| blob | 012a0e3c6c17207f4ce1a32b35897b2937203674 |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or https://opensource.org/licenses/CDDL-1.0.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright (c) 2012, 2015 by Delphix. All rights reserved.
24 * Copyright (c) 2017, Intel Corporation.
25 * Copyright (c) 2024, Klara Inc.
26 */
28 /*
29 * ZFS fault injection
30 *
31 * To handle fault injection, we keep track of a series of zinject_record_t
32 * structures which describe which logical block(s) should be injected with a
33 * fault. These are kept in a global list. Each record corresponds to a given
34 * spa_t and maintains a special hold on the spa_t so that it cannot be deleted
35 * or exported while the injection record exists.
36 *
37 * Device level injection is done using the 'zi_guid' field. If this is set, it
38 * means that the error is destined for a particular device, not a piece of
39 * data.
40 *
41 * This is a rather poor data structure and algorithm, but we don't expect more
42 * than a few faults at any one time, so it should be sufficient for our needs.
43 */
45 #include <sys/arc.h>
46 #include <sys/zio.h>
47 #include <sys/zfs_ioctl.h>
48 #include <sys/vdev_impl.h>
49 #include <sys/dmu_objset.h>
50 #include <sys/dsl_dataset.h>
51 #include <sys/fs/zfs.h>
55 /*
56 * Data describing each zinject handler registered on the system, and
57 * contains the list node linking the handler in the global zinject
58 * handler list.
59 */
64 zinject_record_t zi_record;
67 list_node_t zi_link;
70 /*
71 * List of all zinject handlers registered on the system, protected by
72 * the inject_lock defined below.
73 */
76 /*
77 * This protects insertion into, and traversal of, the inject handler
78 * list defined above; as well as the inject_delay_count. Any time a
79 * handler is inserted or removed from the list, this lock should be
80 * taken as a RW_WRITER; and any time traversal is done over the list
81 * (without modification to it) this lock should be taken as a RW_READER.
82 */
85 /*
86 * This holds the number of zinject delay handlers that have been
87 * registered on the system. It is protected by the inject_lock defined
88 * above. Thus modifications to this count must be a RW_WRITER of the
89 * inject_lock, and reads of this count must be (at least) a RW_READER
90 * of the lock.
91 */
94 /*
95 * This lock is used only in zio_handle_io_delay(), refer to the comment
96 * in that function for more details.
97 */
100 /*
101 * Used to assign unique identifying numbers to each new zinject handler.
102 */
105 /*
106 * Test if the requested frequency was triggered
107 */
108 static boolean_t
110 {
111 /*
112 * zero implies always (100%)
113 */
117 /*
118 * Note: we still handle legacy (unscaled) frequency values
119 */
123 }
125 /*
126 * Returns true if the given record matches the I/O in progress.
127 */
128 static boolean_t
131 {
132 /*
133 * Check for a match against the MOS, which is based on type
134 */
141 else
143 }
145 /*
146 * Check for an exact match.
147 */
157 }
160 }
162 /*
163 * Panic the system when a config change happens in the function
164 * specified by tag.
165 */
166 void
168 {
182 }
185 }
187 /*
188 * Inject a decryption failure. Decryption failures can occur in
189 * both the ARC and the ZIO layers.
190 */
191 int
194 {
211 }
212 }
216 }
218 /*
219 * If this is a physical I/O for a vdev child determine which DVA it is
220 * for. We iterate backwards through the DVAs matching on the offset so
221 * that we end up with ZI_NO_DVA (-1) if we don't find a match.
222 */
223 static int
225 {
236 /* Compensate for vdev label added to leaves */
242 }
243 }
246 }
249 /*
250 * Determine if the I/O in question should return failure. Returns the errno
251 * to be returned to the caller.
252 */
253 int
255 {
259 /*
260 * Ignore I/O not associated with any logical data.
261 */
265 /*
266 * Currently, we only support fault injection on reads.
267 */
271 /*
272 * A rebuild I/O has no checksum to verify.
273 */
285 /* If this handler matches, return the specified error */
291 }
292 }
297 }
299 /*
300 * Determine if the zio is part of a label update and has an injection
301 * handler associated with that portion of the label. Currently, we
302 * allow error injection in either the nvlist or the uberblock region of
303 * of the vdev label.
