[8/9] xfs: fuzz every field of every structure

Commit Message

Darrick J. Wong Nov. 5, 2016, 12:18 a.m. UTC

Previously, our XFS fuzzing efforts were limited to using the xfs_db
blocktrash command to scribble garbage all over a block.  This is
pretty easy to discover; it would be far more interesting if we could
fuzz individual fields looking for unhandled corner cases.  Since we
now have an online scrub tool, use it to check for our targeted
corruptions prior to the usual steps of writing to the FS, taking it
offline, repairing, and re-checking.

These tests use the new xfs_db 'fuzz' command to test corner case
handling of every field.  The 'print' command tells us which fields
are available, and the fuzz command can write zeroes or ones to the
field; set the high, middle, or low bit; add or subtract numbers; or
randomize the field.  We loop through all fields and all fuzz verbs to
see if we can trip up the kernel.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
---
 common/fuzzy        |   49 ++++++++++++++++++++++++++++++------
 common/populate     |   10 ++++---
 common/rc           |   15 +++++++++++
 tests/ext4/1300     |   60 ++++++++++++++++++++++++++++++++++++++++++++
 tests/ext4/1300.out |    3 ++
 tests/ext4/group    |    1 +
 tests/xfs/1300      |   62 ++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1300.out  |    3 ++
 tests/xfs/1301      |   62 ++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1301.out  |    4 +++
 tests/xfs/1302      |   62 ++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1302.out  |    4 +++
 tests/xfs/1303      |   62 ++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1303.out  |    4 +++
 tests/xfs/1304      |   62 ++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1304.out  |    4 +++
 tests/xfs/1305      |   62 ++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1305.out  |    4 +++
 tests/xfs/1306      |   62 ++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1306.out  |    4 +++
 tests/xfs/1307      |   62 ++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1307.out  |    4 +++
 tests/xfs/1308      |   62 ++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1308.out  |    4 +++
 tests/xfs/1309      |   63 +++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1309.out  |    4 +++
 tests/xfs/1310      |   63 +++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1310.out  |    4 +++
 tests/xfs/1311      |   63 +++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1311.out  |    4 +++
 tests/xfs/1312      |   64 +++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1312.out  |    4 +++
 tests/xfs/1313      |   67 ++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1313.out  |    5 ++++
 tests/xfs/1314      |   67 ++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1314.out  |    5 ++++
 tests/xfs/1315      |   67 ++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1315.out  |    5 ++++
 tests/xfs/1316      |   69 +++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1316.out  |    5 ++++
 tests/xfs/1317      |   67 ++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1317.out  |    5 ++++
 tests/xfs/1318      |   67 ++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1318.out  |    5 ++++
 tests/xfs/1319      |   67 ++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1319.out  |    5 ++++
 tests/xfs/1320      |   68 ++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1320.out  |    5 ++++
 tests/xfs/1321      |   69 +++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1321.out  |    5 ++++
 tests/xfs/1322      |   69 +++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1322.out  |    5 ++++
 tests/xfs/1323      |   69 +++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1323.out  |    5 ++++
 tests/xfs/1324      |   69 +++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1324.out  |    5 ++++
 tests/xfs/1325      |   67 ++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1325.out  |    5 ++++
 tests/xfs/1326      |   67 ++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1326.out  |    5 ++++
 tests/xfs/1327      |   67 ++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1327.out  |    5 ++++
 tests/xfs/1328      |   67 ++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1328.out  |    5 ++++
 tests/xfs/1329      |   63 +++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1329.out  |    4 +++
 tests/xfs/1330      |   61 +++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/1330.out  |    4 +++
 tests/xfs/group     |   31 +++++++++++++++++++++++
 69 files changed, 2313 insertions(+), 13 deletions(-)
 create mode 100755 tests/ext4/1300
 create mode 100644 tests/ext4/1300.out
 create mode 100755 tests/xfs/1300
 create mode 100644 tests/xfs/1300.out
 create mode 100755 tests/xfs/1301
 create mode 100644 tests/xfs/1301.out
 create mode 100755 tests/xfs/1302
 create mode 100644 tests/xfs/1302.out
 create mode 100755 tests/xfs/1303
 create mode 100644 tests/xfs/1303.out
 create mode 100755 tests/xfs/1304
 create mode 100644 tests/xfs/1304.out
 create mode 100755 tests/xfs/1305
 create mode 100644 tests/xfs/1305.out
 create mode 100755 tests/xfs/1306
 create mode 100644 tests/xfs/1306.out
 create mode 100755 tests/xfs/1307
 create mode 100644 tests/xfs/1307.out
 create mode 100755 tests/xfs/1308
 create mode 100644 tests/xfs/1308.out
 create mode 100755 tests/xfs/1309
 create mode 100644 tests/xfs/1309.out
 create mode 100755 tests/xfs/1310
 create mode 100644 tests/xfs/1310.out
 create mode 100755 tests/xfs/1311
 create mode 100644 tests/xfs/1311.out
 create mode 100755 tests/xfs/1312
 create mode 100644 tests/xfs/1312.out
 create mode 100755 tests/xfs/1313
 create mode 100644 tests/xfs/1313.out
 create mode 100755 tests/xfs/1314
 create mode 100644 tests/xfs/1314.out
 create mode 100755 tests/xfs/1315
 create mode 100644 tests/xfs/1315.out
 create mode 100755 tests/xfs/1316
 create mode 100644 tests/xfs/1316.out
 create mode 100755 tests/xfs/1317
 create mode 100644 tests/xfs/1317.out
 create mode 100755 tests/xfs/1318
 create mode 100644 tests/xfs/1318.out
 create mode 100755 tests/xfs/1319
 create mode 100644 tests/xfs/1319.out
 create mode 100755 tests/xfs/1320
 create mode 100644 tests/xfs/1320.out
 create mode 100755 tests/xfs/1321
 create mode 100644 tests/xfs/1321.out
 create mode 100755 tests/xfs/1322
 create mode 100644 tests/xfs/1322.out
 create mode 100755 tests/xfs/1323
 create mode 100644 tests/xfs/1323.out
 create mode 100755 tests/xfs/1324
 create mode 100644 tests/xfs/1324.out
 create mode 100755 tests/xfs/1325
 create mode 100644 tests/xfs/1325.out
 create mode 100755 tests/xfs/1326
 create mode 100644 tests/xfs/1326.out
 create mode 100755 tests/xfs/1327
 create mode 100644 tests/xfs/1327.out
 create mode 100755 tests/xfs/1328
 create mode 100644 tests/xfs/1328.out
 create mode 100755 tests/xfs/1329
 create mode 100644 tests/xfs/1329.out
 create mode 100755 tests/xfs/1330
 create mode 100644 tests/xfs/1330.out



--
To unsubscribe from this list: send the line "unsubscribe fstests" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Eryu Guan Nov. 9, 2016, 8:09 a.m. UTC | #1

On Fri, Nov 04, 2016 at 05:18:00PM -0700, Darrick J. Wong wrote:
> Previously, our XFS fuzzing efforts were limited to using the xfs_db
> blocktrash command to scribble garbage all over a block.  This is
> pretty easy to discover; it would be far more interesting if we could
> fuzz individual fields looking for unhandled corner cases.  Since we
> now have an online scrub tool, use it to check for our targeted
> corruptions prior to the usual steps of writing to the FS, taking it
> offline, repairing, and re-checking.
> 
> These tests use the new xfs_db 'fuzz' command to test corner case
> handling of every field.  The 'print' command tells us which fields
> are available, and the fuzz command can write zeroes or ones to the
> field; set the high, middle, or low bit; add or subtract numbers; or
> randomize the field.  We loop through all fields and all fuzz verbs to
> see if we can trip up the kernel.
> 
> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>

The first test gave me a kernel crash :) xfs/1300 crashed your kernel
djwong-devel branch. I appended the console log at the end of this mail
if you have interest to see it.

And another xfs/1300 run gave me this failure message:

    +/mnt/testarea/scratch: Kernel lacks GETFSMAP; scrub will be less efficient. (xfs.c line 661)
    +/mnt/testarea/scratch: Kernel cannot help scrub metadata; scrub will be incomplete. (xfs.c line 661)
    +/mnt/testarea/scratch: Kernel cannot help scrub inodes; scrub will be incomplete. (xfs.c line 661)
    +/mnt/testarea/scratch: Kernel cannot help scrub extent map; scrub will be less efficient. (xfs.c line 661)

Is this known issue or something should be filtered out in the test?

And ext4/1300 generated large .out.bad file (51M), containing something
like:

+/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101381632/2469888/4096) ends past end of filesystem at 31457280. (generic.c line 272)
+/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101389824/2478080/4096) starts past end of filesystem at 31457280. (generic.c line 264)
+/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101389824/2478080/4096) ends past end of filesystem at 31457280. (generic.c line 272)
+/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101398016/2486272/4096) starts past end of filesystem at 31457280. (generic.c line 264)
+/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101398016/2486272/4096) ends past end of filesystem at 31457280. (generic.c line 272)
+/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101406208/2494464/4096) starts past end of filesystem at 31457280. (generic.c line 264)
+/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101406208/2494464/4096) ends past end of filesystem at 31457280. (generic.c line 272)
+/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101414400/2502656/4096) starts past end of filesystem at 31457280. (generic.c line 264)
+/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101414400/2502656/4096) ends past end of filesystem at 31457280. (generic.c line 272)

Seems like scrub found something wrong (real problems) and became very
noisy?

More comments inline below.

> ---
>  common/fuzzy        |   49 ++++++++++++++++++++++++++++++------
>  common/populate     |   10 ++++---
>  common/rc           |   15 +++++++++++
>  tests/ext4/1300     |   60 ++++++++++++++++++++++++++++++++++++++++++++
[snip]
> 
> diff --git a/common/fuzzy b/common/fuzzy
> index 6af47f1..dbff744 100644
> --- a/common/fuzzy
> +++ b/common/fuzzy
> @@ -85,32 +85,47 @@ _scratch_scrub() {
>  # Filter the xfs_db print command's field debug information
>  # into field name and type.
>  __filter_xfs_db_print_fields() {
> +	filter="$1"
> +	if [ -z "${filter}" ] || [ "${filter}" = "nofilter" ]; then
> +		filter='^'
> +	fi
>  	grep ' = ' | while read key equals value; do
> -		fuzzkey="$(echo "${key}" | sed -e 's/\([a-zA-Z0-9_]*\)\[\([0-9]*\)-[0-9]*\]/\1[\2]/g')"
> -		if [[ "${value}" == "["* ]]; then
> +		# Filter out any keys with an array index >= 10, and
> +		# collapse any array range ("[1-195]") to the first item.
> +		fuzzkey="$(echo "${key}" | sed -e '/\([a-z]*\)\[\([0-9][0-9]\+\)\].*/d' -e 's/\([a-zA-Z0-9_]*\)\[\([0-9]*\)-[0-9]*\]/\1[\2]/g')"
> +		if [ -z "${fuzzkey}" ]; then
> +			continue
> +		elif [[ "${value}" == "["* ]]; then
>  			echo "${value}" | sed -e 's/^.//g' -e 's/.$//g' -e 's/,/\n/g' | while read subfield; do
>  				echo "${fuzzkey}.${subfield}"
>  			done
>  		else
>  			echo "${fuzzkey}"
>  		fi
> -	done
> +	done | egrep "${filter}"
>  }
>  
>  # Navigate to some part of the filesystem and print the field info.
> +# The first argument is an egrep filter for the fields
> +# The rest of the arguments are xfs_db commands to locate the metadata.
>  _scratch_xfs_list_metadata_fields() {
> +	filter="$1"
> +	shift
>  	if [ -n "${SCRATCH_XFS_LIST_METADATA_FIELDS}" ]; then
> -		echo "${SCRATCH_XFS_LIST_METADATA_FIELDS}" | sed -e 's/ /\n/g'
> +		echo "${SCRATCH_XFS_LIST_METADATA_FIELDS}" | \
> +			sed -e 's/ /\n/g' | __filter_xfs_db_print_fields "${filter}"
>  		return;
>  	fi
>  
>  	(for arg in "$@"; do
>  		echo "${arg}"
>  	done
> -	echo "print") | _scratch_xfs_db | __filter_xfs_db_print_fields
> +	echo "print") | _scratch_xfs_db | __filter_xfs_db_print_fields "${filter}"
>  }
>  
>  # Get a metadata field
> +# The first arg is the field name
> +# The rest of the arguments are xfs_db commands to find the metadata.
>  _scratch_xfs_get_metadata_field() {
>  	key="$1"
>  	shift
> @@ -124,6 +139,9 @@ _scratch_xfs_get_metadata_field() {
>  }
>  
>  # Set a metadata field
> +# The first arg is the field name
> +# The second arg is the new value
> +# The rest of the arguments are xfs_db commands to find the metadata.
>  _scratch_xfs_set_metadata_field() {
>  	key="$1"
>  	value="$2"
> @@ -136,6 +154,9 @@ _scratch_xfs_set_metadata_field() {
>  }
>  
>  # Fuzz a metadata field
> +# The first arg is the field name
> +# The second arg is the xfs_db fuzz verb
> +# The rest of the arguments are xfs_db commands to find the metadata.
>  _scratch_xfs_fuzz_metadata_field() {
>  	key="$1"
>  	value="$2"
> @@ -263,12 +284,24 @@ _scratch_xfs_list_fuzz_verbs() {
>  		sed -e 's/[,.]//g' -e 's/Verbs: //g' -e 's/ /\n/g'
>  }
>  
> -# Fuzz the fields of some piece of metadata
> -_scratch_xfs_fuzz_fields() {
> -	_scratch_xfs_list_metadata_fields "$@" | while read field; do
> +# Fuzz some of the fields of some piece of metadata
> +# The first argument is an egrep filter
> +# The rest of the arguments are xfs_db commands to locate the metadata.
> +_scratch_xfs_fuzz_some_fields() {
> +	filter="$1"
> +	shift
> +	echo "Fields we propose to fuzz: $@"
> +	_scratch_xfs_list_metadata_fields "${filter}" "$@"
> +	_scratch_xfs_list_metadata_fields "${filter}" "$@" | while read field; do
>  		_scratch_xfs_list_fuzz_verbs | while read fuzzverb; do
>  			__scratch_xfs_fuzz_mdrestore
>  			__scratch_xfs_fuzz_field_test "${field}" "${fuzzverb}" "$@"
>  		done
>  	done
>  }
> +
> +# Fuzz all of the fields of some piece of metadata
> +# All arguments are xfs_db commands to locate the metadata.
> +_scratch_xfs_fuzz_fields() {
> +	_scratch_xfs_fuzz_some_fields '' "$@"
> +}

I think all the fuzz update here should be folded to patch 7/9.

