On Tue, Nov 26, 2024 at 12:12:16PM +0100, Martin Wilck wrote: > On Mon, 2024-11-25 at 15:31 -0500, Benjamin Marzinski wrote: > > On Mon, Nov 25, 2024 at 03:32:22PM +0100, Martin Wilck wrote: > > > pp->pgindex is set in disassemble_map() when a map is parsed. > > > There are various possiblities for this index to become invalid. > > > pp->pgindex is only used in enable_group() and > > > followover_should_fallback(), > > > and both callers take no action if it is 0, which is the right > > > thing to do if we don't know the path's pathgroup. > > > > > > Make sure pp->pgindex is reset to 0 in various places: > > > - when it's orphaned, > > > - before (re)grouping paths, > > > - when we detect a bad mpp assignment in update_pathvec_from_dm(). > > > > > > The hunk in group_paths is mostly redundant with the hunk in > > > free_pgvec(), but > > > because we're looping over pg->paths in the former and over pg->pgp > > > in > > > the latter, I think it's better too play safe. > > > > I'm not sure this will always fix issue #105. Perhaps I'm overlooking > > the connection in the code and this just needs a more explicit > > explanation to aid clueless reviewers, but here's what I don't get. > > > > As far as I can see, the only change here that would effect the > > reported > > issue is the change to update_pathvec_from_dm(). While I totally > > agree > > that if you have a path that appears to be two multipath devices, you > > can't trust pp->pgindex, I believe there's also another problem. > > > > Say you have a multipath device with two path groups (pgp1 and pgp2) > > each with one path (pp1 in pgp1 and pp2 in pgp2). In this case, > > pp1->pgindex == 1 and pp2->pgindex == 2. If update_pathvec_from_dm() > > discovers that pp1 is part of another multipath device, and removes > > it, > > that will mean that pgp1 is now empty, so update_pathvec_from_dm() > > will > > also remove that (at the delete_pg label). But pp2->pgindex will > > still > > be set to 2 even though there's only one path group, so it will now > > point off the end of the pgp list. Right? > > Right, thanks for pointing this out. If we delete a pg, we need to > invalidate all pgindex values for all paths in the map. We can't > decrement them, because they must match kernel indices (see below). > > > At any rate, updating pgindex seems finicky and perhaps we should > > just > > drop it. It's not that much work to scan the path groups for the path > > in > > enable_group() and since we're already reading through the path > > groups > > in followover_should_failback(), we can just refactor the code a > > little > > bit to avoid needing pgindex at all. > > I had similar thoughts, but I was looking for a minimal fix for the > 0.11.0 release. Probably dropping pgindex for good is the right thing > to do, but is it 0.11.0 material? I'd be fine with removing it, but it's your call. I have nothing against your approach for 0.11.0 and then a more involved fix afterwards. > We'd still have the problem that enable_group() et al. need a pgindex > value that matches the kernel configuration. We can only be sure that > this index is correct if disassemble_map() has just set it. Any change > we apply in multipathd's data structures won't match the kernel's view > of the map. > > This problem is subtle, AFAICS. It's related to the fact that if > update_pathvec_from_dm() finds any inconsistencies, we *should* reload > the map, possibly multiple times, until these inconsistencies have been > resolved. But we can't do that in all code paths in which this function > is called (or at least, we haven't been able to prove that we can > without risking breakage). > > I have vague ideas how this could be solved, but they would require a > major code restructuring. We could use mpp->need_reload to signal that pgindex was invalid. It might still make sense to drop pgindex so we don't have to unset it in cases like when a path is in two multipath devices. But if the map needed reloading, we could just let the reload deal with adjusting the path groups. The only problem is that we can set need_reload, but not actually trigger that reload for a while. -Ben > Regards, > Martin