304 */
305 int
307 {
328 /*
329 * The injection region is the relative offsets within a
330 * vdev label. We must determine the label which is being
331 * updated and adjust our region accordingly.
332 */
341 }
342 }
345 }
347 static int
349 {
356 /* flip a single random bit in an abd data buffer */
360 }
362 static int
364 {
368 /*
369 * We skip over faults in the labels unless it's during device open
370 * (i.e. zio == NULL) or a device flush (offset is meaningless)
371 */
378 }
393 }
395 /* Handle type specific I/O failures */
403 /*
404 * limit error injection if requested
405 */
409 /*
410 * For a failed open, pretend like the device
411 * has gone away.
412 */
415 VDEV_AUX_OPEN_FAILED;
417 /*
418 * Treat these errors as if they had been
419 * retried so that all the appropriate stats
420 * and FMA events are generated.
421 */
426 /*
427 * EILSEQ means flip a bit after a read
428 */
433 /* locate buffer data and flip a bit */
436 zio);
438 }
442 }
446 }
447 }
448 }
453 }
455 int
457 {
459 }
461 int
463 {
465 }
467 /*
468 * Simulate hardware that ignores cache flushes. For requested number
469 * of seconds nix the actual writing to disk.
470 */
471 void
473 {
481 /* Ignore errors not destined for this pool */
486 /*
487 * Positive duration implies # of seconds, negative
488 * a number of txgs
489 */
493 else
495 }
497 /* Have a "problem" writing 60% of the time */
501 }
504 }
506 void
508 {
530 /* duration is negative so the subtraction here adds */
535 }
536 }
539 }
541 hrtime_t
543 {
550 /*
551 * inject_delay_count is a subset of zio_injection_enabled that
552 * is only incremented for delay handlers. These checks are
553 * mainly added to remind the reader why we're not explicitly
554 * checking zio_injection_enabled like the other functions.
555 */
559 /*
560 * If there aren't any inject delay handlers registered, then we
561 * can short circuit and simply return 0 here. A value of zero
562 * informs zio_delay_interrupt() that this request should not be
563 * delayed. This short circuit keeps us from acquiring the
564 * inject_delay_mutex unnecessarily.
565 */
569 }
571 /*
572 * Each inject handler has a number of "lanes" associated with
573 * it. Each lane is able to handle requests independently of one
574 * another, and at a latency defined by the inject handler
575 * record's zi_timer field. Thus if a handler in configured with
576 * a single lane with a 10ms latency, it will delay requests
577 * such that only a single request is completed every 10ms. So,
578 * if more than one request is attempted per each 10ms interval,
579 * the average latency of the requests will be greater than
580 * 10ms; but if only a single request is submitted each 10ms
581 * interval the average latency will be 10ms.
582 *
583 * We need to acquire this mutex to prevent multiple concurrent
584 * threads being assigned to the same lane of a given inject
585 * handler. The mutex allows us to perform the following two
586 * operations atomically:
587 *
588 * 1. determine the minimum handler and minimum target
589 * value of all the possible handlers
590 * 2. update that minimum handler's lane array
591 *
592 * Without atomicity, two (or more) threads could pick the same
593 * lane in step (1), and then conflict with each other in step
594 * (2). This could allow a single lane handler to process
595 * multiple requests simultaneously, which shouldn't be possible.
596 */
610 /* also match on I/O type (e.g., -T read) */
614 }
616 /*
617 * Defensive; should never happen as the array allocation
618 * occurs prior to inserting this handler on the list.
619 */
622 /*
623 * This should never happen, the zinject command should
624 * prevent a user from setting an IO delay with zero lanes.
625 */
631 /*
632 * We want to issue this IO to the lane that will become
633 * idle the soonest, so we compare the soonest this
634 * specific handler can complete the IO with all other
635 * handlers, to find the lowest value of all possible
636 * lanes. We then use this lane to submit the request.
637 *
638 * Since each handler has a constant value for its
639 * delay, we can just use the "next" lane for that
640 * handler; as it will always be the lane with the
641 * lowest value for that particular handler (i.e. the
642 * lane that will become idle the soonest). This saves a
643 * scan of each handler's lanes array.