> diff --git a/common/populate b/common/populate
> index 15d68fc..7d103f0 100644
> --- a/common/populate
> +++ b/common/populate
> @@ -180,13 +180,13 @@ _scratch_xfs_populate() {
>  	# FMT_EXTENTS with a remote less-than-a-block value
>  	echo "+ attr extents with a remote less-than-a-block value"
>  	touch "${SCRATCH_MNT}/ATTR.FMT_EXTENTS_REMOTE3K"
> -	$XFS_IO_PROG -f -c "pwrite -S 0x43 0 3k" "${SCRATCH_MNT}/attrvalfile" > /dev/null
> +	$XFS_IO_PROG -f -c "pwrite -S 0x43 0 $((blksz - 300))" "${SCRATCH_MNT}/attrvalfile" > /dev/null
>  	attr -q -s user.remotebtreeattrname "${SCRATCH_MNT}/ATTR.FMT_EXTENTS_REMOTE3K" < "${SCRATCH_MNT}/attrvalfile"
>  
>  	# FMT_EXTENTS with a remote block-size value
>  	echo "+ attr extents with a remote one-block value"
>  	touch "${SCRATCH_MNT}/ATTR.FMT_EXTENTS_REMOTE4K"
> -	$XFS_IO_PROG -f -c "pwrite -S 0x44 0 4k" "${SCRATCH_MNT}/attrvalfile" > /dev/null
> +	$XFS_IO_PROG -f -c "pwrite -S 0x44 0 ${blksz}" "${SCRATCH_MNT}/attrvalfile" > /dev/null
>  	attr -q -s user.remotebtreeattrname "${SCRATCH_MNT}/ATTR.FMT_EXTENTS_REMOTE4K" < "${SCRATCH_MNT}/attrvalfile"
>  	rm -rf "${SCRATCH_MNT}/attrvalfile"
>  
> @@ -482,8 +482,8 @@ _scratch_xfs_populate_check() {
>  	__populate_check_xfs_aformat "${btree_attr}" "btree"
>  	__populate_check_xfs_agbtree_height "bno"
>  	__populate_check_xfs_agbtree_height "cnt"
> -	test -n $is_rmapbt && __populate_check_xfs_agbtree_height "rmap"
> -	test -n $is_reflink && __populate_check_xfs_agbtree_height "refcnt"
> +	test $is_rmapbt -ne 0 && __populate_check_xfs_agbtree_height "rmap"
> +	test $is_reflink -ne 0 && __populate_check_xfs_agbtree_height "refcnt"
>  }

And these folded to patch 1/9?

>  
>  # Check data fork format of ext4 file
> @@ -609,7 +609,7 @@ _scratch_populate_cached() {
>  	rm -rf "$(find "${POPULATE_METADUMP}" -mtime +2 2>/dev/null)"
>  
>  	# Throw away cached image if it doesn't match our spec.
> -	meta_descr="FSTYP ${FSTYP} MKFS_OPTIONS ${MKFS_OPTIONS} ARGS $@"
> +	meta_descr="FSTYP ${FSTYP} MKFS_OPTIONS $(_scratch_mkfs_options) ARGS $@"
>  	cmp -s "${POPULATE_METADUMP_DESCR}" <(echo "${meta_descr}") || rm -rf "${POPULATE_METADUMP}"
>  
>  	# Do we have a cached image?

This to patch 6/9?

Because we usually don't introduce something in patch 1 and fix them in
patch 2, I think :)

> diff --git a/common/rc b/common/rc
> index d904582..ec1f5de 100644
> --- a/common/rc
> +++ b/common/rc
> @@ -1870,6 +1870,21 @@ _require_xfs_finobt()
>  	_scratch_unmount
>  }
>  
> +# Do we have a fre
> +_require_scratch_finobt()
> +{
> +	_require_scratch
> +
> +	if [ $FSTYP != "xfs" ]; then
> +		_notrun "finobt not supported by scratch filesystem type: $FSTYP"
> +		return
> +	fi
> +	_scratch_mkfs > /dev/null
> +	_scratch_mount
> +	xfs_info $SCRATCH_MNT | grep -q 'finobt=1' || _notrun "finobt not supported by scratch filesystem type: $FSTYP"
> +	_scratch_unmount
> +}
> +
>  # this test requires xfs sysfs attribute support
>  #
>  _require_xfs_sysfs()
> diff --git a/tests/ext4/1300 b/tests/ext4/1300
> new file mode 100755
> index 0000000..3f8135e
> --- /dev/null
> +++ b/tests/ext4/1300

[all the tests look fine to me, snip]

> --- a/tests/xfs/group
> +++ b/tests/xfs/group
> @@ -333,3 +333,34 @@
>  345 auto quick clone
>  346 auto quick clone
>  347 auto quick clone
> +1300 dangerous_fuzzers scrub

ext4/1300 is "auto quick scrub", I think xfs/1300 should be in auto
group too?

Thanks,
Eryu

P.S. console log of xfs/1300 crash

[165877.766244] BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
[165877.774197] IP: [<ffffffffa0680c13>] xfs_scrub_get_inode+0xc3/0x1c0 [xfs]
[165877.781162] PGD 179c1b067 [165877.783784] PUD 14d994067
PMD 0 [165877.787130]
[165877.788722] Oops: 0000 [#1] SMP
[165877.791951] Modules linked in: dm_delay dm_zero btrfs xor raid6_pq dm_thin_pool dm_persistent_data dm_bio_prison dm_snapshot dm_bufio loop dm_flakey xfs libcrc32c binfmt_misc ip6t_rpfilter ipt_REJECT nf_reject_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack nf_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_mangle ip6table_security ip6table_raw iptable_mangle iptable_security iptable_raw ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter coretemp kvm_intel kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel lrw iTCO_wdt gf128mul glue_helper ipmi_devintf cdc_ether iTCO_vendor_support ablk_helper cryptd usbnet i2c_i801 lpc_ich mii pcspkr i2c_smbus sg i7core_edac mfd_core ipmi_si edac_core ipmi_msghandler shpchp ioatdma dca acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables ext4 jbd2 mbcache sr_mod sd_mod cdrom mgag200 i2c_algo_bit drm_kms_helper
  syscopyarea sysfillrect sysimgblt fb_sys_fops ttm ata_generic pata_acpi drm ata_piix libata crc32c_intel megaraid_sas serio_raw i2c_core bnx2 dm_mirror dm_region_hash dm_log dm_mod [last unloaded: scsi_debug]
[165877.898708] CPU: 5 PID: 26242 Comm: xfs_scrub Tainted: G        W       4.9.0-rc3.djwong+ #16
[165877.907308] Hardware name: IBM System x3550 M3 -[7944OEJ]-/90Y4784     , BIOS -[D6E150CUS-1.11]- 02/08/2011
[165877.917124] task: ffff88017a286a40 task.stack: ffffc9000cca0000
[165877.923126] RIP: 0010:[<ffffffffa0680c13>]  [<ffffffffa0680c13>] xfs_scrub_get_inode+0xc3/0x1c0 [xfs]
[165877.932503] RSP: 0018:ffffc9000cca3ad0  EFLAGS: 00010246
[165877.937898] RAX: 0000000000000000 RBX: fffffffffffffffe RCX: 0000000000000017
[165877.945111] RDX: 0000000000000000 RSI: ffffc9000cca3ce8 RDI: 0000000000001123
[165877.952328] RBP: ffffc9000cca3b20 R08: 0000000000000003 R09: 0000000000000014
[165877.959544] R10: 0000000000000000 R11: 0000000000000000 R12: ffff880278f59680
[165877.966759] R13: ffffc9000cca3ba8 R14: ffffc9000cca3ce8 R15: 0000000000000000
[165877.973976] FS:  00007f3d099f9700(0000) GS:ffff88017bb00000(0000) knlGS:0000000000000000
[165877.982143] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[165877.987969] CR2: 0000000000000038 CR3: 000000016ad2d000 CR4: 00000000000006e0
[165877.995185] Stack:
[165877.997286]  ffff880278f59680 0000000000000000 ffff880220cc5c00 ffff880265190780
[165878.004840]  ffff880101a67800 ffffc9000cca3ba8 ffff880278f59680 ffff88025a9e6000
[165878.012396]  ffffc9000cca3ce8 0000000000000000 ffffc9000cca3b58 ffffffffa0681a61
[165878.019950] Call Trace:
[165878.022551]  [<ffffffffa0681a61>] __xfs_scrub_setup_inode.isra.63+0x81/0x280 [xfs]
[165878.030236]  [<ffffffffa0681c70>] xfs_scrub_setup_inode+0x10/0x20 [xfs]
[165878.036963]  [<ffffffffa068f57f>] xfs_scrub_metadata+0x2ff/0x450 [xfs]
[165878.043607]  [<ffffffffa066aa1d>] xfs_ioc_scrub_metadata+0x4d/0x80 [xfs]
[165878.050424]  [<ffffffffa066d029>] xfs_file_ioctl+0x9c9/0xb10 [xfs]
[165878.056689]  [<ffffffff8110692f>] ? get_futex_key+0x1df/0x360
[165878.062516]  [<ffffffff81106b31>] ? futex_wake+0x81/0x150
[165878.068003]  [<ffffffff812189c6>] do_vfs_ioctl+0x96/0x5b0
[165878.073482]  [<ffffffff81218f59>] SyS_ioctl+0x79/0x90
[165878.078621]  [<ffffffff81003997>] do_syscall_64+0x67/0x180
[165878.084191]  [<ffffffff816a6c2b>] entry_SYSCALL64_slow_path+0x25/0x25
[165878.090714] Code: 8b 14 24 49 8b 75 00 85 c0 41 89 c7 44 0f b6 82 93 00 00 00 44 0f b6 8a 94 00 00 00 0f b6 8a 53 02 00 00 49 8b 55 08 48 8b 7e 08 <4c> 8b 62 38 75 38 48 8b 7d d0 8b 46 10 39 87 98 03 00 00 74 21
[165878.110930] RIP  [<ffffffffa0680c13>] xfs_scrub_get_inode+0xc3/0x1c0 [xfs]
[165878.117938]  RSP <ffffc9000cca3ad0>
[165878.121512] CR2: 0000000000000038
[165878.129219] ---[ end trace d23e56c58f53ccb9 ]---
--
To unsubscribe from this list: send the line "unsubscribe fstests" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Darrick J. Wong Nov. 9, 2016, 8:52 a.m. UTC | #2

On Wed, Nov 09, 2016 at 04:09:24PM +0800, Eryu Guan wrote:
> On Fri, Nov 04, 2016 at 05:18:00PM -0700, Darrick J. Wong wrote:
> > Previously, our XFS fuzzing efforts were limited to using the xfs_db
> > blocktrash command to scribble garbage all over a block.  This is
> > pretty easy to discover; it would be far more interesting if we could
> > fuzz individual fields looking for unhandled corner cases.  Since we
> > now have an online scrub tool, use it to check for our targeted
> > corruptions prior to the usual steps of writing to the FS, taking it
> > offline, repairing, and re-checking.
> > 
> > These tests use the new xfs_db 'fuzz' command to test corner case
> > handling of every field.  The 'print' command tells us which fields
> > are available, and the fuzz command can write zeroes or ones to the
> > field; set the high, middle, or low bit; add or subtract numbers; or
> > randomize the field.  We loop through all fields and all fuzz verbs to
> > see if we can trip up the kernel.
> > 
> > Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
> 
> The first test gave me a kernel crash :) xfs/1300 crashed your kernel
> djwong-devel branch. I appended the console log at the end of this mail
> if you have interest to see it.
> 
> And another xfs/1300 run gave me this failure message:
> 
>     +/mnt/testarea/scratch: Kernel lacks GETFSMAP; scrub will be less efficient. (xfs.c line 661)
>     +/mnt/testarea/scratch: Kernel cannot help scrub metadata; scrub will be incomplete. (xfs.c line 661)
>     +/mnt/testarea/scratch: Kernel cannot help scrub inodes; scrub will be incomplete. (xfs.c line 661)
>     +/mnt/testarea/scratch: Kernel cannot help scrub extent map; scrub will be less efficient. (xfs.c line 661)
> 
> Is this known issue or something should be filtered out in the test?

