Null bytes in files access by 2 or more NFS clients

Bug #199037 reported by Timo Aaltonen on 2008-03-06
4
Affects Status Importance Assigned to Milestone
linux (Fedora)
Fix Released
High
linux (Ubuntu)
High
Ben Collins

Bug Description

There's a bug in the linux NFS client where it's possible to corrupt files when the server is a NetApp filer and two (or more) clients have write access to the file. A good example of such a file is ~/.zhistory. This has been fixed upstream and on RHEL5:

http://lkml.org/lkml/2008/2/7/642 (second changeset)

and discussed here:

https://bugzilla.redhat.com/show_bug.cgi?id=429755

Please apply to the Hardy kernel, and possibly others, thanks!

Download full text (5.4 KiB)

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

Description of problem:
CommuniGate Systems is reporting this case on behalf of two CommuniGate/RedHat customers running RedHat Enterprise Server 5.1 and seeing some problems related to file integrity on this platform. We have two customers who upgraded their CommuniGate Pro cluster nodes to RedHat 5.1, from an earlier RHES 4.1 version. In both these cases, the kernel reportedly in use is this: 2.6.18-53.el5

We also have reports of a possibly identical problem with a customer running this kernel version, though we don't have the specifics of the Linux OS version: kernel version 2.6.18-8.1.8

In both of these cases, the customers began to get what appear to be
"null bytes" in mailboxes. I will a screenshot png of one of
these mailboxes, as seen with vi.

The mount options used are:
tcp,rsize=32768,wsize=32768,hard,intr,timeo=600,bg,retrans=2,noatime

The output of "mount -v" for one of these customers showed the following:
>>>172.30.35.5:/vol/CGPweb on /CGPweb type nfs
>>>(rw,nfsvers=3,proto=tcp,rsize=32768,wsize=32768,timeo=600,hard,intr,bg,acregmax=6,addr=172.30.35.5)

The exact operating system in use was:
>>>Linux MSA 2.6.18-53.el5 #1 SMP Wed Oct 10 16:34:02 EDT 2007 i686 i686 i386 GNU/Linux Red Hat Enterprise Linux 5.

When I last researched this in detail, it appeared that the byte offsets
and total sizes were still correct after the null bytes were inserted;
only the contents of those bytes were replaced with null characters. So,
it appeared at first glance that it was a 1:1 replacement of valid data
with "corruption"-type data of some sort.

When analyzing CommuniGate Pro logs (which report the file sizes and offsets of all messages), we found two types of symptoms:

1. a missing message with null bytes inserted instead (1:1 replacement of characters bytes into NULL bytes)
2. no missing message, but null bytes between/within two messages, and there is some indication that parts of some messages are missing (and replaced with NULL bytes)

A key question that is not 100% clearly answered is whether there is any indication of additional bytes ever being added, or if the null bytes are simply byte-replacement of data. From the available evidence, it appears that there is just 1:1 byte replacement.

Also, shile this is not 100% confirmed - CommuniGate Pro appears to be getting the correct byte offsets from the file system, as noted in the "math" parts of this document. This would suggest a problem that is different than the previous pre-2.6.13 Linux NFS kernel problem. Also, the time interval between some of the events that insert null bytes is rather large, often times 10+ minutes of interval between events.

Of these two customers, both went back to RedHat 4.5, and the problem
immediately disappeared. We have many customers running RedHat ES 4.5 successfully. Earlier RedHat versions than this still have a different NFS kernel bug which can cause serious problems in an CommuniGate Pro Dynamic Cluster when NFS-based. (A few years ago, we discovered a Linux
kernel bug related to NFS client handling in the kernel (s...

Read more...

Created attachment 292558
vi session screenshot of mailbox showing null bytes in message file

Please note that the screenshot has been modified to obfuscate potentially
proprietary data. These fields are clearly designated with red boxes.

This screenshot is quite representative of the problem, demonstrating how
entire or partial sections of messages are replaced with null bytes, in what
appear to be 1:1 byte replacements. The following message is properly
delineated in the message "mbox" file with a new special From line:

From <...

Few questions:

1. How did these corrupted files look like from server end ?
2. As stated in the problem statement, "RHEL 4.5" doesn't have this issue but
   it is not clear when the platform was moved back to RHEL 4.5, was the
   server moved too ? What are the OSs running on server with and without
   the problem ? What is server's filesystem (GFS, ext3, etc) ?

Intuitively, if file size and offset are correct but file contens were
partially filled with "NULL" characters, it normally implies the file
spaces are allocated but file contents are not there. We need to isolate
whether this is really a NFS client issue as stated or it is a server
(nfsd and/or filesystem) issue.

The NAS servers reportedly in use here are the following:

1. Customer A: NetApp 3020c running OnTAP v7.2.2
2. Customer B: NetApp 3020c

So, both are using NetApp.

We have contacts at NetApp if they should be brought into the discussion.
However, one note that may or may not be in the case so far, but should be, is
that the "null bytes" problem disappeared when Customer A went to a single NFS
client (taking one CommuniGate Pro "Backend Server" offline). It is only with
two or more NFS clients (Backend Servers) online that the problem can occur.

NetApp uses a proprietary filesystem called "WAFS". I am unsure whether NetApp
can provide filesystem/shell-level access to WAFS directly from their NAS
device, but it may be possible.

If we can attempt to reproduce these tests in-house, we do have a NetApp device
on which to try this; although the model number and NetApp OS version may
differ, and would need to be researched.

ok, thanks ! Was wondering whether GFS clusters were involved. With above
info, I would say this does look like an NFS client issue at this moment.
Info will be passed to Red Hat NFS kernel folks.

