have to SIGLOST the app.
2245 */
2251 }
2258 else
2267 /* Reinitialize the nfs4_error and continue */
2269 }
2270 }
2274 }
2276 /*
2277 * Reclaim the given lock.
2278 *
2279 * Errors are returned via the nfs4_error_t parameter.
2280 */
2281 static void
2284 {
2292 }
2300 }
2311 }
2313 /*
2314 * Open files.
2315 */
2317 /*
2318 * Verifies if the nfsstat4 is a valid error for marking this vnode dead.
2319 * Returns 1 if the error is valid; 0 otherwise.
2320 */
2321 static int
2323 {
2324 /*
2325 * We should not be marking non-regular files as dead,
2326 * except in very rare cases (eg: BADHANDLE or NFS4ERR_BADNAME).
2327 */
2333 }
2335 /*
2336 * Failed attempting to recover a filehandle. If 'stat' is valid for 'vp',
2337 * then mark the object dead. Since we've had to do a lookup for
2338 * filehandle recovery, we will mark the object dead if we got NOENT.
2339 */
2340 static void
2342 {
2350 }
2352 /*
2353 * Recovery from a "shouldn't happen" error. In the long term, we'd like
2354 * to mark only the data structure(s) that provided the bad value as being
2355 * bad. But for now we'll just mark the entire file.
2356 */
2358 static void
2360 {
2368 }
2370 /*
2371 * Free up the information saved for a lost state request.
2372 */
2373 static void
2375 {
2389 }
2400 /* clean up the open file state. */
2403 }
2407 }
2413 }
2417 }
2421 }
2425 }
2429 }
2433 }
2437 }
2440 }
2442 /*
2443 * Remove any lost state requests and free them.
2444 */
2445 static void
2447 {
2456 }
2458 }
2460 /*
2461 * Reopen all the files for the given filesystem and reclaim any locks.
2462 */
2464 static void
2466 {
2470 open_claim_type4 claim;
2474 fattr4_change pre_change;
2478 /*
2479 * This check is to allow a 10ms pause before we reopen files
2480 * it should allow the server time to have received the CB_NULL
2481 * reply and update its internal structures such that (if
2482 * applicable) we are granted a delegation on reopened files.
2483 */
2489 }
2500 }
2501 }
2506 else
2511 /*
2512 * Get a snapshot of open files in the filesystem. Note
2513 * that new opens will stall until the server's grace
2514 * period is done.
2515 */
2521 /*
2522 * Since we are re-establishing state on the
2523 * server, its ok to blow away the saved lost
2524 * requests since we don't need to reissue it.
2525 */
2533 }
2537 /*
2538 * The current server does not have the file
2539 * that is to be remapped. This is most
2540 * likely due to an improperly maintained
2541 * replica. The files that are missing from
2542 * the server will be marked dead and logged
2543 * in order to make sys admins aware of the
2544 * problem.
2545 */
2548 /*
2549 * We've already handled the error so clear it.
2550 */
2566 }
2573 }
2574 }
2575 #ifdef DEBUG
2578 #endif
2586 }
2590 }
2592 /*
2593 * Check to see if we need to remap files passed in
2594 * via the recovery arguments; this will have been
2595 * done for open files. A failure here is not fatal.
2596 */
2598 nfs4_error_t ignore;
2603 }
2604 }
2610 }
2617 }
2619 /*
2620 * Resend the queued state recovery requests in "rqsts".
2621 */
2623 static void
2625 {
2628 nfs4_error_t n4e;
2629 #ifdef NOTYET
2631 #endif
2645 "nfs4_resend_lost_rqsts: resend request: for vp %p got "
2649 /*
2650 * If we get a recovery error that we can actually
2651 * recover from (such as ETIMEDOUT, FHEXPIRED), we
2652 * return and let the recovery thread redrive the call.
2653 * Don't requeue unless the zone is still healthy.
2654 */
2661 /*
2662 * For these three errors, we want to delay a bit
2663 * instead of pounding the server into submission.
2664 * We have to do this manually; the normal
2665 * processing for these errors only works for
2666 * non-recovery requests.
2667 */
2677 }
2679 }
2687 }
2688 }
2690 /*
2691 * Resend the given op, and issue any necessary undo call.
2692 * errors are returned via the nfs4_error_t parameter.
