From ac2d87fb6380de2ba83013983ad9c53f81347e11 Mon Sep 17 00:00:00 2001
From: Andrew Deason <adeason@sinenomine.net>
Date: Thu, 1 Nov 2012 16:46:13 -0500
Subject: [PATCH] afs: Add some comments on GetValidDSlot panics

A couple of call sites for afs_GetValidDSlot currently panic if an
error is returned, but no explanation is given. Add a few comments
helping explain why there is a panic there, instead of graceful error
handling.

Reviewed-on: http://gerrit.openafs.org/8407
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@your-file-system.com>
(cherry picked from commit 3081a2cff2e4f9499268854504873fa801d50ce5)

Change-Id: I3bbe8f32683cb6086add494641b206c5b861fe3a
Reviewed-on: http://gerrit.openafs.org/10358
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Marc Dionne <marc.c.dionne@gmail.com>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
---
 src/afs/afs_segments.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/afs/afs_segments.c b/src/afs/afs_segments.c
index 631cb7c0f..f407b4993 100644
--- a/src/afs/afs_segments.c
+++ b/src/afs/afs_segments.c
@@ -540,7 +540,19 @@ afs_InvalidateAllSegments(struct vcache *avc)
     for (index = afs_dvhashTbl[hash]; index != NULLIDX;) {
 	if (afs_indexUnique[index] == avc->f.fid.Fid.Unique) {
 	    tdc = afs_GetValidDSlot(index);
-	    if (!tdc) osi_Panic("afs_InvalidateAllSegments tdc count");
+	    if (!tdc) {
+		/* In the case of fatal errors during stores, we MUST
+		 * invalidate all of the relevant chunks. Otherwise, the chunks
+		 * will be left with the 'new' data that was never successfully
+		 * written to the server, but the DV in the dcache is still the
+		 * old DV. So, we may indefintely serve serve applications data
+		 * that is not actually in the file on the fileserver. If we
+		 * cannot afs_GetValidDSlot the appropriate entries, currently
+		 * there is no way to ensure the dcache is invalidated. So for
+		 * now, to avoid risking serving bad data from the cache, panic
+		 * instead. */
+		osi_Panic("afs_InvalidateAllSegments tdc count");
+	    }
 	    ReleaseReadLock(&tdc->tlock);
 	    if (!FidCmp(&tdc->f.fid, &avc->f.fid))
 		dcListMax++;
@@ -555,7 +567,13 @@ afs_InvalidateAllSegments(struct vcache *avc)
     for (index = afs_dvhashTbl[hash]; index != NULLIDX;) {
 	if (afs_indexUnique[index] == avc->f.fid.Fid.Unique) {
 	    tdc = afs_GetValidDSlot(index);
-	    if (!tdc) osi_Panic("afs_InvalidateAllSegments tdc store");
+	    if (!tdc) {
+		/* We cannot proceed after getting this error; we risk serving
+		 * incorrect data to applications. So panic instead. See the
+		 * above comment next to the previous afs_GetValidDSlot call
+		 * for details. */
+		osi_Panic("afs_InvalidateAllSegments tdc store");
+	    }
 	    ReleaseReadLock(&tdc->tlock);
 	    if (!FidCmp(&tdc->f.fid, &avc->f.fid)) {
 		/* same file? we'll zap it */
-- 
2.39.5