Bug 1712197
| Summary: | crash in is_size_safe_to_change as the result of race condition in management of cifsInodeInfo->openFileList | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Frank Sorenson <fsorenso> |
| Component: | kernel | Assignee: | cifs-maint |
| kernel sub component: | CIFS | QA Contact: | JianHong Yin <jiyin> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | high | ||
| Priority: | urgent | CC: | dwhiter, dwysocha, gsierohu, jaeshin, lconicel, lsahlber, pbhati, xifeng, xzhou |
| Version: | 8.0 | Keywords: | Reproducer |
| Target Milestone: | rc | ||
| Target Release: | 8.1 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | kernel-4.18.0-111.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-11-05 21:55:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Note: I have reproduced this crash without kerberos. Simply mount with 'multiuser', then have 2-3 users run the test script using their own creds: # su - user1 $ cifscreds add vm1 Password: $ cd /mnt/vm1 $ ./openloop (and similar with user2 and user3) This is not reproducing for me with a 5.1 kernel Patch(es) available on kernel-4.18.0-111.el8 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:3517 |
Description of problem: A list corruption of cifsInodeInfo->openFileList can occur due to a race condition between multiple processes opening/closing the same file. The list corruption then results in a crash while walking the list in is_inode_writeable() [ 1623.170714] general protection fault: 0000 [#1] SMP PTI [ 1623.170749] CPU: 2 PID: 13949 Comm: R Kdump: loaded Not tainted 4.18.0-80.1.2.el8_0.x86_64 #1 [ 1623.170778] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 1623.170841] RIP: 0010:is_size_safe_to_change+0x57/0xb0 [cifs] ... [ 1623.171273] cifs_fattr_to_inode+0x146/0x580 [cifs] [ 1623.171302] cifs_get_file_info+0xed/0x360 [cifs] [ 1623.171329] cifs_llseek+0x4a/0xc0 [cifs] [ 1623.171349] ksys_lseek+0x62/0xb0 [ 1623.171366] do_syscall_64+0x5b/0x1b0 [ 1623.171382] entry_SYSCALL_64_after_hwframe+0x65/0xca Version-Release number of selected component (if applicable): 4.18.0-80.1.2.el8_0.x86_64 (also seen previously in RHEL 7) How reproducible: simple; see reproducer below Steps to Reproduce: test program /tmp/openloop.py #!/usr/bin/env python from __future__ import print_function i=0 while True: with open('testfile', 'r') as myfile: content = myfile.read() print("test {}\r".format(i), end="") i = i + 1 # mount.cifs //vm1/share /mnt/vm1 --verbose -o vers=2.1,sec=krb5,multiuser # cd /mnt/vm1 # echo testing > testfile start 3 copies of the test program, each with different krb5 creds: # su - user1 $ kinit -kt krb5-smbuser1.keytab -c /tmp/krb5cc_$UID smbuser1 $ cd /mnt/vm1 $ /tmp/openloop.py # su - user2 $ kinit -kt krb5-smbuser2.keytab -c /tmp/krb5cc_$UID smbuser2 $ cd /mnt/vm1 $ /tmp/openloop.py # su - user3 $ kinit -kt krb5-smbuser3.keytab -c /tmp/krb5cc_$UID smbuser3 $ cd /mnt/vm1 $ /tmp/openloop.py The crash will usually occur within several minutes Actual results: kernel crash Expected results: no crash Additional info: also see RHEL 7 BZ 1580165 for this issue