644 *
645 * There's two cases to consider when determining when
646 * this specific IO request should complete. If this
647 * lane is idle, we want to "submit" the request now so
648 * it will complete after zi_timer milliseconds. Thus,
649 * we set the target to now + zi_timer.
650 *
651 * If the lane is busy, we want this request to complete
652 * zi_timer milliseconds after the lane becomes idle.
653 * Since the 'zi_lanes' array holds the time at which
654 * each lane will become idle, we use that value to
655 * determine when this request should complete.
656 */
666 }
671 /*
672 * We don't yet increment the "next lane" variable since
673 * we still might find a lower value lane in another
674 * handler during any remaining iterations. Once we're
675 * sure we've selected the absolute minimum, we'll claim
676 * the lane and increment the handler's "next lane"
677 * field below.
678 */
683 }
684 }
686 /*
687 * 'min_handler' will be NULL if no IO delays are registered for
688 * this vdev, otherwise it will point to the handler containing
689 * the lane that will become idle the soonest.
690 */
695 /*
696 * If we've used all possible lanes for this handler,
697 * loop back and start using the first lane again;
698 * otherwise, just increment the lane index.
699 */
702 }
708 }
710 static void
712 {
728 }
731 }
732 }
740 }
742 }
744 /* all done with this one-shot handler */
746 }
747 }
749 /*
750 * For testing, inject a delay during an import
751 */
752 void
754 {
756 }
758 /*
759 * For testing, inject a delay during an export
760 */
761 void
763 {
765 }
767 static int
769 {
776 /*
777 * Obtain the dnode for object using pool, objset, and object
778 */
797 /*
798 * Translate the range into block IDs
799 */
803 }
808 }
816 }
817 }
818 }
822 }
824 static boolean_t
826 {
840 }
841 }
845 }
846 /*
847 * Create a new handler for the given record. We add it to the list, adding
848 * a reference to the spa_t in the process. We increment zio_injection_enabled,
849 * which is the switch to trigger all fault injection.
850 */
851 int
853 {
858 /*
859 * If this is pool-wide metadata, make sure we unload the corresponding
860 * spa_t, so that the next attempt to load it will trigger the fault.
861 * We call spa_reset() to unload the pool appropriately.
862 */
868 /*
869 * A value of zero for the number of lanes or for the
870 * delay time doesn't make sense.
871 */
875 /*
876 * The number of lanes is directly mapped to the size of
877 * an array used by the handler. Thus, to ensure the
878 * user doesn't trigger an allocation that's "too large"
879 * we cap the number of lanes here.
880 */
883 }
885 /*
886 * If the supplied range was in bytes -- calculate the actual blkid
887 */
892 }
895 /*
896 * Pool delays for import or export don't take an
897 * injection reference on the spa. Instead they
898 * rely on matching by name.
899 */
904 /*
905 * Only one import | export delay handler per pool.
906 */
920 /*
921 * spa_inject_ref() will add an injection reference,
922 * which will prevent the pool from being removed
923 * from the namespace while still allowing it to be
924 * unloaded.
925 */
928 }
942 }
946 else
951 /*
952 * We can't move this increment into the conditional
953 * above because we need to hold the RW_WRITER lock of
954 * inject_lock, and we don't want to hold that while
955 * allocating the handler's zi_lanes array.
956 */
959 inject_delay_count++;
961 }
968 }
970 /*
971 * Flush the ARC, so that any attempts to read this data will end up
972 * going to the ZIO layer. Note that this is a little overkill, but
973 * we don't have the necessary ARC interfaces to do anything else, and
974 * fault injection isn't a performance critical path.
975 */
977 /*
978 * We must use FALSE to ensure arc_flush returns, since
979 * we're not preventing concurrent ARC insertions.
980 */
984 }
986 /*
987 * Returns the next record with an ID greater than that supplied to the
988 * function. Used to iterate over all handlers in the system.
989 */
990 int
993 {
1011 else
1016 }
1022 }
1024 /*
1025 * Clear the fault handler with the given identifier, or return ENOENT if none
1026 * exists.
1027 */
1028 int
1030 {
1043 }
1047 inject_delay_count--;
1049 }
1060 }
1071 }
1073 void
1075 {
1080 }
1082 void
1084 {
1088 }
1090 #if defined(_KERNEL)
1098 #endif