drbd: An incapable primary should not outdate a far UpToDate secondary

Let's consider a diskless node A with a resync from C to B. B is Primary, and C is up-to-date. A / \ B<--C Then the resync is interrupted A / \ B C B becomes a primary without access to UpToDate data. It either throws I/O errors or it freezes I/O. In either case, it should not outdate C. Fix this by detecting B as an incapable primary when evaluating the data gathered in the empty two-phase commit after losing connection to a primary.
LINBIT · Jan 15, 2025 · d8214d4 · d8214d4
1 parent b2ef6ef
commit d8214d4
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/drbd/drbd_state.c b/drbd/drbd_state.c
@@ -5559,8 +5559,9 @@ static bool do_twopc_after_lost_peer(struct change_context *context, enum change
 	struct twopc_reply *reply = &resource->twopc_reply;
 	u64 directly_reachable = directly_connected_nodes(resource, NEW) |
 		NODE_MASK(resource->res_opts.node_id);
+	bool pri_incapable = reply->primary_nodes && !reply->weak_nodes; /* TWOPC_PRI_INCAPABLE */
 
-	if (phase == PH_COMMIT && (reply->primary_nodes & ~directly_reachable)) {
+	if (phase == PH_COMMIT && (reply->primary_nodes & ~directly_reachable && !pri_incapable)) {
 		__outdate_myself(resource);
 	} else {
 		struct drbd_device *device;