That's strange, the djwong-devel branch should have getfsmap & scrub in it...

...are you running the djwong-devel kernel and xfsprogs code?  The scrub
ioctl structure has shifted some over the past few months, though GETFSMAP
hasn't changed in ages.

Wait, "another xfs/1300 run" ... so after the first crash, did you go
back to a vanilla kernel without all my crazypatches? :)

> And ext4/1300 generated large .out.bad file (51M), containing something
> like:
> 
> +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101381632/2469888/4096) ends past end of filesystem at 31457280. (generic.c line 272)
> +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101389824/2478080/4096) starts past end of filesystem at 31457280. (generic.c line 264)
> +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101389824/2478080/4096) ends past end of filesystem at 31457280. (generic.c line 272)
> +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101398016/2486272/4096) starts past end of filesystem at 31457280. (generic.c line 264)
> +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101398016/2486272/4096) ends past end of filesystem at 31457280. (generic.c line 272)
> +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101406208/2494464/4096) starts past end of filesystem at 31457280. (generic.c line 264)
> +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101406208/2494464/4096) ends past end of filesystem at 31457280. (generic.c line 272)
> +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101414400/2502656/4096) starts past end of filesystem at 31457280. (generic.c line 264)
> +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101414400/2502656/4096) ends past end of filesystem at 31457280. (generic.c line 272)
> 
> Seems like scrub found something wrong (real problems) and became very
> noisy?

Hmm that's even stranger.  I'll try to reproduce tomorrow.

> More comments inline below.
> 
> > ---
> >  common/fuzzy        |   49 ++++++++++++++++++++++++++++++------
> >  common/populate     |   10 ++++---
> >  common/rc           |   15 +++++++++++
> >  tests/ext4/1300     |   60 ++++++++++++++++++++++++++++++++++++++++++++
> [snip]
> > 
> > diff --git a/common/fuzzy b/common/fuzzy
> > index 6af47f1..dbff744 100644
> > --- a/common/fuzzy
> > +++ b/common/fuzzy
> > @@ -85,32 +85,47 @@ _scratch_scrub() {
> >  # Filter the xfs_db print command's field debug information
> >  # into field name and type.
> >  __filter_xfs_db_print_fields() {
> > +	filter="$1"
> > +	if [ -z "${filter}" ] || [ "${filter}" = "nofilter" ]; then
> > +		filter='^'
> > +	fi
> >  	grep ' = ' | while read key equals value; do
> > -		fuzzkey="$(echo "${key}" | sed -e 's/\([a-zA-Z0-9_]*\)\[\([0-9]*\)-[0-9]*\]/\1[\2]/g')"
> > -		if [[ "${value}" == "["* ]]; then
> > +		# Filter out any keys with an array index >= 10, and
> > +		# collapse any array range ("[1-195]") to the first item.
> > +		fuzzkey="$(echo "${key}" | sed -e '/\([a-z]*\)\[\([0-9][0-9]\+\)\].*/d' -e 's/\([a-zA-Z0-9_]*\)\[\([0-9]*\)-[0-9]*\]/\1[\2]/g')"
> > +		if [ -z "${fuzzkey}" ]; then
> > +			continue
> > +		elif [[ "${value}" == "["* ]]; then
> >  			echo "${value}" | sed -e 's/^.//g' -e 's/.$//g' -e 's/,/\n/g' | while read subfield; do
> >  				echo "${fuzzkey}.${subfield}"
> >  			done
> >  		else
> >  			echo "${fuzzkey}"
> >  		fi
> > -	done
> > +	done | egrep "${filter}"
> >  }
> >  
> >  # Navigate to some part of the filesystem and print the field info.
> > +# The first argument is an egrep filter for the fields
> > +# The rest of the arguments are xfs_db commands to locate the metadata.
> >  _scratch_xfs_list_metadata_fields() {
> > +	filter="$1"
> > +	shift
> >  	if [ -n "${SCRATCH_XFS_LIST_METADATA_FIELDS}" ]; then
> > -		echo "${SCRATCH_XFS_LIST_METADATA_FIELDS}" | sed -e 's/ /\n/g'
> > +		echo "${SCRATCH_XFS_LIST_METADATA_FIELDS}" | \
> > +			sed -e 's/ /\n/g' | __filter_xfs_db_print_fields "${filter}"
> >  		return;
> >  	fi
> >  
> >  	(for arg in "$@"; do
> >  		echo "${arg}"
> >  	done
> > -	echo "print") | _scratch_xfs_db | __filter_xfs_db_print_fields
> > +	echo "print") | _scratch_xfs_db | __filter_xfs_db_print_fields "${filter}"
> >  }
> >  
> >  # Get a metadata field
> > +# The first arg is the field name
> > +# The rest of the arguments are xfs_db commands to find the metadata.
> >  _scratch_xfs_get_metadata_field() {
> >  	key="$1"
> >  	shift
> > @@ -124,6 +139,9 @@ _scratch_xfs_get_metadata_field() {
> >  }
> >  
> >  # Set a metadata field
> > +# The first arg is the field name
> > +# The second arg is the new value
> > +# The rest of the arguments are xfs_db commands to find the metadata.
> >  _scratch_xfs_set_metadata_field() {
> >  	key="$1"
> >  	value="$2"
> > @@ -136,6 +154,9 @@ _scratch_xfs_set_metadata_field() {
> >  }
> >  
> >  # Fuzz a metadata field
> > +# The first arg is the field name
> > +# The second arg is the xfs_db fuzz verb
> > +# The rest of the arguments are xfs_db commands to find the metadata.
> >  _scratch_xfs_fuzz_metadata_field() {
> >  	key="$1"
> >  	value="$2"
> > @@ -263,12 +284,24 @@ _scratch_xfs_list_fuzz_verbs() {
> >  		sed -e 's/[,.]//g' -e 's/Verbs: //g' -e 's/ /\n/g'
> >  }
> >  
> > -# Fuzz the fields of some piece of metadata
> > -_scratch_xfs_fuzz_fields() {
> > -	_scratch_xfs_list_metadata_fields "$@" | while read field; do
> > +# Fuzz some of the fields of some piece of metadata
> > +# The first argument is an egrep filter
> > +# The rest of the arguments are xfs_db commands to locate the metadata.
> > +_scratch_xfs_fuzz_some_fields() {
> > +	filter="$1"
> > +	shift
> > +	echo "Fields we propose to fuzz: $@"
> > +	_scratch_xfs_list_metadata_fields "${filter}" "$@"
> > +	_scratch_xfs_list_metadata_fields "${filter}" "$@" | while read field; do
> >  		_scratch_xfs_list_fuzz_verbs | while read fuzzverb; do
> >  			__scratch_xfs_fuzz_mdrestore
> >  			__scratch_xfs_fuzz_field_test "${field}" "${fuzzverb}" "$@"
> >  		done
> >  	done
> >  }
> > +
> > +# Fuzz all of the fields of some piece of metadata
> > +# All arguments are xfs_db commands to locate the metadata.
> > +_scratch_xfs_fuzz_fields() {
> > +	_scratch_xfs_fuzz_some_fields '' "$@"
> > +}
> 
> I think all the fuzz update here should be folded to patch 7/9.

(I'll look at the patch fixes in a separate reply tomorrow.)

> > diff --git a/common/populate b/common/populate
> > index 15d68fc..7d103f0 100644
> > --- a/common/populate
> > +++ b/common/populate
> > @@ -180,13 +180,13 @@ _scratch_xfs_populate() {
> >  	# FMT_EXTENTS with a remote less-than-a-block value
> >  	echo "+ attr extents with a remote less-than-a-block value"
> >  	touch "${SCRATCH_MNT}/ATTR.FMT_EXTENTS_REMOTE3K"
> > -	$XFS_IO_PROG -f -c "pwrite -S 0x43 0 3k" "${SCRATCH_MNT}/attrvalfile" > /dev/null
> > +	$XFS_IO_PROG -f -c "pwrite -S 0x43 0 $((blksz - 300))" "${SCRATCH_MNT}/attrvalfile" > /dev/null
> >  	attr -q -s user.remotebtreeattrname "${SCRATCH_MNT}/ATTR.FMT_EXTENTS_REMOTE3K" < "${SCRATCH_MNT}/attrvalfile"
> >  
> >  	# FMT_EXTENTS with a remote block-size value
> >  	echo "+ attr extents with a remote one-block value"
> >  	touch "${SCRATCH_MNT}/ATTR.FMT_EXTENTS_REMOTE4K"
> > -	$XFS_IO_PROG -f -c "pwrite -S 0x44 0 4k" "${SCRATCH_MNT}/attrvalfile" > /dev/null
> > +	$XFS_IO_PROG -f -c "pwrite -S 0x44 0 ${blksz}" "${SCRATCH_MNT}/attrvalfile" > /dev/null
> >  	attr -q -s user.remotebtreeattrname "${SCRATCH_MNT}/ATTR.FMT_EXTENTS_REMOTE4K" < "${SCRATCH_MNT}/attrvalfile"
> >  	rm -rf "${SCRATCH_MNT}/attrvalfile"
> >  
> > @@ -482,8 +482,8 @@ _scratch_xfs_populate_check() {
> >  	__populate_check_xfs_aformat "${btree_attr}" "btree"
> >  	__populate_check_xfs_agbtree_height "bno"
> >  	__populate_check_xfs_agbtree_height "cnt"
> > -	test -n $is_rmapbt && __populate_check_xfs_agbtree_height "rmap"
> > -	test -n $is_reflink && __populate_check_xfs_agbtree_height "refcnt"
> > +	test $is_rmapbt -ne 0 && __populate_check_xfs_agbtree_height "rmap"
> > +	test $is_reflink -ne 0 && __populate_check_xfs_agbtree_height "refcnt"
> >  }
> 
> And these folded to patch 1/9?
> 
> >  
> >  # Check data fork format of ext4 file
> > @@ -609,7 +609,7 @@ _scratch_populate_cached() {
> >  	rm -rf "$(find "${POPULATE_METADUMP}" -mtime +2 2>/dev/null)"
> >  
> >  	# Throw away cached image if it doesn't match our spec.
> > -	meta_descr="FSTYP ${FSTYP} MKFS_OPTIONS ${MKFS_OPTIONS} ARGS $@"
> > +	meta_descr="FSTYP ${FSTYP} MKFS_OPTIONS $(_scratch_mkfs_options) ARGS $@"
> >  	cmp -s "${POPULATE_METADUMP_DESCR}" <(echo "${meta_descr}") || rm -rf "${POPULATE_METADUMP}"
> >  
> >  	# Do we have a cached image?
> 
> This to patch 6/9?
> 
> Because we usually don't introduce something in patch 1 and fix them in
> patch 2, I think :)

Generally, yes. :)

> > diff --git a/common/rc b/common/rc
> > index d904582..ec1f5de 100644
> > --- a/common/rc
> > +++ b/common/rc
> > @@ -1870,6 +1870,21 @@ _require_xfs_finobt()
> >  	_scratch_unmount
> >  }
> >  
> > +# Do we have a fre
> > +_require_scratch_finobt()
> > +{
> > +	_require_scratch
> > +
> > +	if [ $FSTYP != "xfs" ]; then
> > +		_notrun "finobt not supported by scratch filesystem type: $FSTYP"
> > +		return
> > +	fi
> > +	_scratch_mkfs > /dev/null
> > +	_scratch_mount
> > +	xfs_info $SCRATCH_MNT | grep -q 'finobt=1' || _notrun "finobt not supported by scratch filesystem type: $FSTYP"
> > +	_scratch_unmount
> > +}
> > +
> >  # this test requires xfs sysfs attribute support
> >  #
> >  _require_xfs_sysfs()
> > diff --git a/tests/ext4/1300 b/tests/ext4/1300
> > new file mode 100755
> > index 0000000..3f8135e
> > --- /dev/null
> > +++ b/tests/ext4/1300
> 
> [all the tests look fine to me, snip]
> 
> > --- a/tests/xfs/group
> > +++ b/tests/xfs/group
> > @@ -333,3 +333,34 @@
> >  345 auto quick clone
> >  346 auto quick clone
> >  347 auto quick clone
> > +1300 dangerous_fuzzers scrub
> 
> ext4/1300 is "auto quick scrub", I think xfs/1300 should be in auto
> group too?
> 
> Thanks,
> Eryu
> 
> P.S. console log of xfs/1300 crash
> 
> [165877.766244] BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
> [165877.774197] IP: [<ffffffffa0680c13>] xfs_scrub_get_inode+0xc3/0x1c0 [xfs]
> [165877.781162] PGD 179c1b067 [165877.783784] PUD 14d994067

Ohhh... I suspect this happens when xfs_scrub_op_ok tries to use sc->tp 
after some error happens, which we can't do because this function is
used in the process of initializing sc.

