From patchwork Sat Oct 18 16:06:33 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dmitry Monakhov <dmonakhov@openvz.org>
X-Patchwork-Id: 5100101
Return-Path: <fstests-owner@kernel.org>
X-Original-To: patchwork-fstests@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id E12679F38C
	for <patchwork-fstests@patchwork.kernel.org>;
	Sat, 18 Oct 2014 16:06:44 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id B5F0B200D0
	for <patchwork-fstests@patchwork.kernel.org>;
	Sat, 18 Oct 2014 16:06:43 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 7F61920172
	for <patchwork-fstests@patchwork.kernel.org>;
	Sat, 18 Oct 2014 16:06:42 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751186AbaJRQGm (ORCPT
	<rfc822;patchwork-fstests@patchwork.kernel.org>);
	Sat, 18 Oct 2014 12:06:42 -0400
Received: from mailhub.sw.ru ([195.214.232.25]:24458 "EHLO relay.sw.ru"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751335AbaJRQGl (ORCPT <rfc822;fstests@vger.kernel.org>);
	Sat, 18 Oct 2014 12:06:41 -0400
Received: from mct2.qa.sw.ru ([10.29.1.63])
	by relay.sw.ru (8.13.4/8.13.4) with ESMTP id s9IG6Y7R026193;
	Sat, 18 Oct 2014 20:06:36 +0400 (MSK)
From: Dmitry Monakhov <dmonakhov@openvz.org>
To: fstests@vger.kernel.org
Cc: Dmitry Monakhov <dmonakhov@openvz.org>
Subject: [PATCH 2/2] add aio/dio regression test race between write and
	fcntl V4
Date: Sat, 18 Oct 2014 20:06:33 +0400
Message-Id: <1413648393-17845-2-git-send-email-dmonakhov@openvz.org>
X-Mailer: git-send-email 1.9.3
In-Reply-To: <1413648393-17845-1-git-send-email-dmonakhov@openvz.org>
References: <1413648393-17845-1-git-send-email-dmonakhov@openvz.org>
Sender: fstests-owner@vger.kernel.org
Precedence: bulk
List-ID: <fstests.vger.kernel.org>
X-Mailing-List: fstests@vger.kernel.org
X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Original report: https://lkml.org/lkml/2014/10/8/545
perform AIO-DIO and fcntl(F_SETFL) concurently
Unaligned AIO likely result in synchronization which makes racewindow wider.

changes from v3
   rebase to current xfstests HEAD
changes from v2->v3
 - Copyright fixes according to Dave's comments
changes from v1->v2
 - Properly reuse aio context

Reviewed-by: Eryu Guan <eguan@redhat.com>
Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
---
 src/aio-dio-regress/aio-dio-fcntl-race.c |  149 ++++++++++++++++++++++++++++++
 tests/generic/036                        |   50 ++++++++++
 tests/generic/036.out                    |    2 +
 tests/generic/group                      |    1 +
 4 files changed, 202 insertions(+), 0 deletions(-)
 create mode 100644 src/aio-dio-regress/aio-dio-fcntl-race.c
 create mode 100755 tests/generic/036
 create mode 100644 tests/generic/036.out

