EIO caused by encryption + recursive gang

[ahrens]

Motivation and Context

Encrypted blocks can not have 3 DVAs, because they use the space of the 3rd DVA for the IV+salt. zio_write_gang_block() takes this into account, setting gbh_copies to no more than 2 in this case. Gang members BP's do not have the X (encrypted) bit set (nor do they have the DMU level and type fields set), because encryption is not handled at this level. The gang block is reassembled, and then encryption (and compression) are handled.

To check if this gang block is encrypted, the code in zio_write_gang_block() checks pio->io_bp. This is normally fine, because the block that's being ganged is typically the encrypted BP.

Caused-by: #14356
Closes #14413

Description

The problem is that if there is "recursive ganging", where a gang member is itself a gang block, then when zio_write_gang_block() is called to create a gang block for a gang member, pio->io_bp is the gang member's BP, which doesn't have the X bit set, so the number of DVA's is not restricted to 2. It should instead be looking at the the "gang leader", i.e. the top-level gang block, to determine how many DVA's can be used, to avoid a "NDVA's inversion" (where a child has more DVA's than its parent).

gang leader BP: X (encrypted) bit set, 2 DVA's, IV+salt in 3rd DVA's space:

DVA[0]=<1:...:100400> DVA[1]=<0:...:100400> salt=... iv=...
[L0 ZFS plain file] fletcher4 uncompressed encrypted LE
gang unique double size=100000L/100000P birth=... fill=1 cksum=...

leader's GBH contains a BP with gang bit set and 3 DVA's:

DVA[0]=<1:...:55600> DVA[1]=<0:...:55600>
[L0 unallocated] fletcher4 uncompressed unencrypted LE
contiguous unique double size=55600L/55600P birth=... fill=0 cksum=...

DVA[0]=<1:...:55600> DVA[1]=<0:...:55600>
[L0 unallocated] fletcher4 uncompressed unencrypted LE
contiguous unique double size=55600L/55600P birth=... fill=0 cksum=...

DVA[0]=<1:...:55600> DVA[1]=<0:...:55600> DVA[2]=<1:...:200>
[L0 unallocated] fletcher4 uncompressed unencrypted LE
gang unique double size=55400L/55400P birth=... fill=0 cksum=...

On nondebug bits, having the 3rd DVA in the gang block works for the most part, because it's true that all 3 DVA's are available in the gang member BP (in the GBH). However, for accounting purposes, gang block DVA's ASIZE include all the space allocated below them, i.e. the 512-byte gang block header (GBH) as well as the gang members below that. We see that above where the gang leader BP is 1MB logical (and after compression: 0x100000P), but the ASIZE of each DVA is 2 sectors (1KB) more than 1MB (0x100400).

Since there are 3 copies of a block below it, we increment the ATIME of the 3rd DVA of the gang leader by the space used by the 3rd DVA of the child (1 sector, in this case). But there isn't really a 3rd DVA of the parent; the salt is stored in place of the 3rd DVA's ASIZE.

So when zio_write_gang_member_ready() increments the parent's BP's DVA[2]'s ASIZE, it's actually incrementing the parent's salt. When we later try to read the encrypted recursively-ganged block, the salt doesn't match what we used to write it, so MAC verification fails and we get an EIO.

zio_encrypt():  encrypted 515/2/0/403 salt: 25 25 bb 9d ad d6 cd 89
zio_decrypt(): decrypting 515/2/0/403 salt: 26 25 bb 9d ad d6 cd 89

This commit addresses the problem by not increasing the number of copies of the GBH beyond 2 (even for non-encrypted blocks). This simplifies the logic while maintaining the ability to traverse all metadata (including gang blocks) even if one copy is lost. (Note that 3 copies of the GBH will still be created if requested, e.g. for copies=3 or MOS blocks.) Additionally, the code that increments the parent's DVA's ASIZE is made to check the parent DVA's NDVAS even on nondebug bits. So if there's a similar bug in the future, it will cause a panic when trying to write, rather than corrupting the parent BP and causing an error when reading.

How Has This Been Tested?

#!/bin/bash -x

dd if=/dev/urandom of=/tmp/key bs=32 count=1

zpool create test nvme4n1 nvme5n1
zfs destroy test/gang
zfs create \
	-o recordsize=1m \
	-o primarycache=metadata \
	-o compression=off \
	-o encryption=on \
	-o keylocation=file:///tmp/key \
	-o keyformat=raw \
	-o copies=2 \
	test/gang


echo $((128*1024)) >/sys/module/zfs/parameters/metaslab_force_ganging

while true; do
	dd if=/dev/urandom of=/var/run/data bs=1024k count=1000
	dd if=/var/run/data of=/test/gang/file bs=1024k count=1000
	zpool sync test
	dd if=/test/gang/file of=/var/run/out bs=1024k || exit
	diff /var/run/out /var/run/data || exit
done

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Breaking change (fix or feature that would cause existing functionality to change)
• Library ABI change (libzfs, libzfs_core, libnvpair, libuutil and libzfsbootenv)
• Documentation (a change to man pages or other documentation)

Checklist:

• My code follows the OpenZFS code style requirements.
• I have updated the documentation accordingly.
• I have read the contributing document.
• I have added tests to cover my changes.
• I have run the ZFS Test Suite with this change applied.
• All commit messages are properly formatted and contain Signed-off-by.

[thesamesam]

Thanks, I'll give this some testing. Could that bash script be turned into a full test for committing too?

[ahrens]

@thesamesam

Could that bash script be turned into a full test for committing too?

Probably. I don't have a lot of additional time to spend on this, so if someone is able to work on the ZTS aspect, that would be helpful.

[behlendorf]

@ahrens I went ahead and adapted your test case for the test suite, behlendorf@8c12f68. If it looks alright you can just cherry pick it in to this PR. I made a few minor changes.

1. It only performs one iteration of the test to avoid bogging down the CI
2. Tests non-encrypted and encrypted pools
3. Varies metaslab_force_ganging between 32k and 128k
4. Calculates sha256 checksums to compare files

[ahrens]

@behlendorf awesome, thank you!

[behlendorf]

With the PR applied I haven't been able to reproduce the issue. @thesamesam please let us know if you uncover anything in your testing but I believe this is good to go.