Bug 1933527 - Files on cifs mount can get mixed contents when underlying file is removed but inode number is reused, when mounted with 'serverino' and 'cache=strict'
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2021-12-08
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: kernel
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.5
Assignee: cifs-maint
QA Contact: xiaoli feng
URL:
Whiteboard:
Depends On:
Blocks: 1948356
Reported: 2021-03-01 00:05 UTC by Frank Sorenson
Modified: 2021-11-10 03:50 UTC (History)

Fixed In Version: kernel-4.18.0-304.7.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1948356 (view as bug list)
Environment:
Last Closed: 2021-11-09 19:06:55 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
reproducer (1.82 KB, application/x-perl)
2021-03-01 00:05 UTC, Frank Sorenson
packet capture (57.12 KB, application/octet-stream)
2021-03-01 16:03 UTC, Frank Sorenson


Links
System ID Private Priority Status Summary Last Updated
Gitlab redhat/rhel/src/kernel rhel-8 merge_requests 258 0 None None None 2021-03-30 00:45:22 UTC
Red Hat Product Errata RHSA-2021:4356 0 None None None 2021-11-09 19:07:26 UTC

Description Frank Sorenson 2021-03-01 00:05:52 UTC
Created attachment 1759859
reproducer

Description of problem:

On a cifs mount with 'serverino' (the default) and 'cache=strict' (also the default), if a file is removed elsewhere but the inode number is reused for a new file, when the client reads the new file, the contents will be a combination of the cached original file, a partially-zeroed page, and the contents of the new file.



Version-Release number of selected component (if applicable):

RHEL 8 kernel 4.18.0-240.5.1.el8_3.x86_64
all tested RHEL 7 kernels
upstream kernel through at least 5.6


How reproducible:

easy


Steps to Reproduce:

can be performed on a single system, using a locally-running samba:

create user 'user1', cifs-mount the user's directory:

# mount //localhost/user1 /mnt/tmp -overs=1.0,credentials=/root/.user1_smb_creds,uid=$(id -u user1),gid=$(id -g user1)

** write a file 'data1' on cifs mount
** delete the file 'data1' from the local filesystem
** create 'data2' on the local filesystem with a larger size
** open and read 'data2' from the cifs mount


##### test_cifs_cache #####
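#!/bin/bash
# Frank Sorenson <sorenson>, 2021
# Usage: test_cifs_cache [local (server-side) directory] [cifs mount of that directory]

localdir=${1:-/home/user1}
cifsdir=${2:-/mnt/tmp}

# start clean: remove old test files and drop the client's page cache
rm -f "$cifsdir"/data{1,2}
sync
sysctl vm.drop_caches=3 >/dev/null 2>&1

# write data1 (10411 bytes of '1') through the cifs mount
perl -e 'printf("%s", "1"x10411);' >"$cifsdir/data1"

# on the local filesystem, delete data1 and create the larger data2 (55431 bytes of '2')
rm -f "$localdir/data1"
perl -e 'printf("%s", "2"x55431);' >"$localdir/data2"

# read data2 back through the cifs mount
echo contents of data2
hexdump -C "$cifsdir/data2"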
##### test_cifs_cache #####


execute the script
# ./test_cifs_cache /home/user1 /mnt/tmp



Actual results:

contents of data2
00000000  31 31 31 31 31 31 31 31  31 31 31 31 31 31 31 31  |1111111111111111|
*
000028a0  31 31 31 31 31 31 31 31  31 31 31 00 00 00 00 00  |11111111111.....|
000028b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00003000  32 32 32 32 32 32 32 32  32 32 32 32 32 32 32 32  |2222222222222222|
*
0000d880  32 32 32 32 32 32 32                              |2222222|
0000d887


the file contents of 'data2' are the 10411 bytes from 'data1' (from cache), the remainder of that last partial page is zeroed, and the remainder of the file has the actual contents from 'data2'


Expected results:

File contents read over cifs match the actual contents

# hexdump -C /mnt/tmp/testdir/data2
00000000  31 31 31 31 31 31 31 31  31 31 31 31 31 31 31 31  |1111111111111111|
*
0000d880  31 31 31 31 31 31 31                              |1111111|
0000d887


Additional info:

Repeating the above sequence several times, the contents of multiple files may be merged, as in this example with 5 files, each increasing in size:

# ./test_cifs_cache-2 /home/user1 /mnt/tmp 10411,16385,55431,65536,75678
resulting file:
00000000  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
*
000028a0  30 30 30 30 30 30 30 30  30 30 30 00 00 00 00 00  |00000000000.....|
000028b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00003000  31 31 31 31 31 31 31 31  31 31 31 31 31 31 31 31  |1111111111111111|
*
00004000  31 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |1...............|
00004010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00005000  32 32 32 32 32 32 32 32  32 32 32 32 32 32 32 32  |2222222222222222|
*
0000d880  32 32 32 32 32 32 32 00  00 00 00 00 00 00 00 00  |2222222.........|
0000d890  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
0000e000  33 33 33 33 33 33 33 33  33 33 33 33 33 33 33 33  |3333333333333333|
*
00010000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00011000  34 34 34 34 34 34 34 34  34 34 34 34 34 34 34 34  |4444444444444444|
*
00012790  34 34 34 34 34 34 34 34  34 34 34 34 34 34        |44444444444444|
0001279e


I'll attach this version of the script as well, since it allows testing file sizes dynamically, etc.

Comment 1 Frank Sorenson 2021-03-01 15:30:02 UTC
I also want to note that the second time that the new file is read, the entire file is re-fetched from the server:


# ./test_cifs_cache-2 /home/user1 /mnt/tmp 10411,55431 ; echo "reading file a second time:" ; hexdump -C /mnt/tmp/testdir/data1
resulting file:
00000000  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
*
000028a0  30 30 30 30 30 30 30 30  30 30 30 00 00 00 00 00  |00000000000.....|
000028b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00003000  31 31 31 31 31 31 31 31  31 31 31 31 31 31 31 31  |1111111111111111|
*
0000d880  31 31 31 31 31 31 31                              |1111111|
0000d887
reading file a second time:
00000000  31 31 31 31 31 31 31 31  31 31 31 31 31 31 31 31  |1111111111111111|
*
0000d880  31 31 31 31 31 31 31                              |1111111|
0000d887


so the apparent file corruption is fleeting.

This may have helped this bug avoid detection for so long.

Comment 2 Frank Sorenson 2021-03-01 16:03:55 UTC
Created attachment 1759996
packet capture

a packet capture shows that the pages containing the original file (including the final partial page) are not re-fetched from the server.

In this example:

data0 with 10411 bytes already exists on the server
client reads 12288 bytes at offset 0 from data0 (10411 bytes received) over cifs
file is deleted from local filesystem
data1 is created on local filesystem, 55431 bytes are written at offset 0
client reads 28672 bytes from offset 12288 from data1 over cifs
client reads 16384 bytes from offset 40960 from data1 over cifs (14471 bytes received)


resulting file as read by userspace:
00000000  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
*
000028a0  30 30 30 30 30 30 30 30  30 30 30 00 00 00 00 00  |00000000000.....|
000028b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00003000  31 31 31 31 31 31 31 31  31 31 31 31 31 31 31 31  |1111111111111111|
*
0000d880  31 31 31 31 31 31 31                              |1111111|
0000d887

Comment 9 kernel-workflow-bot 2021-03-30 16:29:22 UTC
The following Merge Request has pipeline job artifacts available:

Title: cifs: revalidate mapping when we open files for SMB1 POSIX
MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-8/-/merge_requests/258
Pipeline: https://gitlab.com/redhat/rhel/src/kernel/rhel-8/-/pipelines/278527587

This Repo URL is *not* accessible from a web browser! It only functions as a dnf or yum baseurl.
Repo URL: https://s3.upshift.redhat.com/DH-PROD-CKI/internal/278527593/$basearch/4.18.0-301.1.el8.mr258_210330_0059.$basearch


4.18.0-301.1.el8.mr258_210330_0059.s390x:
Job: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1138238656
Gitlab browser: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1138238656/artifacts/browse/artifacts/repo/4.18.0-301.1.el8.mr258_210330_0059.s390x/
Current automated test status: success

4.18.0-301.1.el8.mr258_210330_0059.ppc64le:
Job: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1138238655
Gitlab browser: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1138238655/artifacts/browse/artifacts/repo/4.18.0-301.1.el8.mr258_210330_0059.ppc64le/
Current automated test status: success

4.18.0-301.1.el8.mr258_210330_0059.aarch64:
Job: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1138238654
Gitlab browser: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1138238654/artifacts/browse/artifacts/repo/4.18.0-301.1.el8.mr258_210330_0059.aarch64/
Current automated test status: success

4.18.0-301.1.el8.mr258_210330_0059.x86_64:
Job: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1138238653
Gitlab browser: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1138238653/artifacts/browse/artifacts/repo/4.18.0-301.1.el8.mr258_210330_0059.x86_64/
Current automated test status: success

Comment 10 kernel-workflow-bot 2021-03-31 12:16:36 UTC
The following Merge Request has pipeline job artifacts available:

Title: cifs: revalidate mapping when we open files for SMB1 POSIX
MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-8/-/merge_requests/257
Pipeline: https://gitlab.com/redhat/rhel/src/kernel/rhel-8/-/pipelines/278480148

This Repo URL is *not* accessible from a web browser! It only functions as a dnf or yum baseurl.
Repo URL: https://s3.upshift.redhat.com/DH-PROD-CKI/internal/278480165/$basearch/4.18.0-301.1.el8.mr257_210329_2158.$basearch


4.18.0-301.1.el8.mr257_210329_2158.s390x:
Job: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1137985008
Gitlab browser: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1137985008/artifacts/browse/artifacts/repo/4.18.0-301.1.el8.mr257_210329_2158.s390x/
Current automated test status: success

4.18.0-301.1.el8.mr257_210329_2158.ppc64le:
Job: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1137985007
Gitlab browser: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1137985007/artifacts/browse/artifacts/repo/4.18.0-301.1.el8.mr257_210329_2158.ppc64le/
Current automated test status: success

4.18.0-301.1.el8.mr257_210329_2158.aarch64:
Job: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1137985006
Gitlab browser: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1137985006/artifacts/browse/artifacts/repo/4.18.0-301.1.el8.mr257_210329_2158.aarch64/
Current automated test status: success

4.18.0-301.1.el8.mr257_210329_2158.x86_64:
Job: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1137985005
Gitlab browser: https://gitlab.com/redhat/red-hat-ci-tools/kernel/cki-internal-pipelines/cki-internal-contributors/-/jobs/1137985005/artifacts/browse/artifacts/repo/4.18.0-301.1.el8.mr257_210329_2158.x86_64/
Current automated test status: success

Comment 21 errata-xmlrpc 2021-11-09 19:06:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: kernel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4356

