crimson/osd: clear peer_missing entries for deleted objects

[shraddhaag]

The Issue

This issue occurs when backfilling for an object and a client request to delete for the same object coincide. In such a case, there is a race to acquire the OBC lock between backfill and client delete.

Consider the scenario when the backfill is in progress and has already added the peer_missing entry for the given object. Now, one of two scenarios can happen:

When the lock is acquired first by the backfill, the object is recovered first, and then deleted by the client delete request. When recovering the object, the corresponding peer_missing entry is cleared when backfill recovers the object, the client delete sends a complete delete op to the backfilling OSD (hence, deleting the object) and we are able to transition to Recovered state successfully.

When the lock is acquired first by client delete request, the object is deleted. Then backfill tries to recover the object, finds it deleted and exits early. The stale peer_missing entry is not cleared. In Recovered::Recovered, needs_recovery() sees this stale peer_missing entry and calls abort.

The below image summaries the issue seen in https://pulpito.ceph.com/shraddhaag-2026-02-09_14:34:53-crimson-rados-main-distro-debug-trial/41478/.

The fix.

This issue is fixed by clearing out the stale peer_missing entries for the deleted object when object is discovered to be deleted by recover_object().

The fix was tested across many runs, all successfully passed:

• https://pulpito.ceph.com/shraddhaag-2026-02-25_12:00:58-crimson-rados-main-distro-debug-trial/
• https://pulpito.ceph.com/shraddhaag-2026-02-25_17:24:22-crimson-rados-main-distro-debug-trial/
• https://pulpito.ceph.com/shraddhaag-2026-02-25_17:27:13-crimson-rados-main-distro-debug-trial/
• https://pulpito.ceph.com/amathuri-2026-02-26_10:12:21-crimson-rados:thrash-wip-amat-fix-74504-distro-debug-trial/

Earlier, an alternative fix was to clear the stale peer_missing entries in enqueue_delete_for_backfill called by the client delete. This approach was abandoned as this can also lead to a race condition which might result in this same error. In such a case, the backfill would complete before the entries are cleared in enqueue_delete_for_backfill().

Fixes: https://tracker.ceph.com/issues/70501

QA Analysis

https://tracker.ceph.com/projects/crimson/wiki/MAIN#httpspulpitocephcomshraddhaag-2026-02-26_022256-crimson-rados-main-distro-debug-trial

Checklist

• Tracker (select at least one)
  • References tracker ticket
  • Very recent bug; references commit where it was introduced
  • New feature (ticket optional)
  • Doc update (no ticket needed)
  • Code cleanup (no ticket needed)
• Component impact
  • Affects Dashboard, opened tracker ticket
  • Affects Orchestrator, opened tracker ticket
  • No impact that needs to be tracked
• Documentation (select at least one)
  • Updates relevant documentation
  • No doc update is appropriate
• Tests (select at least one)
  • Includes unit test(s)
  • Includes integration test(s)
  • Includes bug reproducer
  • No tests

Show available Jenkins commands

• jenkins test classic perf Jenkins Job | Jenkins Job Definition
• jenkins test crimson perf Jenkins Job | Jenkins Job Definition
• jenkins test signed Jenkins Job | Jenkins Job Definition
• jenkins test make check Jenkins Job | Jenkins Job Definition
• jenkins test make check arm64 Jenkins Job | Jenkins Job Definition
• jenkins test submodules Jenkins Job | Jenkins Job Definition
• jenkins test dashboard Jenkins Job | Jenkins Job Definition
• jenkins test dashboard cephadm Jenkins Job | Jenkins Job Definition
• jenkins test api Jenkins Job | Jenkins Job Definition
• jenkins test docs ReadTheDocs | Github Workflow Definition
• jenkins test ceph-volume all Jenkins Jobs | Jenkins Jobs Definition
• jenkins test windows Jenkins Job | Jenkins Job Definition
• jenkins test rook e2e Jenkins Job | Jenkins Job Definition

You must only issue one Jenkins command per-comment. Jenkins does not understand
comments with more than one command.

[amathuria]

Looks good, approving.
Thanks for the detailed explanation @shraddhaag!

[shraddhaag]

jenkins test make check arm64

[Matan-B]

Good progress!
I think this approach hides the issue but we should instead make sure racing deletes are properly handled.
We can't skip recovery each time object is not found - there could be cases where the object is not found due to actual error and was not deleted.

[Matan-B]

We should consider the case where the object is being recovered and can't (for some catastrophic reason) be found without being deleted.
This must result in an error (abort/retry). Otherwise, we always let missing objects be marked as recovered - even on non-deleted objects.

[Matan-B]

ReplicatedRecoveryBackend::recover_delete already pushes MOSDPGRecoveryDelete to all peers that still have the object marked as missing.

The above would be responsible for letting peer handle call on_local_recover with is_delete=true and handling the reply from this peer (via handle_recovery_delete_reply) and eventually call on_peer_recover.

I think it's wrong to skip the logic above, by calling on_peer_recover here. We trick peering_state into thinking "That peer recovered this object" - while this is not the case.

The issue here (prior to the changes in the PR) seems to be that we thought that we "Abort the recovery in this case .."(l. 46) but we didn't actually abort it and later on PeeringState "Recovered" would fail on ceph_assert(!ps->needs_recovery()); - since we some peers still think they have missing objects.

---

I would try to understand how we can let MOSDPGRecoveryDelete logic execute properly and/or dropping/aborting recovery for this object.
Alternatively, we could try making maybe_pull_missing_obj smarter and by not pulling deleted objects? Currently we only skip pulls if the object is not missing, perhaps this case could be further expanded to detect deletes.

ReplicatedRecoveryBackend::maybe_pull_missing_obj(
{
  if (!local_missing.is_missing(soid)) {
    // object is not missing, don't pull
    return seastar::make_ready_future<>();
  }