From cea218054ad277d6c126890213afde07b4eb1602 Mon Sep 17 00:00:00 2001 From: Jeff Layton Date: Tue, 20 Nov 2007 23:19:03 +0000 Subject: [CIFS] Fix potential data corruption when writing out cached dirty pages Fix RedHat bug 329431 The idea here is separate "conscious" from "unconscious" flushes. Conscious flushes are those due to a fsync() or close(). Unconscious ones are flushes that occur as a side effect of some other operation or due to memory pressure. Currently, when an error occurs during an unconscious flush (ENOSPC or EIO), we toss out the page and don't preserve that error to report to the user when a conscious flush occurs. If after the unconscious flush, there are no more dirty pages for the inode, the conscious flush will simply return success even though there were previous errors when writing out pages. This can lead to data corruption. The easiest way to reproduce this is to mount up a CIFS share that's very close to being full or where the user is very close to quota. mv a file to the share that's slightly larger than the quota allows. The writes will all succeed (since they go to pagecache). The mv will do a setattr to set the new file's attributes. This calls filemap_write_and_wait, which will return an error since all of the pages can't be written out. Then later, when the flush and release ops occur, there are no more dirty pages in pagecache for the file and those operations return 0. mv then assumes that the file was written out correctly and deletes the original. CIFS already has a write_behind_rc variable where it stores the results from earlier flushes, but that value is only reported in cifs_close. Since the VFS ignores the return value from the release operation, this isn't helpful. We should be reporting this error during the flush operation. This patch does the following: 1) changes cifs_fsync to use filemap_write_and_wait and cifs_flush and also sync to check its return code. If it returns successful, they then check the value of write_behind_rc to see if an earlier flush had reported any errors. If so, they return that error and clear write_behind_rc. 2) sets write_behind_rc in a few other places where pages are written out as a side effect of other operations and the code waits on them. 3) changes cifs_setattr to only call filemap_write_and_wait for ATTR_SIZE changes. 4) makes cifs_writepages accurately distinguish between EIO and ENOSPC errors when writing out pages. Some simple testing indicates that the patch works as expected and that it fixes the reproduceable known problem. Acked-by: Dave Kleikamp Signed-off-by: Jeff Layton Signed-off-by: Steve French --- fs/cifs/README | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) (limited to 'fs/cifs/README') diff --git a/fs/cifs/README b/fs/cifs/README index b806b11b5560..bf11329ac784 100644 --- a/fs/cifs/README +++ b/fs/cifs/README @@ -225,12 +225,9 @@ If no password is provided, mount.cifs will prompt for password entry Restrictions ============ -Servers must support the NTLM SMB dialect (which is the most recent, supported -by Samba and Windows NT version 4, 2000 and XP and many other SMB/CIFS servers) Servers must support either "pure-TCP" (port 445 TCP/IP CIFS connections) or RFC -1001/1002 support for "Netbios-Over-TCP/IP." Neither of these is likely to be a -problem as most servers support this. IPv6 support is planned for the future, -and is almost complete. +1001/1002 support for "Netbios-Over-TCP/IP." This is not likely to be a +problem as most servers support this. Valid filenames differ between Windows and Linux. Windows typically restricts filenames which contain certain reserved characters (e.g.the character : @@ -458,6 +455,8 @@ A partial list of the supported mount options follows: byte range locks). remount remount the share (often used to change from ro to rw mounts or vice versa) + cifsacl Report mode bits (e.g. on stat) based on the Windows ACL for + the file. (EXPERIMENTAL) servern Specify the server 's netbios name (RFC1001 name) to use when attempting to setup a session to the server. This is This is needed for mounting to some older servers (such @@ -584,8 +583,8 @@ Experimental When set to 1 used to enable certain experimental performance enhancement was disabled when signing turned on in case buffer was modified just before it was sent, also this flag will - be used to use the new experimental sessionsetup - code). + be used to use the new experimental directory change + notification code). These experimental features and tracing can be enabled by changing flags in /proc/fs/cifs (after the cifs module has been installed or built into the @@ -608,7 +607,8 @@ the start of smb requests and responses can be enabled via: Two other experimental features are under development. To test these requires enabling CONFIG_CIFS_EXPERIMENTAL - ipv6 enablement + cifsacl support needed to retrieve approximated mode bits based on + the contents on the CIFS ACL. DNOTIFY fcntl: needed for support of directory change notification and perhaps later for file leases) @@ -625,10 +625,7 @@ that they represent all for that share, not just those for which the server returned success. Also note that "cat /proc/fs/cifs/DebugData" will display information about -the active sessions and the shares that are mounted. Note: NTLMv2 enablement -will not work since its implementation is not quite complete yet. Do not alter -the ExtendedSecurity configuration value unless you are doing specific testing. -Enabling extended security works to Windows 2000 Workstations and XP but not to -Windows 2000 server or Samba since it does not usually send "raw NTLMSSP" -(instead it sends NTLMSSP encapsulated in SPNEGO/GSSAPI, which support is not -complete in the CIFS VFS yet). +the active sessions and the shares that are mounted. +Enabling Kerberos (extended security) works when CONFIG_CIFS_EXPERIMENTAL is enabled +but requires a user space helper (from the Samba project). NTLM and NTLMv2 and +LANMAN support do not require this helpr. -- cgit v1.2.1