2693 */
2695 static void
2698 {
2745 #ifdef DEBUG
2748 #endif
2754 }
2756 /*
2757 * No need to retry nor send an "undo" CLOSE in the
2758 * event the server rebooted.
2759 */
2764 /*
2765 * If we resent a CLOSE or OPEN_DOWNGRADE, there's nothing
2766 * to undo. Undoing locking operations was handled by
2767 * resend_lock().
2768 */
2772 /*
2773 * If we get any other error for OPEN, then don't attempt
2774 * to undo the resend of the open (since it was never
2775 * successful!).
2776 */
2781 /*
2782 * Now let's undo our OPEN.
2783 */
2790 done:
2793 }
2795 /*
2796 * Close a file that was opened via a resent OPEN.
2797 * Most errors are passed back to the caller (via the return value and
2798 * *statp), except for FHEXPIRED, which is retried.
2799 *
2800 * It might be conceptually cleaner to push the CLOSE request onto the
2801 * front of the resend queue, rather than sending it here. That would
2802 * match the way we undo lost lock requests. On the other
2803 * hand, we've already got something that works, and there's no reason to
2804 * change it at this time.
2805 */
2807 static void
2810 {
2819 /* else retry FHEXPIRED */
2820 }
2822 }
2824 /*
2825 * Resend the given lost lock request. Return an errno value. If zero,
2826 * *statp is set to the NFS status code for the call.
2827 *
2828 * Issue a SIGLOST and mark the rnode dead if we get a non-recovery error or
2829 * a recovery error that we don't actually recover from yet (eg: BAD_SEQID).
2830 * Let the recovery thread redrive the call if we get a recovery error that
2831 * we can actually recover from.
2832 */
2833 static void
2835 {
2856 /*
2857 * If we failed with a non-recovery error, send SIGLOST and
2858 * mark the file dead.
2859 */
2863 /*
2864 * Done with recovering LOST LOCK in the event the
2865 * server rebooted or we've lost the lease.
2866 */
2871 }
2873 /*
2874 * BAD_STATEID on an unlock indicates that the server has
2875 * forgotten about the lock anyway, so act like the call
2876 * was successful.
2877 */
2882 /*
2883 * If we got a recovery error that we don't actually
2884 * recover from, send SIGLOST. If the filesystem was
2885 * forcibly unmounted, we skip the SIGLOST because (a) it's
2886 * unnecessary noise, and (b) there could be a new process
2887 * with the same pid as the one that had generated the lost
2888 * state request.
2889 */
2895 }
2897 /*
2898 * If the filesystem was forcibly unmounted, we
2899 * still need to synchronize with the server and
2900 * release state. Try again later.
2901 */
2905 /*
2906 * If we get a recovery error that we can actually
2907 * recover from (such as ETIMEDOUT, FHEXPIRED),
2908 * return and let the recovery thread redrive the call.
2909 *
2910 * For the three errors below, we want to delay a bit
2911 * instead of pounding the server into submission.
2912 */
2918 }
2920 done:
2924 /*
2925 * Must be root or the actual thread being issued the
2926 * SIGLOST for this to work, so just become root.
2927 */
2934 /*
2935 * Flush any additional reinstantiation requests for
2936 * this operation. Sending multiple SIGLOSTs to the user
2937 * process is unlikely to help and may cause trouble.
2938 */
2941 }
2942 }
2944 /*
2945 * Remove any lock reinstantiation requests that correspond to the given
2946 * lost request. We only remove items that follow lrp in the queue,
2947 * assuming that lrp will be removed by the generic lost state code.
2948 */
2950 static void
2952 {
2954 pid_t pid;
2962 /*
2963 * If there are any more reinstantation requests to get rid of,
2964 * they should all be clustered at the front of the lost state
2965 * queue.
2966 */
2981 }
2983 }
2985 /*
2986 * End of state-specific recovery routines.
2987 */
2989 /*
2990 * Allocate a lost request struct, initialize it from lost_rqstp (including
2991 * bumping the reference counts for the referenced vnode, etc.), and hang
2992 * it off of recovp.
2993 */
2995 static void
2998 {
3023 /*
3024 * Consume caller's utf8string
3025 */
3043 #ifdef DEBUG
3046 #endif
3054 }
3080 }
3082 }
3084 /*
3085 * Map the given return values (errno and nfs4 status code) to a recovery
3086 * action and fill in the following fields of recovp: rc_action,
3087 * rc_srv_reboot, rc_stateid, rc_lost_rqst.
