Created attachment 1759859 [details]
reproducer

Description of problem:

On a cifs mount with 'serverino' (the default) and 'cache=strict' (also the default), if a file is removed elsewhere but the inode number is reused for a new file, when the client reads the new file, the contents will be a combination of the cached original file, a partially-zeroed page, and the contents of the new file.

Version-Release number of selected component (if applicable):

RHEL 8 kernel 4.18.0-240.5.1.el8_3.x86_64
all tested RHEL 7 kernels
upstream kernel through at least 5.6

How reproducible:

easy

Steps to Reproduce:

can be performed on a single system, using a locally-running samba:

create user 'user1', cifs-mount the user's directory:

    # mount //localhost/user1 /mnt/tmp -overs=1.0,credentials=/root/.user1_smb_creds,uid=$(id -u user1),gid=$(id -g user1)

** write a file 'data1' on cifs mount
** delete the file 'data1' from the local filesystem
** create the 'data2' on the local filesystem with a larger size
** open and read 'data2' from the cifs mount

##### test_cifs_cache #####
#!/bin/bash
# Frank Sorenson <sorenson>, 2021

# $1: server-side (local) directory, $2: the cifs mount of that directory
localdir=${1:-/home/user1}
cifsdir=${2:-/mnt/tmp}

# start clean, with nothing left in the page cache
rm -f "$cifsdir"/data{1,2}
sync
sysctl vm.drop_caches=3 >/dev/null 2>&1

# write data1 through the cifs mount
perl -e 'printf("%s", "1"x10411);' >"$cifsdir/data1"
# remove it and create a larger data2 directly on the server side
rm -f "$localdir/data1"
perl -e 'printf("%s", "2"x55431);' >"$localdir/data2"

# read data2 back through the cifs mount
echo contents of data2
hexdump -C "$cifsdir/data2"
##### test_cifs_cache #####

execute the script

    # ./test_cifs_cache /home/user1 /mnt/tmp

Actual results:

contents of data2
00000000 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 |1111111111111111|
*
000028a0 31 31 31 31 31 31 31 31 31 31 31 00 00 00 00 00 |11111111111.....|
000028b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00003000 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 |2222222222222222|
*
0000d880 32 32 32 32 32 32 32 |2222222|
0000d887

the file contents of 'data2' are the 10411 bytes from 'data1' (from cache), the remainder of that last partial page is zeroed, and the remainder of the file has the actual contents from 'data2'

Expected results:

File contents read over cifs match the actual contents

    # hexdump -C /mnt/tmp/testdir/data2
00000000 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 |1111111111111111|
*
0000d880 31 31 31 31 31 31 31 |1111111|
0000d887

Additional info:

Repeating the above sequence several times, the contents of multiple files may be merged, as in this example with 5 files, each increasing in size:

    # ./test_cifs_cache-2 /home/user1 /mnt/tmp 10411,16385,55431,65536,75678

resulting file:
00000000 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
*
000028a0 30 30 30 30 30 30 30 30 30 30 30 00 00 00 00 00 |00000000000.....|
000028b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00003000 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 |1111111111111111|
*
00004000 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |1...............|
00004010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00005000 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 |2222222222222222|
*
0000d880 32 32 32 32 32 32 32 00 00 00 00 00 00 00 00 00 |2222222.........|
0000d890 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
0000e000 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 |3333333333333333|
*
00010000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00011000 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 |4444444444444444|
*
00012790 34 34 34 34 34 34 34 34 34 34 34 34 34 34 |44444444444444|
0001279e

I'll attach this version of the script as well, since it allows testing file sizes dynamically, etc.

I also want to note that the second time that the new file is read, the entire file is re-fetched from the server:

    # ./test_cifs_cache-2 /home/user1 /mnt/tmp 10411,55431 ; echo "reading file a second time:" ; hexdump -C /mnt/tmp/testdir/data1

resulting file:
00000000 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
*
000028a0 30 30 30 30 30 30 30 30 30 30 30 00 00 00 00 00 |00000000000.....|
000028b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00003000 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 |1111111111111111|
*
0000d880 31 31 31 31 31 31 31 |1111111|
0000d887
reading file a second time:
00000000 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 |1111111111111111|
*
0000d880 31 31 31 31 31 31 31 |1111111|
0000d887

so the apparent file corruption is fleeting. This may have helped this bug avoid detection for so long.

Created attachment 1759996 [details]
packet capture

a packet capture shows that the pages containing the original file (including the final partial page) are not re-fetched from the server.

In this example:

    data0 with 10411 bytes already exists on the server
    client reads 12288 bytes at offset 0 from data0 (10411 bytes received) over cifs
    file is deleted from local filesystem
    data1 is created on local filesystem, 55431 bytes are written at offset 0
    client reads 28672 bytes from offset 12288 from data1 over cifs
    client reads 16384 bytes from offset 40960 from data1 over cifs (14471 bytes received)

resulting file as read by userspace:
00000000 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
*
000028a0 30 30 30 30 30 30 30 30 30 30 30 00 00 00 00 00 |00000000000.....|
000028b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00003000 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 |1111111111111111|
*
0000d880 31 31 31 31 31 31 31 |1111111|
0000d887
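
Added example (not part of the original report or its attachments): a checker that compares what a client read over cifs with the server-side bytes and reports whether the mismatch has the page-aligned shape shown in the hexdumps above. The 4 KiB page size, the function names and the sample data are assumptions made for this illustration.

```python
from itertools import groupby

PAGE_SIZE = 4096  # assumption: 4 KiB pages, consistent with the 0x3000 boundary in the report

def classify_runs(observed: bytes, expected: bytes):
    """Collapse a per-byte comparison into (start, end, state) runs, end exclusive.

    state is "ok" (bytes agree), "zero" (client returned NUL where the server
    has data) or "stale" (client returned some other, non-matching byte).
    """
    if len(observed) != len(expected):
        raise ValueError("sizes differ; compare files of equal length")
    states = ("ok" if o == e else "zero" if o == 0 else "stale"
              for o, e in zip(observed, expected))
    runs, pos = [], 0
    for state, group in groupby(states):
        length = sum(1 for _ in group)
        runs.append((pos, pos + length, state))
        pos += length
    return runs

def bad_regions(runs):
    """Merge adjacent non-"ok" runs into (start, end) regions."""
    regions = []
    for start, end, state in runs:
        if state == "ok":
            continue
        if regions and regions[-1][1] == start:
            regions[-1] = (regions[-1][0], end)
        else:
            regions.append((start, end))
    return regions

def matches_stale_page_signature(observed, expected, page_size=PAGE_SIZE):
    """True when every mismatching region starts and ends on a page boundary
    (or at EOF), the pattern left by whole pages served from a stale cache."""
    size = len(expected)
    regions = bad_regions(classify_runs(observed, expected))
    return bool(regions) and all(
        s % page_size == 0 and (e % page_size == 0 or e == size)
        for s, e in regions)

def constructed_sample():
    """Constructed input reproducing the layout of the first hexdump in the report."""
    observed = b"1" * 10411 + b"\0" * (12288 - 10411) + b"2" * (55431 - 12288)
    return observed, b"2" * 55431

if __name__ == "__main__":
    obs, exp = constructed_sample()
    for start, end, state in classify_runs(obs, exp):
        print(f"{start:#07x}-{end:#07x} {state}")
    print("stale page-cache signature:", matches_stale_page_signature(obs, exp))
```

Stale bytes that happen to equal the new file's bytes are counted as "ok", so use distinct fill patterns for each file, as the reproducer does.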

The following Merge Request has pipeline job artifacts available:

Title: cifs: revalidate mapping when we open files for SMB1 POSIX
MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-8/-/merge_requests/258
Pipeline: https://gitlab.com/redhat/rhel/src/kernel/rhel-8/-/pipelines/278527587

This Repo URL is *not* accessible from a web browser! It only functions as a dnf or yum baseurl.
Repo URL: https://s3.upshift.redhat.com/DH-PROD-CKI/internal/278527593/$basearch/4.18.0-301.1.el8.mr258_210330_0059.$basearch

4.18.0-301.1.el8.mr258_210330_0059.s390x:
Job: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1138238656
Gitlab browser: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1138238656/artifacts/browse/artifacts/repo/4.18.0-301.1.el8.mr258_210330_0059.s390x/
Current automated test status: success

4.18.0-301.1.el8.mr258_210330_0059.ppc64le:
Job: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1138238655
Gitlab browser: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1138238655/artifacts/browse/artifacts/repo/4.18.0-301.1.el8.mr258_210330_0059.ppc64le/
Current automated test status: success

4.18.0-301.1.el8.mr258_210330_0059.aarch64:
Job: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1138238654
Gitlab browser: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1138238654/artifacts/browse/artifacts/repo/4.18.0-301.1.el8.mr258_210330_0059.aarch64/
Current automated test status: success

4.18.0-301.1.el8.mr258_210330_0059.x86_64:
Job: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1138238653
Gitlab browser: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1138238653/artifacts/browse/artifacts/repo/4.18.0-301.1.el8.mr258_210330_0059.x86_64/
Current automated test status: success

The following Merge Request has pipeline job artifacts available:

Title: cifs: revalidate mapping when we open files for SMB1 POSIX
MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-8/-/merge_requests/257
Pipeline: https://gitlab.com/redhat/rhel/src/kernel/rhel-8/-/pipelines/278480148

This Repo URL is *not* accessible from a web browser! It only functions as a dnf or yum baseurl.
Repo URL: https://s3.upshift.redhat.com/DH-PROD-CKI/internal/278480165/$basearch/4.18.0-301.1.el8.mr257_210329_2158.$basearch

4.18.0-301.1.el8.mr257_210329_2158.s390x:
Job: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1137985008
Gitlab browser: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1137985008/artifacts/browse/artifacts/repo/4.18.0-301.1.el8.mr257_210329_2158.s390x/
Current automated test status: success

4.18.0-301.1.el8.mr257_210329_2158.ppc64le:
Job: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1137985007
Gitlab browser: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1137985007/artifacts/browse/artifacts/repo/4.18.0-301.1.el8.mr257_210329_2158.ppc64le/
Current automated test status: success

4.18.0-301.1.el8.mr257_210329_2158.aarch64:
Job: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1137985006
Gitlab browser: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1137985006/artifacts/browse/artifacts/repo/4.18.0-301.1.el8.mr257_210329_2158.aarch64/
Current automated test status: success

4.18.0-301.1.el8.mr257_210329_2158.x86_64:
Job: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1137985005
Gitlab browser: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1137985005/artifacts/browse/artifacts/repo/4.18.0-301.1.el8.mr257_210329_2158.x86_64/
Current automated test status: success

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: kernel security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4356