Gonna go cry in my beer for a day or two or something,

--D

> PMD 0 [165877.787130]
> [165877.788722] Oops: 0000 [#1] SMP
> [165877.791951] Modules linked in: dm_delay dm_zero btrfs xor raid6_pq dm_thin_pool dm_persistent_data dm_bio_prison dm_snapshot dm_bufio loop dm_flakey xfs libcrc32c binfmt_misc ip6t_rpfilter ipt_REJECT nf_reject_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack nf_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_mangle ip6table_security ip6table_raw iptable_mangle iptable_security iptable_raw ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter coretemp kvm_intel kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel lrw iTCO_wdt gf128mul glue_helper ipmi_devintf cdc_ether iTCO_vendor_support ablk_helper cryptd usbnet i2c_i801 lpc_ich mii pcspkr i2c_smbus sg i7core_edac mfd_core ipmi_si edac_core ipmi_msghandler shpchp ioatdma dca acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables ext4 jbd2 mbcache sr_mod sd_mod cdrom mgag200 i2c_algo_bit drm_kms_help
 e!
>  r syscopyarea sysfillrect sysimgblt fb_sys_fops ttm ata_generic pata_acpi drm ata_piix libata crc32c_intel megaraid_sas serio_raw i2c_core bnx2 dm_mirror dm_region_hash dm_log dm_mod [last unloaded: scsi_debug]
> [165877.898708] CPU: 5 PID: 26242 Comm: xfs_scrub Tainted: G        W       4.9.0-rc3.djwong+ #16
> [165877.907308] Hardware name: IBM System x3550 M3 -[7944OEJ]-/90Y4784     , BIOS -[D6E150CUS-1.11]- 02/08/2011
> [165877.917124] task: ffff88017a286a40 task.stack: ffffc9000cca0000
> [165877.923126] RIP: 0010:[<ffffffffa0680c13>]  [<ffffffffa0680c13>] xfs_scrub_get_inode+0xc3/0x1c0 [xfs]
> [165877.932503] RSP: 0018:ffffc9000cca3ad0  EFLAGS: 00010246
> [165877.937898] RAX: 0000000000000000 RBX: fffffffffffffffe RCX: 0000000000000017
> [165877.945111] RDX: 0000000000000000 RSI: ffffc9000cca3ce8 RDI: 0000000000001123
> [165877.952328] RBP: ffffc9000cca3b20 R08: 0000000000000003 R09: 0000000000000014
> [165877.959544] R10: 0000000000000000 R11: 0000000000000000 R12: ffff880278f59680
> [165877.966759] R13: ffffc9000cca3ba8 R14: ffffc9000cca3ce8 R15: 0000000000000000
> [165877.973976] FS:  00007f3d099f9700(0000) GS:ffff88017bb00000(0000) knlGS:0000000000000000
> [165877.982143] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [165877.987969] CR2: 0000000000000038 CR3: 000000016ad2d000 CR4: 00000000000006e0
> [165877.995185] Stack:
> [165877.997286]  ffff880278f59680 0000000000000000 ffff880220cc5c00 ffff880265190780
> [165878.004840]  ffff880101a67800 ffffc9000cca3ba8 ffff880278f59680 ffff88025a9e6000
> [165878.012396]  ffffc9000cca3ce8 0000000000000000 ffffc9000cca3b58 ffffffffa0681a61
> [165878.019950] Call Trace:
> [165878.022551]  [<ffffffffa0681a61>] __xfs_scrub_setup_inode.isra.63+0x81/0x280 [xfs]
> [165878.030236]  [<ffffffffa0681c70>] xfs_scrub_setup_inode+0x10/0x20 [xfs]
> [165878.036963]  [<ffffffffa068f57f>] xfs_scrub_metadata+0x2ff/0x450 [xfs]
> [165878.043607]  [<ffffffffa066aa1d>] xfs_ioc_scrub_metadata+0x4d/0x80 [xfs]
> [165878.050424]  [<ffffffffa066d029>] xfs_file_ioctl+0x9c9/0xb10 [xfs]
> [165878.056689]  [<ffffffff8110692f>] ? get_futex_key+0x1df/0x360
> [165878.062516]  [<ffffffff81106b31>] ? futex_wake+0x81/0x150
> [165878.068003]  [<ffffffff812189c6>] do_vfs_ioctl+0x96/0x5b0
> [165878.073482]  [<ffffffff81218f59>] SyS_ioctl+0x79/0x90
> [165878.078621]  [<ffffffff81003997>] do_syscall_64+0x67/0x180
> [165878.084191]  [<ffffffff816a6c2b>] entry_SYSCALL64_slow_path+0x25/0x25
> [165878.090714] Code: 8b 14 24 49 8b 75 00 85 c0 41 89 c7 44 0f b6 82 93 00 00 00 44 0f b6 8a 94 00 00 00 0f b6 8a 53 02 00 00 49 8b 55 08 48 8b 7e 08 <4c> 8b 62 38 75 38 48 8b 7d d0 8b 46 10 39 87 98 03 00 00 74 21
> [165878.110930] RIP  [<ffffffffa0680c13>] xfs_scrub_get_inode+0xc3/0x1c0 [xfs]
> [165878.117938]  RSP <ffffc9000cca3ad0>
> [165878.121512] CR2: 0000000000000038
> [165878.129219] ---[ end trace d23e56c58f53ccb9 ]---
> --
> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe fstests" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Eryu Guan Nov. 9, 2016, 9:13 a.m. UTC | #3

On Wed, Nov 09, 2016 at 12:52:36AM -0800, Darrick J. Wong wrote:
> On Wed, Nov 09, 2016 at 04:09:24PM +0800, Eryu Guan wrote:
> > On Fri, Nov 04, 2016 at 05:18:00PM -0700, Darrick J. Wong wrote:
> > > Previously, our XFS fuzzing efforts were limited to using the xfs_db
> > > blocktrash command to scribble garbage all over a block.  This is
> > > pretty easy to discover; it would be far more interesting if we could
> > > fuzz individual fields looking for unhandled corner cases.  Since we
> > > now have an online scrub tool, use it to check for our targeted
> > > corruptions prior to the usual steps of writing to the FS, taking it
> > > offline, repairing, and re-checking.
> > > 
> > > These tests use the new xfs_db 'fuzz' command to test corner case
> > > handling of every field.  The 'print' command tells us which fields
> > > are available, and the fuzz command can write zeroes or ones to the
> > > field; set the high, middle, or low bit; add or subtract numbers; or
> > > randomize the field.  We loop through all fields and all fuzz verbs to
> > > see if we can trip up the kernel.
> > > 
> > > Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
> > 
> > The first test gave me a kernel crash :) xfs/1300 crashed your kernel
> > djwong-devel branch. I appended the console log at the end of this mail
> > if you have interest to see it.
> > 
> > And another xfs/1300 run gave me this failure message:
> > 
> >     +/mnt/testarea/scratch: Kernel lacks GETFSMAP; scrub will be less efficient. (xfs.c line 661)
> >     +/mnt/testarea/scratch: Kernel cannot help scrub metadata; scrub will be incomplete. (xfs.c line 661)
> >     +/mnt/testarea/scratch: Kernel cannot help scrub inodes; scrub will be incomplete. (xfs.c line 661)
> >     +/mnt/testarea/scratch: Kernel cannot help scrub extent map; scrub will be less efficient. (xfs.c line 661)
> > 
> > Is this known issue or something should be filtered out in the test?
> 
> That's strange, the djwong-devel branch should have getfsmap & scrub in it...
> 
> ...are you running the djwong-devel kernel and xfsprogs code?  The scrub
> ioctl structure has shifted some over the past few months, though GETFSMAP
> hasn't changed in ages.
> 
> Wait, "another xfs/1300 run" ... so after the first crash, did you go
> back to a vanilla kernel without all my crazypatches? :)

Ahh, you're right! It booted into 4.9-rc4 vanilla kernel, sorry about
that.. But xfs/1300 crashed djwong-devel for the second time in my
second try, seems the crash is reliable reproduced, with reflink
enabled.

> 
> > And ext4/1300 generated large .out.bad file (51M), containing something
> > like:
> > 
> > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101381632/2469888/4096) ends past end of filesystem at 31457280. (generic.c line 272)
> > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101389824/2478080/4096) starts past end of filesystem at 31457280. (generic.c line 264)
> > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101389824/2478080/4096) ends past end of filesystem at 31457280. (generic.c line 272)
> > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101398016/2486272/4096) starts past end of filesystem at 31457280. (generic.c line 264)
> > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101398016/2486272/4096) ends past end of filesystem at 31457280. (generic.c line 272)
> > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101406208/2494464/4096) starts past end of filesystem at 31457280. (generic.c line 264)
> > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101406208/2494464/4096) ends past end of filesystem at 31457280. (generic.c line 272)
> > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101414400/2502656/4096) starts past end of filesystem at 31457280. (generic.c line 264)
> > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101414400/2502656/4096) ends past end of filesystem at 31457280. (generic.c line 272)
> > 
> > Seems like scrub found something wrong (real problems) and became very
> > noisy?
> 
> Hmm that's even stranger.  I'll try to reproduce tomorrow.

So this ext4 noise came from the vanilla kernel too, retested with
djwong-devel kernel & userspace ext4/1300 passed without problems. Sorry
for my noise..

Thanks,
Eryu
--
To unsubscribe from this list: send the line "unsubscribe fstests" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Darrick J. Wong Nov. 9, 2016, 9:25 a.m. UTC | #4

On Wed, Nov 09, 2016 at 05:13:44PM +0800, Eryu Guan wrote:
> On Wed, Nov 09, 2016 at 12:52:36AM -0800, Darrick J. Wong wrote:
> > On Wed, Nov 09, 2016 at 04:09:24PM +0800, Eryu Guan wrote:
> > > On Fri, Nov 04, 2016 at 05:18:00PM -0700, Darrick J. Wong wrote:
> > > > Previously, our XFS fuzzing efforts were limited to using the xfs_db
> > > > blocktrash command to scribble garbage all over a block.  This is
> > > > pretty easy to discover; it would be far more interesting if we could
> > > > fuzz individual fields looking for unhandled corner cases.  Since we
> > > > now have an online scrub tool, use it to check for our targeted
> > > > corruptions prior to the usual steps of writing to the FS, taking it
> > > > offline, repairing, and re-checking.
> > > > 
> > > > These tests use the new xfs_db 'fuzz' command to test corner case
> > > > handling of every field.  The 'print' command tells us which fields
> > > > are available, and the fuzz command can write zeroes or ones to the
> > > > field; set the high, middle, or low bit; add or subtract numbers; or
> > > > randomize the field.  We loop through all fields and all fuzz verbs to
> > > > see if we can trip up the kernel.
> > > > 
> > > > Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
> > > 
> > > The first test gave me a kernel crash :) xfs/1300 crashed your kernel
> > > djwong-devel branch. I appended the console log at the end of this mail
> > > if you have interest to see it.
> > > 
> > > And another xfs/1300 run gave me this failure message:
> > > 
> > >     +/mnt/testarea/scratch: Kernel lacks GETFSMAP; scrub will be less efficient. (xfs.c line 661)
> > >     +/mnt/testarea/scratch: Kernel cannot help scrub metadata; scrub will be incomplete. (xfs.c line 661)
> > >     +/mnt/testarea/scratch: Kernel cannot help scrub inodes; scrub will be incomplete. (xfs.c line 661)
> > >     +/mnt/testarea/scratch: Kernel cannot help scrub extent map; scrub will be less efficient. (xfs.c line 661)
> > > 
> > > Is this known issue or something should be filtered out in the test?
> > 
> > That's strange, the djwong-devel branch should have getfsmap & scrub in it...
> > 
> > ...are you running the djwong-devel kernel and xfsprogs code?  The scrub
> > ioctl structure has shifted some over the past few months, though GETFSMAP
> > hasn't changed in ages.
> > 
> > Wait, "another xfs/1300 run" ... so after the first crash, did you go
> > back to a vanilla kernel without all my crazypatches? :)
> 
> Ahh, you're right! It booted into 4.9-rc4 vanilla kernel, sorry about
> that.. But xfs/1300 crashed djwong-devel for the second time in my
> second try, seems the crash is reliable reproduced, with reflink
> enabled.

I think if you change the XFS_SCRUB_OP_ERROR_GOTO at line 2237 of
xfs_scrub_get_inode() to "if (error) goto out_err;" that ought to clear it up.

> > > And ext4/1300 generated large .out.bad file (51M), containing something
> > > like:
> > > 
> > > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101381632/2469888/4096) ends past end of filesystem at 31457280. (generic.c line 272)
> > > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101389824/2478080/4096) starts past end of filesystem at 31457280. (generic.c line 264)
> > > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101389824/2478080/4096) ends past end of filesystem at 31457280. (generic.c line 272)
> > > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101398016/2486272/4096) starts past end of filesystem at 31457280. (generic.c line 264)
> > > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101398016/2486272/4096) ends past end of filesystem at 31457280. (generic.c line 272)
> > > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101406208/2494464/4096) starts past end of filesystem at 31457280. (generic.c line 264)
> > > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101406208/2494464/4096) ends past end of filesystem at 31457280. (generic.c line 272)
> > > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101414400/2502656/4096) starts past end of filesystem at 31457280. (generic.c line 264)
> > > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101414400/2502656/4096) ends past end of filesystem at 31457280. (generic.c line 272)
> > > 
> > > Seems like scrub found something wrong (real problems) and became very
> > > noisy?
> > 
> > Hmm that's even stranger.  I'll try to reproduce tomorrow.
> 
> So this ext4 noise came from the vanilla kernel too, retested with
> djwong-devel kernel & userspace ext4/1300 passed without problems. Sorry
> for my noise..

But that's even more weird; there haven't been any changes to ext4 that
would explain why this breaks on a vanilla 4.9-rc4 kernel...