3088 */
3090 void
3095 {
3109 /*
3110 * We start recovery for EINTR only in the lost lock
3111 * or lost open/close case.
3112 */
3119 }
3130 #ifdef notyet
3134 #endif
3165 /*
3166 * The client's lease has expired, either due
3167 * to a network partition or perhaps a client
3168 * error. In either case, try an NR_CLIENTID
3169 * style recovery. reboot remains false, since
3170 * there is no evidence the server has rebooted.
3171 * This will cause CLAIM_NULL opens and lock
3172 * requests without the reclaim bit.
3173 */
3188 /*
3189 * If this had been a FAILOVER mount, then
3190 * we'd have tried failover. Since it's not,
3191 * just delay a while and retry.
3192 */
3210 }
3211 }
3213 /* make sure action got set */
3218 NULL);
3219 }
3221 /*
3222 * Return the (held) credential for the process with the given pid.
3223 * May return NULL (e.g., process not found).
3224 */
3228 {
3236 }
3244 }
3246 /*
3247 * Send SIGLOST to the given process and queue the event.
3248 *
3249 * The 'dump' boolean tells us whether this action should dump the
3250 * in-kernel queue of recovery messages or not.
3251 */
3253 void
3256 {
3266 }
3268 /*
3269 * Scan the lock list for entries that match the given pid. Unregister those
3270 * locks that do and change their pid to NOPID.
3271 */
3273 static void
3275 {
3280 /*
3281 * Unregister the lost lock.
3282 */
3286 /* The unlock cannot fail */
3290 }
3291 }
3292 }
3294 /*
3295 * Mark a file as having failed recovery, after making a last-ditch effort
3296 * to return any delegation.
3297 *
3298 * Sets r_error to EIO or ESTALE for the given vnode.
3299 */
3300 void
3302 {
3305 #ifdef DEBUG
3308 #endif
3314 }
3316 /*
3317 * Set R4RECOVERRP to indicate that a recovery error is in
3318 * progress. This will shut down reads and writes at the top
3319 * half. Don't set R4RECOVERR until after we've returned the
3320 * delegation, otherwise it will fail.
3321 */
3338 }
3340 /*
3341 * recov_throttle: if the file had the same recovery action within the
3342 * throttle interval, wait for the throttle interval to finish before
3343 * proceeding.
3344 *
3345 * Side effects: updates the rnode with the current recovery information.
3346 */
3348 static void
3350 {
3368 }
3373 }
3375 /*
3376 * React to NFS4ERR_GRACE by setting the time we'll permit
3377 * the next call to this filesystem.
3378 */
3379 void
3381 {
3383 /* Mark the time for the future */
3386 }
3388 /*
3389 * React to MFS4ERR_DELAY by setting the time we'll permit
3390 * the next call to this vnode.
3391 */
3392 void
3394 {
3398 /*
3399 * Calculate amount we should delay, initial
3400 * delay will be short and then we will back off.
3401 */
3404 else
3405 /* calculate next interval value */
3410 }
3412 /*
3413 * The caller is responsible for freeing the returned string.
3414 */
3417 {
3423 /*
3424 * Calculate the length of the string required to hold all
3425 * of the server names plus either a comma or a null
3426 * character following each individual one.
3427 */
3434 }
3437 }
3447 }
3452 }
3458 }
3460 static void
3462 {
3480 }
3482 static void
3484 {
3492 }
3494 /*
3495 * We don't actually fully recover from NFS4ERR_BAD_SEQID. We
3496 * simply mark the open owner and open stream (if provided) as "bad".
3497 * Then future uses of these data structures will be limited to basically
3498 * just cleaning up the internal client state (no going OTW).
3499 *
3500 * The result of this is to return errors back to the app/usr when
3501 * we receive NFS4ERR_BAD_SEQID, but also allow future/new calls to
3502 * succeed so progress can be made.
3503 */
3504 void
3506 {
3512 pid_t pid;
3523 /*
3524 * Handle all the bad seqid entries on mi's list.
3525 */
3533 "recov_bad_seqid: mark oop %p lop %p as bad for "
3547 /* essentially reset the open owner */
3553 }
3568 }
3576 }
3581 }