dnode_is_dirty: check dnode and its data for dirtiness

[robn]

Motivation and Context

Closes #15526.

Description

Over its history this the dirty dnode test has been changed between checking for a dnodes being on os_dirty_dnodes (dn_dirty_link) and dn_dirty_record.

de198f2 Fix lseek(SEEK_DATA/SEEK_HOLE) mmap consistency
2531ce3 Revert "Report holes when there are only metadata changes"
ec4f9b8 Report holes when there are only metadata changes
454365b Fix dirty check in dmu_offset_next()
66aca24 SEEK_HOLE should not block on txg_wait_synced()

Also illumos/illumos-gate@c543ec060d illumos/illumos-gate@2bcf0248e9

It turns out both are actually required.

In the case of appending data to a newly created file, the dnode proper is dirtied (at least to change the blocksize) and dirty records are added. Thus, a single logical operation is represented by separate dirty indicators, and must not be separated.

The incorrect dirty check becomes a problem when the first block of a file is being appended to while another process is calling lseek to skip holes. It can happen that the dnode part is undirtied, while dirty records are still on the dnode for the next txg. In this case, lseek(fd, 0, SEEK_DATA) would not know that the file is dirty, and would go to dnode_next_offset(). Since the object has no data blocks yet, it returns ESRCH, indicating no data found, which results in ENXIO being returned to lseek()'s caller.

Since coreutils 9.2, cp performs sparse copies by default, that is, it uses SEEK_DATA and SEEK_HOLE against the source file and attempts to replicate the holes in the target. When it hits the bug, its initial search for data fails, and it goes on to call fallocate() to create a hole over the entire destination file.

This has come up more recently as users upgrade their systems, getting OpenZFS 2.2 as well as a newer coreutils. However, this problem has been reproduced against 2.1, as well as on FreeBSD 13 and 14.

This change simply updates the dirty check to check both types of dirty. If there's anything dirty at all, we immediately go to the "wait for sync" stage, It doesn't really matter after that; both changes are on disk, so the dirty fields should be correct.

How Has This Been Tested?

@tonyhutter produced a repro script in #15526 which has been extremely useful. Its not perfect, but it can usually trip the issue in a couple of minutes. With the patch in place, no one has been able to trigger the issue. @rincebrain has been driving it reasonably hard (I think), no hits.

Full test suite run has passed.

I've done some general sanity and stress tests on customer workloads. They don't exercise the bug, but they all did fine, so this maybe hasn't broken anything.

I'd like to write a test for this case, since its bitten a few times in the past, but it requires lseek() to be called after the dnode proper being undirtied but before the dbufs are undirtied. I don't have that kind of control from outside. Ideas welcome.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Breaking change (fix or feature that would cause existing functionality to change)
• Library ABI change (libzfs, libzfs_core, libnvpair, libuutil and libzfsbootenv)
• Documentation (a change to man pages or other documentation)

Checklist:

• My code follows the OpenZFS code style requirements.
• I have updated the documentation accordingly.
• I have read the contributing document.
• I have added tests to cover my changes.
• I have run the ZFS Test Suite with this change applied.
• All commit messages are properly formatted and contain Signed-off-by.

[rincebrain]

Even if it isn't a complete fix, and it seems to work well as that for me, it seems like a pretty safe change given how we kept bouncing between "if A" or "if B" for this check historically.

[KungFuJesus]

Any chance this PR and your other one can make it into freebsd 14 release after it gets merged? I think it ought to given that it's a critical fix. @mmatuska ?

[emaste]

Follow FreeBSD PR 275308 for details about FreeBSD EN updates.

[Bronek]

Since I was able to reproduce the original bug in #15526 , I took on testing this bugfix - so far it is looking promising. No bug seen (where I was able to see it before) on my test VM. Going to try it on bare metal soon.

[Bronek]

Since I was able to reproduce the original bug in #15526 , I took on testing this bugfix - so far it is looking promising. No bug seen (where I was able to see it before) on my test VM. Going to try it on bare metal soon.

Tested on bare metal, on a relatively large machine where I could reproduce it previously, did not see the bug manifest after I have applied this patch.

[admnd]

Two different Gentoo Linux systems running a patched ZFS (with this commit): they are no longer being able to reproduce the corruption after 4-5 dozens of attempts done with reproducer.sh while the issue was triggering fairly easily after 3-4 runs in a row before. Good job!

[grahamperrin]

CVE-2023-49298

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49298 includes references to:

• this PR
• some copied files are corrupted (chunks replaced by zeros) #15526
• https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275308

---

Re: #15571 (comment)

Follow FreeBSD PR 275308 for details about FreeBSD EN updates.

@emaste for what it's worth, from the current description of CVE-2023-49298 I lean towards treating it as parallel to 275308; not requiring a FreeBSD security advisory (SA).

For you and your secteam@ colleagues to assess. Thanks.

[robn]

For whatever its worth, I have no idea who posted the CVE or why. The scenario described really just sounds like the author hasn't really understood the detail.

[KungFuJesus]

Yeah it's not exactly an attack vector that could be controlled, you'd need an application with permission to modify the file to begin with.

Also both bug fixes need to land in 14, security vulnerability or not. Hopefully an SA is not required for a revised .0 release.

[no-usernames-left]

CVE-2023-49298

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49298

This CVE says:

NOTE: this issue is not always security related, but can be security related in realistic situations.

@grahamperrin @emaste Security is not just confidentiality, but also integrity and availability. Data corruption is therefore, absolutely and unquestionably, a security issue.

[grahamperrin]

@KungFuJesus please follow report 275308.

---

For all readers: #15571 (comment) was solely for awareness. I have no idea who made the original report (I discovered it today, through conversation in Matrix).

Re: the CVE, I respectfully suggest discussion elsewhere (Matrix, maybe); so that discussion here can remain focused on the PR.

Thanks

[admnd]

@grahamperrin worse, the information is misleading (unless I am missing something). Quoting:

OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes

This is simply not true, the corruption issue being spotted on older versions as well.

[thesamesam]

I think if someone really wants to give constructive feedback, they should focus on ideas for test cases.

[samy-mahmoudi]

Just to clarify, beyond the minor suggestions for changes in wording, the intention behind my proposal is to make the comment as intelligible/readable as possible.

Especially since it seems that this part of the code has been critically misunderstood (resp. prone to errors) in the past.

[robn]

(re-pushed with updated author/signoff/sponsorship)

[admnd]

(re-pushed with updated author/signoff/sponsorship)

@robn is this one ready for testing or do need you review/push some other changes before?

[robn]

@admnd its the same patch that we've all been banging on for the last few days. The updates here are just housekeeping. Not that I mind more testing :)