Thanks for the detailed BZ.

> Duplicating this problem will be challenging, though we believe possible ...

I am making arrangements to make RHEL 5.1 available to you. If you can reproduce
the problem that will be the first step.

Yes, thanks for the detailed bug report. I've looked over this and have a question:

2. Have one NFS client modify a non-binary, text file, using C++ operations such
as lseek(), write(), and fsync() (all filehandles are properly fsync()'d when
closed by an NFS client)
3. No less than 6 seconds later, have a second NFS client open the same file,
modify it (lseek/write/fsync).

is there any sort of fcntl locking going on here? You don't mention any so I
assume not...

Would it be possible for you to write a small a reproducer program and give us a
set of steps to duplicate this? Trying to troubleshoot this in the context of a
MTA is going to be tricky. It'll be much easier if we can reduce the reproducer
down.

Ideally we would, yes, write such a program. We do not have one currently for
this particular problem.

For the previous NFS-related "file-caching" bug (fixed in the 2.6.13/2.6.14
kernels by Trond Mykelbust), we did produce such a tool. However, that tool does
not appear to trigger this new problem.

I hope to be trying to reproduce this issue next week. If we can do so reliably,
we can write such an application.

Sincerely,
 -t

Excellent. I'll set this to NEEDINFO for now. Go ahead and set it back to
ASSIGNED once you have more info to go on.

Created attachment 294295
Trivial testcase that should demonstrate the problem

Instructions for the trivial testcase script:

Please edit the variables 'filename' and 'remote' depending on your
test environment.
The testcase should be run on NFS client number 1. '$remote' is another
NFS client that shares the same NFS namespace (and has access to the file
${filename})

Created attachment 294296
NFS: Fix a potential file corruption issue when writing

Proposed fix for the bug.

Thanks, Trond. Let me see what we can do about getting this in soon.

Yep, the reproducer here is indeed trivial and consistently fails. The patch
seems to fix it and looks sane.

This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
release.

I've got some test kernels on my people page with this patch. Thom, would you be
able to test your product on them and let me know if they correct the issue?
Note that these kernels are based on develoment builds and aren't fully QA'ed,
so please only deploy them for testing purposes...

http://people.redhat.com/jlayton

Excellent work all around, thank you folks. Thank you, Trond. I hope to test
with the new kernel today.

Excellent. I've just posted a new set of test kernels on my people page
(jtltest.20). I'd recommend using those instead of any earlier ones since those
kernels should also have the fixes for the vmsplice() local exploit that was
disclosed recently.

Let me know how it goes.

in 2.6.18-81.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

I have confirmed that the new kernel 2.6.18-81.el5 looks to have eliminated the
null bytes problem, when using the testcase that Trond provided.

I am also running a "SPECmail" test on this environment today, with the new
kernel in place, in order to verify proper behaviour under higher load. Thanks,
sincerely, -t

More supporting detail - I ran two SPECmail tests this afternoon. Each test used
2 Linux NFS client servers, attached to a shared NFS storage volume. The kernels
used were as follows, along with the results:

Test tool: SPECmail (spec.org) v1.01
Server application: CommuniGate Pro 5.2.0 x86-64, 0+2 Dynamic Cluster
NFS server: NetApp FAS270
OS: RedHat 5.1 x86_64 [RHEL5.1-Server-20071017.0-x86_64-DVD.iso]

Test 1:
Kernel vmlinuz-2.6.18-53.el5
Resulted in null byte in CommuniGate Pro "mailbox" files
(I will attach a sample mailbox file demonstrating the null bytes.)

Test 2:
Kernel vmlinuz-2.6.18-81.el5
Resulted in no null bytes in mailboxes

Thank you, please let me know if there are any questions. Sincerely.

Created attachment 295054
INBOX mailbox with 1 message replaced with null bytes

Verified based on customer's report as well as the testcase.

Timo Aaltonen (tjaalton) on 2008-03-06
description: updated
Changed in linux:
milestone: none → ubuntu-8.04-beta
Changed in linux:
status: Unknown → Invalid
Timo Aaltonen (tjaalton) wrote :

uh, the bug watch updater is on crack.. the upstream bug is "verified" not "invalid".

Hi Timo,

Regarding the upstream tracker status, we filed a bug against malone but it didn't really get any resolution - https://bugs.edge.launchpad.net/malone/+bug/177230 .

Regarding this bug, I'm just adding the upstream git commit id for the kernel guys to reference. I'll be sure to have them take a look. Thanks.

commit 5d47a35600270e7115061cb1320ee60ae9bcb6b8
Author: Trond Myklebust <email address hidden>
Date: Thu Feb 7 17:24:07 2008 -0500

    NFS: Fix a potential file corruption issue when writing

Changed in linux:
assignee: nobody → ubuntu-kernel-team
importance: Undecided → High
status: New → Triaged
Ben Collins (ben-collins) wrote :

Applied to git tree. Will be in 2.6.24-12.18 upload, and also available for Hardy Beta.

Changed in linux:
assignee: ubuntu-kernel-team → ben-collins
status: Triaged → Fix Committed
Steve Langasek (vorlon) wrote :

Ben, I can't find any mention of this fix in the linux package changelog. Can you confirm that this fix has made it into the archive, and close the bug if appropriate?

Ben Collins (ben-collins) wrote :

Patch has been included since linux-2.6.24-11.17

Changed in linux:
status: Fix Committed → Fix Released
Changed in linux:
status: Invalid → Fix Committed

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0314.html

Changed in linux:
status: Fix Committed → Fix Released
Changed in linux (Fedora):
importance: Unknown → High
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.