--D

> 
> Thanks,
> Eryu
--
To unsubscribe from this list: send the line "unsubscribe fstests" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Eryu Guan Nov. 9, 2016, 10:04 a.m. UTC | #5

On Wed, Nov 09, 2016 at 01:25:23AM -0800, Darrick J. Wong wrote:
> On Wed, Nov 09, 2016 at 05:13:44PM +0800, Eryu Guan wrote:
> > On Wed, Nov 09, 2016 at 12:52:36AM -0800, Darrick J. Wong wrote:
> > > On Wed, Nov 09, 2016 at 04:09:24PM +0800, Eryu Guan wrote:
> > > > On Fri, Nov 04, 2016 at 05:18:00PM -0700, Darrick J. Wong wrote:
> > > > > Previously, our XFS fuzzing efforts were limited to using the xfs_db
> > > > > blocktrash command to scribble garbage all over a block.  This is
> > > > > pretty easy to discover; it would be far more interesting if we could
> > > > > fuzz individual fields looking for unhandled corner cases.  Since we
> > > > > now have an online scrub tool, use it to check for our targeted
> > > > > corruptions prior to the usual steps of writing to the FS, taking it
> > > > > offline, repairing, and re-checking.
> > > > > 
> > > > > These tests use the new xfs_db 'fuzz' command to test corner case
> > > > > handling of every field.  The 'print' command tells us which fields
> > > > > are available, and the fuzz command can write zeroes or ones to the
> > > > > field; set the high, middle, or low bit; add or subtract numbers; or
> > > > > randomize the field.  We loop through all fields and all fuzz verbs to
> > > > > see if we can trip up the kernel.
> > > > > 
> > > > > Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
> > > > 
> > > > The first test gave me a kernel crash :) xfs/1300 crashed your kernel
> > > > djwong-devel branch. I appended the console log at the end of this mail
> > > > if you have interest to see it.
> > > > 
> > > > And another xfs/1300 run gave me this failure message:
> > > > 
> > > >     +/mnt/testarea/scratch: Kernel lacks GETFSMAP; scrub will be less efficient. (xfs.c line 661)
> > > >     +/mnt/testarea/scratch: Kernel cannot help scrub metadata; scrub will be incomplete. (xfs.c line 661)
> > > >     +/mnt/testarea/scratch: Kernel cannot help scrub inodes; scrub will be incomplete. (xfs.c line 661)
> > > >     +/mnt/testarea/scratch: Kernel cannot help scrub extent map; scrub will be less efficient. (xfs.c line 661)
> > > > 
> > > > Is this known issue or something should be filtered out in the test?
> > > 
> > > That's strange, the djwong-devel branch should have getfsmap & scrub in it...
> > > 
> > > ...are you running the djwong-devel kernel and xfsprogs code?  The scrub
> > > ioctl structure has shifted some over the past few months, though GETFSMAP
> > > hasn't changed in ages.
> > > 
> > > Wait, "another xfs/1300 run" ... so after the first crash, did you go
> > > back to a vanilla kernel without all my crazypatches? :)
> > 
> > Ahh, you're right! It booted into 4.9-rc4 vanilla kernel, sorry about
> > that.. But xfs/1300 crashed djwong-devel for the second time in my
> > second try, seems the crash is reliable reproduced, with reflink
> > enabled.
> 
> I think if you change the XFS_SCRUB_OP_ERROR_GOTO at line 2237 of
> xfs_scrub_get_inode() to "if (error) goto out_err;" that ought to clear it up.
> 
> > > > And ext4/1300 generated large .out.bad file (51M), containing something
> > > > like:
> > > > 
> > > > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101381632/2469888/4096) ends past end of filesystem at 31457280. (generic.c line 272)
> > > > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101389824/2478080/4096) starts past end of filesystem at 31457280. (generic.c line 264)
> > > > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101389824/2478080/4096) ends past end of filesystem at 31457280. (generic.c line 272)
> > > > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101398016/2486272/4096) starts past end of filesystem at 31457280. (generic.c line 264)
> > > > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101398016/2486272/4096) ends past end of filesystem at 31457280. (generic.c line 272)
> > > > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101406208/2494464/4096) starts past end of filesystem at 31457280. (generic.c line 264)
> > > > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101406208/2494464/4096) ends past end of filesystem at 31457280. (generic.c line 272)
> > > > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101414400/2502656/4096) starts past end of filesystem at 31457280. (generic.c line 264)
> > > > +/mnt/testarea/scratch/test/68/S_IFREG.FMT_ETREE: extent (1101414400/2502656/4096) ends past end of filesystem at 31457280. (generic.c line 272)
> > > > 
> > > > Seems like scrub found something wrong (real problems) and became very
> > > > noisy?
> > > 
> > > Hmm that's even stranger.  I'll try to reproduce tomorrow.
> > 
> > So this ext4 noise came from the vanilla kernel too, retested with
> > djwong-devel kernel & userspace ext4/1300 passed without problems. Sorry
> > for my noise..
> 
> But that's even more weird; there haven't been any changes to ext4 that
> would explain why this breaks on a vanilla 4.9-rc4 kernel...

Puzzle resolved, I somehow switched back to mainline xfsprogs or some
other wrong xfsprogs version after booted into 4.9-rc4 vanilla kernel.
After updating xfsprogs to djwong-devel, ext4/1300 showed no problem on
4.9-rc4 kernel too.

Sorry again for the mess!

Eryu
--
To unsubscribe from this list: send the line "unsubscribe fstests" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/common/fuzzy b/common/fuzzy
index 6af47f1..dbff744 100644
--- a/common/fuzzy
+++ b/common/fuzzy
@@ -85,32 +85,47 @@  _scratch_scrub() {
 # Filter the xfs_db print command's field debug information
 # into field name and type.
 __filter_xfs_db_print_fields() {
+	filter="$1"
+	if [ -z "${filter}" ] || [ "${filter}" = "nofilter" ]; then
+		filter='^'
+	fi
 	grep ' = ' | while read key equals value; do
-		fuzzkey="$(echo "${key}" | sed -e 's/\([a-zA-Z0-9_]*\)\[\([0-9]*\)-[0-9]*\]/\1[\2]/g')"
-		if [[ "${value}" == "["* ]]; then
+		# Filter out any keys with an array index >= 10, and
+		# collapse any array range ("[1-195]") to the first item.
+		fuzzkey="$(echo "${key}" | sed -e '/\([a-z]*\)\[\([0-9][0-9]\+\)\].*/d' -e 's/\([a-zA-Z0-9_]*\)\[\([0-9]*\)-[0-9]*\]/\1[\2]/g')"
+		if [ -z "${fuzzkey}" ]; then
+			continue
+		elif [[ "${value}" == "["* ]]; then
 			echo "${value}" | sed -e 's/^.//g' -e 's/.$//g' -e 's/,/\n/g' | while read subfield; do
 				echo "${fuzzkey}.${subfield}"
 			done
 		else
 			echo "${fuzzkey}"
 		fi
-	done
+	done | egrep "${filter}"
 }
 
 # Navigate to some part of the filesystem and print the field info.
+# The first argument is an egrep filter for the fields
+# The rest of the arguments are xfs_db commands to locate the metadata.
 _scratch_xfs_list_metadata_fields() {
+	filter="$1"
+	shift
 	if [ -n "${SCRATCH_XFS_LIST_METADATA_FIELDS}" ]; then
-		echo "${SCRATCH_XFS_LIST_METADATA_FIELDS}" | sed -e 's/ /\n/g'
+		echo "${SCRATCH_XFS_LIST_METADATA_FIELDS}" | \
+			sed -e 's/ /\n/g' | __filter_xfs_db_print_fields "${filter}"
 		return;
 	fi
 
 	(for arg in "$@"; do
 		echo "${arg}"
 	done
-	echo "print") | _scratch_xfs_db | __filter_xfs_db_print_fields
+	echo "print") | _scratch_xfs_db | __filter_xfs_db_print_fields "${filter}"
 }
 
 # Get a metadata field
+# The first arg is the field name
+# The rest of the arguments are xfs_db commands to find the metadata.
 _scratch_xfs_get_metadata_field() {
 	key="$1"
 	shift
@@ -124,6 +139,9 @@  _scratch_xfs_get_metadata_field() {
 }
 
 # Set a metadata field
+# The first arg is the field name
+# The second arg is the new value
+# The rest of the arguments are xfs_db commands to find the metadata.
 _scratch_xfs_set_metadata_field() {
 	key="$1"
 	value="$2"
@@ -136,6 +154,9 @@  _scratch_xfs_set_metadata_field() {
 }
 
 # Fuzz a metadata field
+# The first arg is the field name
+# The second arg is the xfs_db fuzz verb
+# The rest of the arguments are xfs_db commands to find the metadata.
 _scratch_xfs_fuzz_metadata_field() {
 	key="$1"
 	value="$2"
@@ -263,12 +284,24 @@  _scratch_xfs_list_fuzz_verbs() {
 		sed -e 's/[,.]//g' -e 's/Verbs: //g' -e 's/ /\n/g'
 }
 
-# Fuzz the fields of some piece of metadata
-_scratch_xfs_fuzz_fields() {
-	_scratch_xfs_list_metadata_fields "$@" | while read field; do
+# Fuzz some of the fields of some piece of metadata
+# The first argument is an egrep filter
+# The rest of the arguments are xfs_db commands to locate the metadata.
+_scratch_xfs_fuzz_some_fields() {
+	filter="$1"
+	shift
+	echo "Fields we propose to fuzz: $@"
+	_scratch_xfs_list_metadata_fields "${filter}" "$@"
+	_scratch_xfs_list_metadata_fields "${filter}" "$@" | while read field; do
 		_scratch_xfs_list_fuzz_verbs | while read fuzzverb; do
 			__scratch_xfs_fuzz_mdrestore
 			__scratch_xfs_fuzz_field_test "${field}" "${fuzzverb}" "$@"
 		done
 	done
 }
+
+# Fuzz all of the fields of some piece of metadata
+# All arguments are xfs_db commands to locate the metadata.
+_scratch_xfs_fuzz_fields() {
+	_scratch_xfs_fuzz_some_fields '' "$@"
+}
diff --git a/common/populate b/common/populate
index 15d68fc..7d103f0 100644
--- a/common/populate
+++ b/common/populate
@@ -180,13 +180,13 @@  _scratch_xfs_populate() {
 	# FMT_EXTENTS with a remote less-than-a-block value
 	echo "+ attr extents with a remote less-than-a-block value"
 	touch "${SCRATCH_MNT}/ATTR.FMT_EXTENTS_REMOTE3K"
-	$XFS_IO_PROG -f -c "pwrite -S 0x43 0 3k" "${SCRATCH_MNT}/attrvalfile" > /dev/null
+	$XFS_IO_PROG -f -c "pwrite -S 0x43 0 $((blksz - 300))" "${SCRATCH_MNT}/attrvalfile" > /dev/null
 	attr -q -s user.remotebtreeattrname "${SCRATCH_MNT}/ATTR.FMT_EXTENTS_REMOTE3K" < "${SCRATCH_MNT}/attrvalfile"
 
 	# FMT_EXTENTS with a remote block-size value
 	echo "+ attr extents with a remote one-block value"
 	touch "${SCRATCH_MNT}/ATTR.FMT_EXTENTS_REMOTE4K"
-	$XFS_IO_PROG -f -c "pwrite -S 0x44 0 4k" "${SCRATCH_MNT}/attrvalfile" > /dev/null
+	$XFS_IO_PROG -f -c "pwrite -S 0x44 0 ${blksz}" "${SCRATCH_MNT}/attrvalfile" > /dev/null
 	attr -q -s user.remotebtreeattrname "${SCRATCH_MNT}/ATTR.FMT_EXTENTS_REMOTE4K" < "${SCRATCH_MNT}/attrvalfile"
 	rm -rf "${SCRATCH_MNT}/attrvalfile"
 
@@ -482,8 +482,8 @@  _scratch_xfs_populate_check() {
 	__populate_check_xfs_aformat "${btree_attr}" "btree"
 	__populate_check_xfs_agbtree_height "bno"
 	__populate_check_xfs_agbtree_height "cnt"
-	test -n $is_rmapbt && __populate_check_xfs_agbtree_height "rmap"
-	test -n $is_reflink && __populate_check_xfs_agbtree_height "refcnt"
+	test $is_rmapbt -ne 0 && __populate_check_xfs_agbtree_height "rmap"
+	test $is_reflink -ne 0 && __populate_check_xfs_agbtree_height "refcnt"
 }
 
 # Check data fork format of ext4 file
@@ -609,7 +609,7 @@  _scratch_populate_cached() {
 	rm -rf "$(find "${POPULATE_METADUMP}" -mtime +2 2>/dev/null)"
 
 	# Throw away cached image if it doesn't match our spec.
-	meta_descr="FSTYP ${FSTYP} MKFS_OPTIONS ${MKFS_OPTIONS} ARGS $@"
+	meta_descr="FSTYP ${FSTYP} MKFS_OPTIONS $(_scratch_mkfs_options) ARGS $@"
 	cmp -s "${POPULATE_METADUMP_DESCR}" <(echo "${meta_descr}") || rm -rf "${POPULATE_METADUMP}"
 
 	# Do we have a cached image?
diff --git a/common/rc b/common/rc
index d904582..ec1f5de 100644
--- a/common/rc
+++ b/common/rc
@@ -1870,6 +1870,21 @@  _require_xfs_finobt()
 	_scratch_unmount
 }
 