diff --git a/src/aio-dio-regress/aio-dio-fcntl-race.c b/src/aio-dio-regress/aio-dio-fcntl-race.c
new file mode 100644
index 0000000..e9125c3
--- /dev/null
+++ b/src/aio-dio-regress/aio-dio-fcntl-race.c
@@ -0,0 +1,149 @@
+/*
+ * Perform aio writes to file and toggle O_DIRECT flag concurrently
+ * this may trigger race between file->f_flags read and modification
+ * unuligned aio allow to makes race window wider.
+ * Regression test for https://lkml.org/lkml/2014/10/8/545 CVE-2014-8086
+ * Patch proposed: http://www.spinics.net/lists/linux-ext4/msg45683.html
+ *
+ * Copyright (c) 2014 Dmitry Monakhov.  All Rights Reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+ */
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <libaio.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#define BUF_SIZE	512
+#define LOOP_SECONDS 10
+
+
+static int do_aio_loop(int fd, void *buf)
+{
+	int err, ret;
+	struct io_context *ctx = NULL;
+	struct io_event ev;
+	struct iocb iocb, *iocbs[] = { &iocb };
+	struct timeval start, now, delta = { 0, 0 };
+
+	ret = 0;
+	err = io_setup(1, &ctx);
+	if (err) {
+		fprintf(stderr, "error %s during %s\n",
+			strerror(-err), "io_setup" );
+		return 1;
+	}
+	while (1) {
+		io_prep_pwrite(&iocb, fd, buf, BUF_SIZE, BUF_SIZE);
+		err = io_submit(ctx, 1, iocbs);
+		if (err != 1) {
+			fprintf(stderr, "error %s during %s\n",
+				strerror(-err),
+				"io_submit");
+			ret = 1;
+			break;
+		}
+		err = io_getevents(ctx, 1, 1, &ev, NULL);
+		if (err != 1) {
+			fprintf(stderr, "error %s during %s\n",
+				strerror(-err),
+				"io_getevents");
+			ret = 1;
+			break;
+		}
+		gettimeofday(&now, NULL);
+		timersub(&now, &start, &delta);
+		if (delta.tv_sec >= LOOP_SECONDS)
+			break;
+	}
+	io_destroy(ctx);
+	return ret;
+}
+
+int main(int argc, char **argv)
+{
+	int flags, fd;
+	int pid1, pid2 = 0;
+	int ret1, ret = 0;
+
+	if (argc != 2){
+		printf("Usage %s fname\n", argv[0]);
+		return 1;
+	}
+	fd = open(argv[1], O_CREAT | O_TRUNC | O_RDWR, 0600);
+	if (fd < 0)
+		return 1;
+
+	pid1 = fork();
+	if (pid1 < 0)
+		return 1;
+
+	if (pid1 == 0) {
+		struct timeval start, now, delta = { 0, 0 };
+
+		gettimeofday(&start, NULL);
+
+		/* child: toggle O_DIRECT*/
+		flags = fcntl(fd, F_GETFL);
+		while (1) {
+			ret = fcntl(fd, F_SETFL, flags | O_DIRECT);
+			if (ret)
+				return ret;
+			ret = fcntl(fd, F_SETFL, flags);
+			if (ret)
+				return ret;
+
+			gettimeofday(&now, NULL);
+			timersub(&now, &start, &delta);
+			if (delta.tv_sec >= LOOP_SECONDS)
+				break;
+		}
+	} else {
+		/* parent: AIO */
+		void *buf;
+		posix_memalign(&buf, BUF_SIZE, BUF_SIZE);
+		/* Two tasks which performs unaligned aio will be serialized
+		   which maks race window wider */
+		pid2 = fork();
+		if (pid2 < 0)
+			goto out;
+		else if (pid2 > 0)
+			printf("All tasks are spawned\n");
+
+		ret = do_aio_loop(fd, buf);
+	}
+out:
+	/* Parent wait for all others */
+	if (pid2 > 0){
+		waitpid(pid1, &ret1, 0);
+		if (!ret)
+			ret = ret1;
+		waitpid(pid2, &ret1, 0);
+	} else {
+		waitpid(pid1, &ret1, 0);
+	}
+	if (!ret)
+		ret = ret1;
+
+	return ret;
+}
diff --git a/tests/generic/036 b/tests/generic/036
new file mode 100755
index 0000000..d8cf20d
--- /dev/null
+++ b/tests/generic/036
@@ -0,0 +1,50 @@
+#! /bin/bash
+# FS QA Test No. 036
+#
+# Run aio-dio-fcntl-race - test aio write race with O_DIRECT toggle
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2014 Dmitry Monakhov.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#-----------------------------------------------------------------------
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+    cd /
+    rm -f $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+
+# real QA test starts here
+
+_supported_fs generic
+_supported_os Linux
+_require_test
+
+_run_aiodio aio-dio-fcntl-race
+
+exit $status
diff --git a/tests/generic/036.out b/tests/generic/036.out
new file mode 100644
index 0000000..59719d6
--- /dev/null
+++ b/tests/generic/036.out
@@ -0,0 +1,2 @@
+QA output created by 036
+All tasks are spawned
diff --git a/tests/generic/group b/tests/generic/group
index 9c82a6f..d6629a8 100644
--- a/tests/generic/group
+++ b/tests/generic/group
@@ -38,6 +38,7 @@
 033 auto quick rw
 034 auto quick metadata log
 035 auto quick
+036 auto aio rw stress
 053 acl repair auto quick
 062 attr udf auto quick
 068 other auto freeze dangerous stress