From patchwork Thu Oct 12 11:36:27 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Brian Foster X-Patchwork-Id: 10001685 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 7211D60325 for ; Thu, 12 Oct 2017 11:36:30 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 63E0528D2F for ; Thu, 12 Oct 2017 11:36:30 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 588BC28D7E; Thu, 12 Oct 2017 11:36:30 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B732528D2F for ; Thu, 12 Oct 2017 11:36:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752138AbdJLLg3 (ORCPT ); Thu, 12 Oct 2017 07:36:29 -0400 Received: from mx1.redhat.com ([209.132.183.28]:47574 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751492AbdJLLg2 (ORCPT ); Thu, 12 Oct 2017 07:36:28 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 79B457F403; Thu, 12 Oct 2017 11:36:28 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 79B457F403 Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=bfoster@redhat.com Received: from bfoster.bfoster (dhcp-41-20.bos.redhat.com [10.18.41.20]) by smtp.corp.redhat.com (Postfix) with ESMTP id 43EC151C73; Thu, 12 Oct 2017 11:36:28 +0000 (UTC) Received: by bfoster.bfoster (Postfix, from userid 1000) id 2F9ED1213A7; Thu, 12 Oct 2017 07:36:27 -0400 (EDT) From: Brian Foster To: fstests@vger.kernel.org Cc: linux-xfs@vger.kernel.org Subject: [PATCH] tests/xfs: test for NULL xattr buffer problem during unlink Date: Thu, 12 Oct 2017 07:36:27 -0400 Message-Id: <20171012113627.39452-1-bfoster@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Thu, 12 Oct 2017 11:36:28 +0000 (UTC) Sender: fstests-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: fstests@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP XFS had a bug that resulted in an unexpected NULL buffer during unlink of an inode with a multi-level attr fork tree. This occurred due to a stale reference to content in a released/reclaimed buffer. Use the XFS buffer LRU reference count error injection tag to recreate the conditions for the bug. Create a file with a multi-level attr fork tree and then unlink it with buffer caching disabled. Signed-off-by: Brian Foster Reviewed-by: Darrick J. Wong --- Note that this test depends on a pending[1] XFS error injection tag. Brian [1] https://marc.info/?l=linux-xfs&m=150765408521029&w=2 tests/xfs/999 | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ tests/xfs/999.out | 2 ++ tests/xfs/group | 1 + 3 files changed, 90 insertions(+) create mode 100755 tests/xfs/999 create mode 100644 tests/xfs/999.out diff --git a/tests/xfs/999 b/tests/xfs/999 new file mode 100755 index 0000000..261b83f --- /dev/null +++ b/tests/xfs/999 @@ -0,0 +1,87 @@ +#! /bin/bash +# FS QA Test 999 +# +# Regression test for an XFS NULL xattr buffer problem during unlink. XFS had a +# bug where the attr fork walk during file removal could go off the rails due to +# a stale reference to content of a released buffer. Memory pressure could cause +# this reference to point to free or reused memory and cause subsequent +# attribute fork lookups to fail, return a NULL buffer and possibly crash. +# +# This test emulates this behavior using an error injection knob to explicitly +# disable buffer LRU caching. This forces the attr walk to execute under +# conditions where each buffer is immediately freed on release. +# +#----------------------------------------------------------------------- +# Copyright (c) 2017 Red Hat, Inc. All Rights Reserved. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +#----------------------------------------------------------------------- +# + +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/attr +. ./common/inject + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here + +# Modify as appropriate. +_supported_fs generic +_supported_os Linux +_require_xfs_io_error_injection buf_lru_ref +_require_scratch +_require_attrs + +_scratch_mkfs > $seqres.full 2>&1 +_scratch_mount || _fail "mount failure" + +file=$SCRATCH_MNT/testfile + +# create a bunch of xattrs to form a multi-level attr tree +touch $file +for i in $(seq 0 499); do + $SETFATTR_PROG -n trusted.user.$i -v 0 $file +done + +# cycle the mount to clear any buffer references +_scratch_cycle_mount || _fail "cycle mount failure" + +# disable the lru cache and unlink the file +_scratch_inject_error buf_lru_ref 1 +rm -f $file +_scratch_inject_error buf_lru_ref 0 + +echo Silence is golden + +# success, all done +status=0 +exit diff --git a/tests/xfs/999.out b/tests/xfs/999.out new file mode 100644 index 0000000..3b276ca --- /dev/null +++ b/tests/xfs/999.out @@ -0,0 +1,2 @@ +QA output created by 999 +Silence is golden diff --git a/tests/xfs/group b/tests/xfs/group index 25bb8b3..f0c15f7 100644 --- a/tests/xfs/group +++ b/tests/xfs/group @@ -430,3 +430,4 @@ 430 dangerous_fuzzers dangerous_scrub dangerous_online_repair 431 auto quick dangerous 432 auto quick dir metadata +999 auto quick attr