+# Do we have a fre
+_require_scratch_finobt()
+{
+	_require_scratch
+
+	if [ $FSTYP != "xfs" ]; then
+		_notrun "finobt not supported by scratch filesystem type: $FSTYP"
+		return
+	fi
+	_scratch_mkfs > /dev/null
+	_scratch_mount
+	xfs_info $SCRATCH_MNT | grep -q 'finobt=1' || _notrun "finobt not supported by scratch filesystem type: $FSTYP"
+	_scratch_unmount
+}
+
 # this test requires xfs sysfs attribute support
 #
 _require_xfs_sysfs()
diff --git a/tests/ext4/1300 b/tests/ext4/1300
new file mode 100755
index 0000000..3f8135e
--- /dev/null
+++ b/tests/ext4/1300
@@ -0,0 +1,60 @@ 
+#! /bin/bash
+# FS QA Test No. 1300
+#
+# Populate a ext4 filesystem and ensure that scrub and repair are happy.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs ext4
+_require_scratch
+_require_scrub
+
+echo "Format and populate"
+_scratch_populate_cached > $seqres.full 2>&1
+
+echo "Scrub"
+_scratch_mount >> $seqres.full 2>&1
+_scratch_scrub >> $seqres.full
+
+# success, all done
+status=0
+exit
diff --git a/tests/ext4/1300.out b/tests/ext4/1300.out
new file mode 100644
index 0000000..8aaa3bb
--- /dev/null
+++ b/tests/ext4/1300.out
@@ -0,0 +1,3 @@ 
+QA output created by 1300
+Format and populate
+Scrub
diff --git a/tests/ext4/group b/tests/ext4/group
index 53fe03e..9fbaa76 100644
--- a/tests/ext4/group
+++ b/tests/ext4/group
@@ -34,3 +34,4 @@ 
 306 auto rw resize quick
 307 auto ioctl rw
 308 auto ioctl rw prealloc quick
+1300 auto quick scrub
diff --git a/tests/xfs/1300 b/tests/xfs/1300
new file mode 100755
index 0000000..68befe0
--- /dev/null
+++ b/tests/xfs/1300
@@ -0,0 +1,62 @@ 
+#! /bin/bash
+# FS QA Test No. 1300
+#
+# Populate a XFS filesystem and ensure that scrub and repair are happy.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+
+_require_scratch
+_require_scrub
+_require_populate_commands
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Scrub"
+_scratch_mount >> $seqres.full 2>&1
+_scratch_scrub >> $seqres.full
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1300.out b/tests/xfs/1300.out
new file mode 100644
index 0000000..8aaa3bb
--- /dev/null
+++ b/tests/xfs/1300.out
@@ -0,0 +1,3 @@ 
+QA output created by 1300
+Format and populate
+Scrub
diff --git a/tests/xfs/1301 b/tests/xfs/1301
new file mode 100755
index 0000000..4e3885c
--- /dev/null
+++ b/tests/xfs/1301
@@ -0,0 +1,62 @@ 
+#! /bin/bash
+# FS QA Test No. 1301
+#
+# Populate a XFS filesystem and fuzz every superblock field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Fields we propose to fuzz: sb 0" >> $seqres.full
+_scratch_xfs_list_metadata_fields 'sb 0' >> $seqres.full
+
+echo "Fuzz superblock"
+_scratch_xfs_fuzz_fields 'sb 0' >> $seqres.full
+echo "Done fuzzing superblock"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1301.out b/tests/xfs/1301.out
new file mode 100644
index 0000000..f804acc
--- /dev/null
+++ b/tests/xfs/1301.out
@@ -0,0 +1,4 @@ 
+QA output created by 1301
+Format and populate
+Fuzz superblock
+Done fuzzing superblock
diff --git a/tests/xfs/1302 b/tests/xfs/1302
new file mode 100755
index 0000000..0f53c47
--- /dev/null
+++ b/tests/xfs/1302
@@ -0,0 +1,62 @@ 
+#! /bin/bash
+# FS QA Test No. 1302
+#
+# Populate a XFS filesystem and fuzz every AGF field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1302  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Fields we propose to fuzz: agf 0" >> $seqres.full
+_scratch_xfs_list_metadata_fields 'agf 0' >> $seqres.full
+
+echo "Fuzz AGF"
+_scratch_xfs_fuzz_fields 'agf 0' >> $seqres.full
+echo "Done fuzzing AGF"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1302.out b/tests/xfs/1302.out
new file mode 100644
index 0000000..1e416d5
--- /dev/null
+++ b/tests/xfs/1302.out
@@ -0,0 +1,4 @@ 
+QA output created by 1302
+Format and populate
+Fuzz AGF
+Done fuzzing AGF
diff --git a/tests/xfs/1303 b/tests/xfs/1303
new file mode 100755
index 0000000..19799c0
--- /dev/null
+++ b/tests/xfs/1303
@@ -0,0 +1,62 @@ 
+#! /bin/bash
+# FS QA Test No. 1303
+#
+# Populate a XFS filesystem and fuzz every AGFL field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Fields we propose to fuzz: agfl 0" >> $seqres.full
+_scratch_xfs_list_metadata_fields 'agfl 0' >> $seqres.full
+
+echo "Fuzz AGFL"
+_scratch_xfs_fuzz_fields 'agfl 0' >> $seqres.full
+echo "Done fuzzing AGFL"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1303.out b/tests/xfs/1303.out
new file mode 100644
index 0000000..ac6c01b
--- /dev/null
+++ b/tests/xfs/1303.out
@@ -0,0 +1,4 @@ 
+QA output created by 1303
+Format and populate
+Fuzz AGFL
+Done fuzzing AGFL
diff --git a/tests/xfs/1304 b/tests/xfs/1304
new file mode 100755
index 0000000..71af7bd
--- /dev/null
+++ b/tests/xfs/1304
@@ -0,0 +1,62 @@ 
+#! /bin/bash
+# FS QA Test No. 1304
+#
+# Populate a XFS filesystem and fuzz every AGI field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Fields we propose to fuzz: agi 0" >> $seqres.full
+_scratch_xfs_list_metadata_fields 'agi 0' >> $seqres.full
+
+echo "Fuzz AGI"
+_scratch_xfs_fuzz_fields 'agi 0' >> $seqres.full
+echo "Done fuzzing AGI"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1304.out b/tests/xfs/1304.out
new file mode 100644
index 0000000..886157b
--- /dev/null
+++ b/tests/xfs/1304.out
@@ -0,0 +1,4 @@ 
+QA output created by 1304
+Format and populate
+Fuzz AGI
+Done fuzzing AGI
diff --git a/tests/xfs/1305 b/tests/xfs/1305
new file mode 100755
index 0000000..a4c7a68
--- /dev/null
+++ b/tests/xfs/1305
@@ -0,0 +1,62 @@ 
+#! /bin/bash
+# FS QA Test No. 1305
+#
+# Populate a XFS filesystem and fuzz every bnobt field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Fields we propose to fuzz: agf 0 addr bnoroot addr ptrs[1]" >> $seqres.full
+_scratch_xfs_list_metadata_fields 'agf 0' 'addr bnoroot' 'addr ptrs[1]' >> $seqres.full
+
+echo "Fuzz bnobt recs"
+_scratch_xfs_fuzz_fields  'agf 0' 'addr bnoroot' 'addr ptrs[1]' >> $seqres.full
+echo "Done fuzzing bnobt recs"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1305.out b/tests/xfs/1305.out
new file mode 100644
index 0000000..b2108f1
--- /dev/null
+++ b/tests/xfs/1305.out
@@ -0,0 +1,4 @@ 
+QA output created by 1305
+Format and populate
+Fuzz bnobt recs
+Done fuzzing bnobt recs
diff --git a/tests/xfs/1306 b/tests/xfs/1306
new file mode 100755
index 0000000..cb8f5e2
--- /dev/null
+++ b/tests/xfs/1306
@@ -0,0 +1,62 @@ 
+#! /bin/bash
+# FS QA Test No. 1306
+#
+# Populate a XFS filesystem and fuzz every bnobt key/pointer.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Fields we propose to fuzz: agf 0 addr bnoroot" >> $seqres.full
+_scratch_xfs_list_metadata_fields 'agf 0' 'addr bnoroot' >> $seqres.full
+
+echo "Fuzz bnobt keyptr"
+_scratch_xfs_fuzz_fields  'agf 0' 'addr bnoroot' >> $seqres.full
+echo "Done fuzzing bnobt keyptr"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1306.out b/tests/xfs/1306.out
new file mode 100644
index 0000000..4b1e0c6
--- /dev/null
+++ b/tests/xfs/1306.out
@@ -0,0 +1,4 @@ 
+QA output created by 1306
+Format and populate
+Fuzz bnobt keyptr
+Done fuzzing bnobt keyptr
diff --git a/tests/xfs/1307 b/tests/xfs/1307
new file mode 100755
index 0000000..b25c338
--- /dev/null
+++ b/tests/xfs/1307
@@ -0,0 +1,62 @@ 
+#! /bin/bash
+# FS QA Test No. 1307
+#
+# Populate a XFS filesystem and fuzz every cntbt field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Fields we propose to fuzz: agf 0 addr cntroot addr ptrs[1]" >> $seqres.full
+_scratch_xfs_list_metadata_fields 'agf 0' 'addr cntroot' 'addr ptrs[1]' >> $seqres.full
+
+echo "Fuzz cntbt"
+_scratch_xfs_fuzz_fields  'agf 0' 'addr cntroot' 'addr ptrs[1]' >> $seqres.full
+echo "Done fuzzing cntbt"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1307.out b/tests/xfs/1307.out
new file mode 100644
index 0000000..a7cedf1
--- /dev/null
+++ b/tests/xfs/1307.out
@@ -0,0 +1,4 @@ 
+QA output created by 1307
+Format and populate
+Fuzz cntbt
+Done fuzzing cntbt
diff --git a/tests/xfs/1308 b/tests/xfs/1308
new file mode 100755
index 0000000..5fae1d1
--- /dev/null
+++ b/tests/xfs/1308
@@ -0,0 +1,62 @@ 
+#! /bin/bash
+# FS QA Test No. 1308
+#
+# Populate a XFS filesystem and fuzz every inobt field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Fields we propose to fuzz: agi 0 addr root" >> $seqres.full
+_scratch_xfs_list_metadata_fields 'agi 0' 'addr root' >> $seqres.full
+
+echo "Fuzz inobt"
+_scratch_xfs_fuzz_fields  'agi 0' 'addr root' >> $seqres.full
+echo "Done fuzzing inobt"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1308.out b/tests/xfs/1308.out
new file mode 100644
index 0000000..cc72bb7
--- /dev/null
+++ b/tests/xfs/1308.out
@@ -0,0 +1,4 @@ 
+QA output created by 1308
+Format and populate
+Fuzz inobt
+Done fuzzing inobt
diff --git a/tests/xfs/1309 b/tests/xfs/1309
new file mode 100755
index 0000000..5aa7992
--- /dev/null
+++ b/tests/xfs/1309
@@ -0,0 +1,63 @@ 
+#! /bin/bash
+# FS QA Test No. 1309
+#
+# Populate a XFS filesystem and fuzz every finobt field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_finobt
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Fields we propose to fuzz: agi 0 addr free_root" >> $seqres.full
+_scratch_xfs_list_metadata_fields 'agi 0' 'addr free_root' >> $seqres.full
+
+echo "Fuzz finobt"
+_scratch_xfs_fuzz_fields  'agi 0' 'addr free_root' >> $seqres.full
+echo "Done fuzzing finobt"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1309.out b/tests/xfs/1309.out
new file mode 100644
index 0000000..b4084ef
--- /dev/null
+++ b/tests/xfs/1309.out
@@ -0,0 +1,4 @@ 
+QA output created by 1309
+Format and populate
+Fuzz finobt
+Done fuzzing finobt
diff --git a/tests/xfs/1310 b/tests/xfs/1310
new file mode 100755
index 0000000..2756778
--- /dev/null
+++ b/tests/xfs/1310
@@ -0,0 +1,63 @@ 
+#! /bin/bash
+# FS QA Test No. 1310
+#
+# Populate a XFS filesystem and fuzz every rmapbt field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_xfs_scratch_rmapbt
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Fields we propose to fuzz: agf 0 addr rmaproot addr ptrs[1]" >> $seqres.full
+_scratch_xfs_list_metadata_fields 'agf 0' 'addr rmaproot' 'addr ptrs[1]' >> $seqres.full
+
+echo "Fuzz rmapbt recs"
+_scratch_xfs_fuzz_fields  'agf 0' 'addr rmaproot' 'addr ptrs[1]' >> $seqres.full
+echo "Done fuzzing rmapbt recs"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1310.out b/tests/xfs/1310.out
new file mode 100644
index 0000000..e784f8b
--- /dev/null
+++ b/tests/xfs/1310.out
@@ -0,0 +1,4 @@ 
+QA output created by 1310
+Format and populate
+Fuzz rmapbt recs
+Done fuzzing rmapbt recs
diff --git a/tests/xfs/1311 b/tests/xfs/1311
new file mode 100755
index 0000000..be9fe54
--- /dev/null
+++ b/tests/xfs/1311
@@ -0,0 +1,63 @@ 
+#! /bin/bash
+# FS QA Test No. 1311
+#
+# Populate a XFS filesystem and fuzz every rmapbt key/pointer field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_xfs_scratch_rmapbt
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Fields we propose to fuzz: agf 0 addr rmaproot" >> $seqres.full
+_scratch_xfs_list_metadata_fields 'agf 0' 'addr rmaproot' >> $seqres.full
+
+echo "Fuzz rmapbt keyptr"
+_scratch_xfs_fuzz_fields  'agf 0' 'addr rmaproot' >> $seqres.full
+echo "Done fuzzing rmapbt keyptr"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1311.out b/tests/xfs/1311.out
new file mode 100644
index 0000000..70150a1
--- /dev/null
+++ b/tests/xfs/1311.out
@@ -0,0 +1,4 @@ 
+QA output created by 1311
+Format and populate
+Fuzz rmapbt keyptr
+Done fuzzing rmapbt keyptr
diff --git a/tests/xfs/1312 b/tests/xfs/1312
new file mode 100755
index 0000000..73ec478
--- /dev/null
+++ b/tests/xfs/1312
@@ -0,0 +1,64 @@ 
+#! /bin/bash
+# FS QA Test No. 1312
+#
+# Populate a XFS filesystem and fuzz every refcountbt field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+. ./common/reflink
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_reflink
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Fields we propose to fuzz: agf 0 addr refcntroot" >> $seqres.full
+_scratch_xfs_list_metadata_fields 'agf 0' 'addr refcntroot' >> $seqres.full
+
+echo "Fuzz refcountbt"
+_scratch_xfs_fuzz_fields  'agf 0' 'addr refcntroot' >> $seqres.full
+echo "Done fuzzing refcountbt"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1312.out b/tests/xfs/1312.out
new file mode 100644
index 0000000..ca40b46
--- /dev/null
+++ b/tests/xfs/1312.out
@@ -0,0 +1,4 @@ 
+QA output created by 1312
+Format and populate
+Fuzz refcountbt
+Done fuzzing refcountbt
diff --git a/tests/xfs/1313 b/tests/xfs/1313
new file mode 100755
index 0000000..13da0b3
--- /dev/null
+++ b/tests/xfs/1313
@@ -0,0 +1,67 @@ 
+#! /bin/bash
+# FS QA Test No. 1313
+#
+# Populate a XFS filesystem and fuzz every btree-format directory inode field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Find btree-format dir inode"
+_scratch_mount
+inum=$(stat -c '%i' $SCRATCH_MNT/S_IFDIR.FMT_BTREE)
+_scratch_unmount
+
+echo "Fields we propose to fuzz: inode ${inum}" >> $seqres.full
+_scratch_xfs_list_metadata_fields "inode ${inum}" >> $seqres.full
+
+echo "Fuzz inode"
+_scratch_xfs_fuzz_fields  "inode ${inum}" >> $seqres.full
+echo "Done fuzzing inode"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1313.out b/tests/xfs/1313.out
new file mode 100644
index 0000000..b087a06
--- /dev/null
+++ b/tests/xfs/1313.out
@@ -0,0 +1,5 @@ 
+QA output created by 1313
+Format and populate
+Find btree-format dir inode
+Fuzz inode
+Done fuzzing inode
diff --git a/tests/xfs/1314 b/tests/xfs/1314
new file mode 100755
index 0000000..a9a552c
--- /dev/null
+++ b/tests/xfs/1314
@@ -0,0 +1,67 @@ 
+#! /bin/bash
+# FS QA Test No. 1314
+#
+# Populate a XFS filesystem and fuzz every extents-format file inode field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Find extents-format file inode"
+_scratch_mount
+inum=$(stat -c '%i' $SCRATCH_MNT/S_IFREG.FMT_EXTENTS)
+_scratch_unmount
+
+echo "Fields we propose to fuzz: inode ${inum}" >> $seqres.full
+_scratch_xfs_list_metadata_fields "inode ${inum}" >> $seqres.full
+
+echo "Fuzz inode"
+_scratch_xfs_fuzz_fields  "inode ${inum}" >> $seqres.full
+echo "Done fuzzing inode"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1314.out b/tests/xfs/1314.out
new file mode 100644
index 0000000..c5c1a3a
--- /dev/null
+++ b/tests/xfs/1314.out
@@ -0,0 +1,5 @@ 
+QA output created by 1314
+Format and populate
+Find extents-format file inode
+Fuzz inode
+Done fuzzing inode
diff --git a/tests/xfs/1315 b/tests/xfs/1315
new file mode 100755
index 0000000..1df5b5a
--- /dev/null
+++ b/tests/xfs/1315
@@ -0,0 +1,67 @@ 
+#! /bin/bash
+# FS QA Test No. 1315
+#
+# Populate a XFS filesystem and fuzz every btree-format file inode field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Find btree-format file inode"
+_scratch_mount
+inum=$(stat -c '%i' $SCRATCH_MNT/S_IFREG.FMT_BTREE)
+_scratch_unmount
+
+echo "Fields we propose to fuzz: inode ${inum}" >> $seqres.full
+_scratch_xfs_list_metadata_fields "inode ${inum}" >> $seqres.full
+
+echo "Fuzz inode"
+_scratch_xfs_fuzz_fields  "inode ${inum}" >> $seqres.full
+echo "Done fuzzing inode"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1315.out b/tests/xfs/1315.out
new file mode 100644
index 0000000..421b645
--- /dev/null
+++ b/tests/xfs/1315.out
@@ -0,0 +1,5 @@ 
+QA output created by 1315
+Format and populate
+Find btree-format file inode
+Fuzz inode
+Done fuzzing inode
diff --git a/tests/xfs/1316 b/tests/xfs/1316
new file mode 100755
index 0000000..564639b
--- /dev/null
+++ b/tests/xfs/1316
@@ -0,0 +1,69 @@ 
+#! /bin/bash
+# FS QA Test No. 1316
+#
+# Populate a XFS filesystem and fuzz every bmbt block field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Find bmbt block"
+_scratch_mount
+inum=$(stat -c '%i' $SCRATCH_MNT/S_IFREG.FMT_BTREE)
+_scratch_unmount
+
+inode_ver=$(_scratch_xfs_get_metadata_field "core.version" "inode ${inum}")
+
+echo "Fields we propose to fuzz: inode ${inum} addr u${inode_ver}.bmbt.ptrs[1]" >> $seqres.full
+_scratch_xfs_list_metadata_fields "inode ${inum}" "addr u${inode_ver}.bmbt.ptrs[1]" >> $seqres.full
+
+echo "Fuzz bmbt"
+_scratch_xfs_fuzz_fields  "inode ${inum}" "addr u${inode_ver}.bmbt.ptrs[1]" >> $seqres.full
+echo "Done fuzzing bmbt"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1316.out b/tests/xfs/1316.out
new file mode 100644
index 0000000..1ae75f6
--- /dev/null
+++ b/tests/xfs/1316.out
@@ -0,0 +1,5 @@ 
+QA output created by 1316
+Format and populate
+Find bmbt block
+Fuzz bmbt
+Done fuzzing bmbt
diff --git a/tests/xfs/1317 b/tests/xfs/1317
new file mode 100755
index 0000000..b8205e9
--- /dev/null
+++ b/tests/xfs/1317
@@ -0,0 +1,67 @@ 
+#! /bin/bash
+# FS QA Test No. 1317
+#
+# Populate a XFS filesystem and fuzz every symlink remote block field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Find symlink remote block"
+_scratch_mount
+inum=$(stat -c '%i' $SCRATCH_MNT/S_IFLNK.FMT_EXTENTS)
+_scratch_unmount
+
+echo "Fields we propose to fuzz: inode ${inum} dblock 0" >> $seqres.full
+_scratch_xfs_list_metadata_fields "inode ${inum}" 'dblock 0' >> $seqres.full
+
+echo "Fuzz symlink remote block"
+_scratch_xfs_fuzz_fields "inode ${inum}" 'dblock 0' >> $seqres.full
+echo "Done fuzzing symlink remote block"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1317.out b/tests/xfs/1317.out
new file mode 100644
index 0000000..92affb2
--- /dev/null
+++ b/tests/xfs/1317.out
@@ -0,0 +1,5 @@ 
+QA output created by 1317
+Format and populate
+Find symlink remote block
+Fuzz symlink remote block
+Done fuzzing symlink remote block
diff --git a/tests/xfs/1318 b/tests/xfs/1318
new file mode 100755
index 0000000..b46f333
--- /dev/null
+++ b/tests/xfs/1318
@@ -0,0 +1,67 @@ 
+#! /bin/bash
+# FS QA Test No. 1318
+#
+# Populate a XFS filesystem and fuzz every inline directory inode field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Find inline-format dir inode"
+_scratch_mount
+inum=$(stat -c '%i' $SCRATCH_MNT/S_IFDIR.FMT_INLINE)
+_scratch_unmount
+
+echo "Fields we propose to fuzz: inode ${inum}" >> $seqres.full
+_scratch_xfs_list_metadata_fields "inode ${inum}" >> $seqres.full
+
+echo "Fuzz inline-format dir inode"
+_scratch_xfs_fuzz_fields  "inode ${inum}" >> $seqres.full
+echo "Done fuzzing inline-format dir inode"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1318.out b/tests/xfs/1318.out
new file mode 100644
index 0000000..c12e336
--- /dev/null
+++ b/tests/xfs/1318.out
@@ -0,0 +1,5 @@ 
+QA output created by 1318
+Format and populate
+Find inline-format dir inode
+Fuzz inline-format dir inode
+Done fuzzing inline-format dir inode
diff --git a/tests/xfs/1319 b/tests/xfs/1319
new file mode 100755
index 0000000..a891248
--- /dev/null
+++ b/tests/xfs/1319
@@ -0,0 +1,67 @@ 
+#! /bin/bash
+# FS QA Test No. 1319
+#
+# Populate a XFS filesystem and fuzz every block-format dir block field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Find data-format dir block"
+_scratch_mount
+inum=$(stat -c '%i' $SCRATCH_MNT/S_IFDIR.FMT_BLOCK)
+_scratch_unmount
+
+echo "Fields we propose to fuzz: inode ${inum} dblock 0" >> $seqres.full
+_scratch_xfs_list_metadata_fields "inode ${inum}" 'dblock 0' >> $seqres.full
+
+echo "Fuzz data-format dir block"
+_scratch_xfs_fuzz_fields  "inode ${inum}" 'dblock 0' >> $seqres.full
+echo "Done fuzzing data-format dir block"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1319.out b/tests/xfs/1319.out
new file mode 100644
index 0000000..72ab82a
--- /dev/null
+++ b/tests/xfs/1319.out
@@ -0,0 +1,5 @@ 
+QA output created by 1319
+Format and populate
+Find data-format dir block
+Fuzz data-format dir block
+Done fuzzing data-format dir block
diff --git a/tests/xfs/1320 b/tests/xfs/1320
new file mode 100755
index 0000000..d2321f8
--- /dev/null
+++ b/tests/xfs/1320
@@ -0,0 +1,68 @@ 
+#! /bin/bash
+# FS QA Test No. 1320
+#
+# Populate a XFS filesystem and fuzz every data-format dir block field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Find data-format dir block"
+_scratch_mount
+inum=$(stat -c '%i' $SCRATCH_MNT/S_IFDIR.FMT_LEAF)
+blk_sz=$(get_block_size $SCRATCH_MNT)
+_scratch_unmount
+
+echo "Fields we propose to fuzz: inode ${inum} dblock 0" >> $seqres.full
+_scratch_xfs_list_metadata_fields "inode ${inum}" "dblock 0" >> $seqres.full
+
+echo "Fuzz data-format dir block"
+_scratch_xfs_fuzz_fields  "inode ${inum}" "dblock 0" >> $seqres.full
+echo "Done fuzzing data-format dir block"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1320.out b/tests/xfs/1320.out
new file mode 100644
index 0000000..409a25b
--- /dev/null
+++ b/tests/xfs/1320.out
@@ -0,0 +1,5 @@ 
+QA output created by 1320
+Format and populate
+Find data-format dir block
+Fuzz data-format dir block
+Done fuzzing data-format dir block
diff --git a/tests/xfs/1321 b/tests/xfs/1321
new file mode 100755
index 0000000..ca5474b
--- /dev/null
+++ b/tests/xfs/1321
@@ -0,0 +1,69 @@ 
+#! /bin/bash
+# FS QA Test No. 1321
+#
+# Populate a XFS filesystem and fuzz every leaf1-format dir block field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Find leaf1-format dir block"
+_scratch_mount
+inum=$(stat -c '%i' $SCRATCH_MNT/S_IFDIR.FMT_LEAF)
+blk_sz=$(get_block_size $SCRATCH_MNT)
+_scratch_unmount
+
+leaf_offset=$(( (2 ** 35) / blk_sz))
+echo "Fields we propose to fuzz: inode ${inum} dblock ${leaf_offset}" >> $seqres.full
+_scratch_xfs_list_metadata_fields "inode ${inum}" "dblock ${leaf_offset}" >> $seqres.full
+
+echo "Fuzz leaf1-format dir block"
+_scratch_xfs_fuzz_fields  "inode ${inum}" "dblock ${leaf_offset}" >> $seqres.full
+echo "Done fuzzing leaf1-format dir block"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1321.out b/tests/xfs/1321.out
new file mode 100644
index 0000000..ef3fa37
--- /dev/null
+++ b/tests/xfs/1321.out
@@ -0,0 +1,5 @@ 
+QA output created by 1321
+Format and populate
+Find leaf1-format dir block
+Fuzz leaf1-format dir block
+Done fuzzing leaf1-format dir block
diff --git a/tests/xfs/1322 b/tests/xfs/1322
new file mode 100755
index 0000000..dff6e67
--- /dev/null
+++ b/tests/xfs/1322
@@ -0,0 +1,69 @@ 
+#! /bin/bash
+# FS QA Test No. 1322
+#
+# Populate a XFS filesystem and fuzz every leafn-format dir block field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Find leafn-format dir block"
+_scratch_mount
+inum=$(stat -c '%i' $SCRATCH_MNT/S_IFDIR.FMT_NODE)
+blk_sz=$(get_block_size $SCRATCH_MNT)
+_scratch_unmount
+
+leaf_offset=$(( ( (2 ** 35) / blk_sz) + 1))
+echo "Fields we propose to fuzz: inode ${inum} dblock ${leaf_offset}" >> $seqres.full
+_scratch_xfs_list_metadata_fields "inode ${inum}" "dblock ${leaf_offset}" >> $seqres.full
+
+echo "Fuzz leafn-format dir block"
+_scratch_xfs_fuzz_fields  "inode ${inum}" "dblock ${leaf_offset}" >> $seqres.full
+echo "Done fuzzing leafn-format dir block"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1322.out b/tests/xfs/1322.out
new file mode 100644
index 0000000..d1e0c7d
--- /dev/null
+++ b/tests/xfs/1322.out
@@ -0,0 +1,5 @@ 
+QA output created by 1322
+Format and populate
+Find leafn-format dir block
+Fuzz leafn-format dir block
+Done fuzzing leafn-format dir block
diff --git a/tests/xfs/1323 b/tests/xfs/1323
new file mode 100755
index 0000000..51a1b0e
--- /dev/null
+++ b/tests/xfs/1323
@@ -0,0 +1,69 @@ 
+#! /bin/bash
+# FS QA Test No. 1323
+#
+# Populate a XFS filesystem and fuzz every node-format dir block field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Find node-format dir block"
+_scratch_mount
+inum=$(stat -c '%i' $SCRATCH_MNT/S_IFDIR.FMT_NODE)
+blk_sz=$(get_block_size $SCRATCH_MNT)
+_scratch_unmount
+
+leaf_offset=$(( (2 ** 35) / blk_sz ))
+echo "Fields we propose to fuzz: inode ${inum} dblock ${leaf_offset}" >> $seqres.full
+_scratch_xfs_list_metadata_fields "inode ${inum}" "dblock ${leaf_offset}" >> $seqres.full
+
+echo "Fuzz node-format dir block"
+_scratch_xfs_fuzz_fields  "inode ${inum}" "dblock ${leaf_offset}" >> $seqres.full
+echo "Done fuzzing node-format dir block"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1323.out b/tests/xfs/1323.out
new file mode 100644
index 0000000..2debc5c
--- /dev/null
+++ b/tests/xfs/1323.out
@@ -0,0 +1,5 @@ 
+QA output created by 1323
+Format and populate
+Find node-format dir block
+Fuzz node-format dir block
+Done fuzzing node-format dir block
diff --git a/tests/xfs/1324 b/tests/xfs/1324
new file mode 100755
index 0000000..f968b6d
--- /dev/null
+++ b/tests/xfs/1324
@@ -0,0 +1,69 @@ 
+#! /bin/bash
+# FS QA Test No. 1324
+#
+# Populate a XFS filesystem and fuzz every freeindex-format dir block field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Find freeindex-format dir block"
+_scratch_mount
+inum=$(stat -c '%i' $SCRATCH_MNT/S_IFDIR.FMT_NODE)
+blk_sz=$(get_block_size $SCRATCH_MNT)
+_scratch_unmount
+
+leaf_offset=$(( (2 ** 36) / blk_sz ))
+echo "Fields we propose to fuzz: inode ${inum} dblock ${leaf_offset}" >> $seqres.full
+_scratch_xfs_list_metadata_fields "inode ${inum}" "dblock ${leaf_offset}" >> $seqres.full
+
+echo "Fuzz freeindex-format dir block"
+_scratch_xfs_fuzz_fields  "inode ${inum}" "dblock ${leaf_offset}" >> $seqres.full
+echo "Done fuzzing freeindex-format dir block"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1324.out b/tests/xfs/1324.out
new file mode 100644
index 0000000..1e373e0
--- /dev/null
+++ b/tests/xfs/1324.out
@@ -0,0 +1,5 @@ 
+QA output created by 1324
+Format and populate
+Find freeindex-format dir block
+Fuzz freeindex-format dir block
+Done fuzzing freeindex-format dir block
diff --git a/tests/xfs/1325 b/tests/xfs/1325
new file mode 100755
index 0000000..239f342
--- /dev/null
+++ b/tests/xfs/1325
@@ -0,0 +1,67 @@ 
+#! /bin/bash
+# FS QA Test No. 1325
+#
+# Populate a XFS filesystem and fuzz every inline attr inode field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Find inline-format attr inode"
+_scratch_mount
+inum=$(stat -c '%i' $SCRATCH_MNT/ATTR.FMT_LOCAL)
+_scratch_unmount
+
+echo "Fields we propose to fuzz: inode ${inum}" >> $seqres.full
+_scratch_xfs_list_metadata_fields "inode ${inum}" >> $seqres.full
+
+echo "Fuzz inline-format attr inode"
+_scratch_xfs_fuzz_fields  "inode ${inum}" >> $seqres.full
+echo "Done fuzzing inline-format attr inode"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1325.out b/tests/xfs/1325.out
new file mode 100644
index 0000000..5259fe8
--- /dev/null
+++ b/tests/xfs/1325.out
@@ -0,0 +1,5 @@ 
+QA output created by 1325
+Format and populate
+Find inline-format attr inode
+Fuzz inline-format attr inode
+Done fuzzing inline-format attr inode
diff --git a/tests/xfs/1326 b/tests/xfs/1326
new file mode 100755
index 0000000..aa6d683
--- /dev/null
+++ b/tests/xfs/1326
@@ -0,0 +1,67 @@ 
+#! /bin/bash
+# FS QA Test No. 1326
+#
+# Populate a XFS filesystem and fuzz every leaf-format attr block field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Find leaf-format attr block"
+_scratch_mount
+inum=$(stat -c '%i' $SCRATCH_MNT/ATTR.FMT_LEAF)
+_scratch_unmount
+
+echo "Fields we propose to fuzz: inode ${inum} ablock 0" >> $seqres.full
+_scratch_xfs_list_metadata_fields "inode ${inum}" 'ablock 0' >> $seqres.full
+
+echo "Fuzz leaf-format attr block"
+_scratch_xfs_fuzz_fields  "inode ${inum}" 'ablock 0' >> $seqres.full
+echo "Done fuzzing leaf-format attr block"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1326.out b/tests/xfs/1326.out
new file mode 100644
index 0000000..d10cdb7
--- /dev/null
+++ b/tests/xfs/1326.out
@@ -0,0 +1,5 @@ 
+QA output created by 1326
+Format and populate
+Find leaf-format attr block
+Fuzz leaf-format attr block
+Done fuzzing leaf-format attr block
diff --git a/tests/xfs/1327 b/tests/xfs/1327
new file mode 100755
index 0000000..923c405
--- /dev/null
+++ b/tests/xfs/1327
@@ -0,0 +1,67 @@ 
+#! /bin/bash
+# FS QA Test No. 1327
+#
+# Populate a XFS filesystem and fuzz every node-format attr block field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Find node-format attr block"
+_scratch_mount
+inum=$(stat -c '%i' $SCRATCH_MNT/ATTR.FMT_NODE)
+_scratch_unmount
+
+echo "Fields we propose to fuzz: inode ${inum} ablock 0" >> $seqres.full
+_scratch_xfs_list_metadata_fields "inode ${inum}" "ablock 0" >> $seqres.full
+
+echo "Fuzz node-format attr block"
+_scratch_xfs_fuzz_fields  "inode ${inum}" "ablock 0" >> $seqres.full
+echo "Done fuzzing node-format attr block"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1327.out b/tests/xfs/1327.out
new file mode 100644
index 0000000..b3a4f1d
--- /dev/null
+++ b/tests/xfs/1327.out
@@ -0,0 +1,5 @@ 
+QA output created by 1327
+Format and populate
+Find node-format attr block
+Fuzz node-format attr block
+Done fuzzing node-format attr block
diff --git a/tests/xfs/1328 b/tests/xfs/1328
new file mode 100755
index 0000000..a4aad22
--- /dev/null
+++ b/tests/xfs/1328
@@ -0,0 +1,67 @@ 
+#! /bin/bash
+# FS QA Test No. 1328
+#
+# Populate a XFS filesystem and fuzz every external attr block field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Find external attr block"
+_scratch_mount
+inum=$(stat -c '%i' $SCRATCH_MNT/ATTR.FMT_EXTENTS_REMOTE3K)
+_scratch_unmount
+
+echo "Fields we propose to fuzz: inode ${inum} ablock 1" >> $seqres.full
+_scratch_xfs_list_metadata_fields "inode ${inum}" "ablock 1" >> $seqres.full
+
+echo "Fuzz external attr block"
+_scratch_xfs_fuzz_fields  "inode ${inum}" "ablock 1" >> $seqres.full
+echo "Done fuzzing external attr block"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1328.out b/tests/xfs/1328.out
new file mode 100644
index 0000000..758f322
--- /dev/null
+++ b/tests/xfs/1328.out
@@ -0,0 +1,5 @@ 
+QA output created by 1328
+Format and populate
+Find external attr block
+Fuzz external attr block
+Done fuzzing external attr block
diff --git a/tests/xfs/1329 b/tests/xfs/1329
new file mode 100755
index 0000000..2e21aeb
--- /dev/null
+++ b/tests/xfs/1329
@@ -0,0 +1,63 @@ 
+#! /bin/bash
+# FS QA Test No. 1329
+#
+# Populate a XFS filesystem and fuzz every rtrmapbt record field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_realtime
+_require_xfs_scratch_rmapbt
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+inode_ver=$(_scratch_xfs_get_metadata_field "core.version" 'sb 0' 'addr rrmapino')
+
+echo "Fuzz rtrmapbt recs"
+_scratch_xfs_fuzz_fields 'sb 0' 'addr rrmapino' "addr u${inode_ver}.rtrmapbt.ptrs[1]" >> $seqres.full
+echo "Done fuzzing rtrmapbt recs"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1329.out b/tests/xfs/1329.out
new file mode 100644
index 0000000..d9d8b89
--- /dev/null
+++ b/tests/xfs/1329.out
@@ -0,0 +1,4 @@ 
+QA output created by 1329
+Format and populate
+Fuzz rtrmapbt recs
+Done fuzzing rtrmapbt recs
diff --git a/tests/xfs/1330 b/tests/xfs/1330
new file mode 100755
index 0000000..3ca44ae
--- /dev/null
+++ b/tests/xfs/1330
@@ -0,0 +1,61 @@ 
+#! /bin/bash
+# FS QA Test No. 1330
+#
+# Populate a XFS filesystem and fuzz every rtrmapbt keyptr field.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2016 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1303  USA
+#-----------------------------------------------------------------------
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 7 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_realtime
+_require_xfs_scratch_rmapbt
+_require_scratch_xfs_fuzz_fields
+
+echo "Format and populate"
+_scratch_populate_cached nofill > $seqres.full 2>&1
+
+echo "Fuzz rtrmapbt keyptrs"
+_scratch_xfs_fuzz_some_fields '(rtrmapbt)' 'sb 0' 'addr rrmapino' >> $seqres.full
+echo "Done fuzzing rtrmapbt keyptrs"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/1330.out b/tests/xfs/1330.out
new file mode 100644
index 0000000..ce16b43
--- /dev/null
+++ b/tests/xfs/1330.out
@@ -0,0 +1,4 @@ 
+QA output created by 1330
+Format and populate
+Fuzz rtrmapbt keyptrs
+Done fuzzing rtrmapbt keyptrs
diff --git a/tests/xfs/group b/tests/xfs/group
index 3296eb9..2cbd3e6 100644
--- a/tests/xfs/group
+++ b/tests/xfs/group
@@ -333,3 +333,34 @@ 
 345 auto quick clone
 346 auto quick clone
 347 auto quick clone
+1300 dangerous_fuzzers scrub
+1301 dangerous_fuzzers scrub
+1302 dangerous_fuzzers scrub
+1303 dangerous_fuzzers scrub
+1304 dangerous_fuzzers scrub
+1305 dangerous_fuzzers scrub
+1306 dangerous_fuzzers scrub
+1307 dangerous_fuzzers scrub
+1308 dangerous_fuzzers scrub
+1309 dangerous_fuzzers scrub
+1310 dangerous_fuzzers scrub
+1311 dangerous_fuzzers scrub
+1312 dangerous_fuzzers scrub
+1313 dangerous_fuzzers scrub
+1314 dangerous_fuzzers scrub
+1315 dangerous_fuzzers scrub
+1316 dangerous_fuzzers scrub
+1317 dangerous_fuzzers scrub
+1318 dangerous_fuzzers scrub
+1319 dangerous_fuzzers scrub
+1320 dangerous_fuzzers scrub
+1321 dangerous_fuzzers scrub
+1322 dangerous_fuzzers scrub
+1323 dangerous_fuzzers scrub
+1324 dangerous_fuzzers scrub
+1325 dangerous_fuzzers scrub
+1326 dangerous_fuzzers scrub
+1327 dangerous_fuzzers scrub
+1328 dangerous_fuzzers scrub
+1329 dangerous_fuzzers scrub
+1330 dangerous_fuzzers scrub