Message ID | 20200717084447.66402-2-houtao1@huawei.com (mailing list archive) |
---|---|
State | New, archived |
Series | add tests for race between xattr read and write |
Hi Tao, On 2020/7/17 16:44, Hou Tao wrote: > Add reproducer for a bug on ubifs where listxattr() copies > the newly created xattr names regardless of the remaining > buffer size, fails the assertion of used buffer size, > and may corrupt buffer memory. > > Signed-off-by: Hou Tao <houtao1@huawei.com> > --- > tests/generic/998 | 64 +++++++++++++++++++++++++++++++++++++++++++ > tests/generic/998.out | 2 ++ > tests/generic/group | 1 + > 3 files changed, 67 insertions(+) > create mode 100644 tests/generic/998 > create mode 100644 tests/generic/998.out > > diff --git a/tests/generic/998 b/tests/generic/998 > new file mode 100644 > index 00000000..b108a969 > --- /dev/null > +++ b/tests/generic/998 
> @@ -0,0 +1,64 @@ > +#! /bin/bash > +# SPDX-License-Identifier: GPL-2.0 > +# Copyright (c) 2020 Huawei. All Rights Reserved. > +# > +# FS QA Test 998 > +# > +# Test race between listxattr() and setxattr(). It reproduces a bug > +# on UBIFS where listxattr() copies the newly created xattr names > +# regardless of the remaining buffer size, fails the assertion of > +# used buffer size, and may corrupt buffer memory. > +# > +seq=`basename $0` > +seqres=$RESULT_DIR/$seq > +echo "QA output created by $seq" > + > +here=`pwd` > +tmp=/tmp/$$ > +status=1 # failure is the default! > +trap "_cleanup; exit \$status" 0 1 2 3 15 > + > +_cleanup() > +{ > + cd / > + rm -f $tmp.* > + rm -f $TEST_DIR/$seq > +} > + > +# get standard environment, filters and checks > +. ./common/rc > +. ./common/attr > + > +# remove previous $seqres.full before test > +rm -f $seqres.full > + > +# real QA test starts here > +_supported_fs generic > +_supported_os Linux > +_require_attrs > + > +target=$TEST_DIR/$seq > +touch $target > + > +# start a background listxattr > +runfile="$tmp.listxattr" > +touch $runfile > +while [ -e $runfile ]; do > + ${GETFATTR_PROG} $target >/dev/null 2>&1 > +done & > + > +# add new xattr continuously > +largename=`for i in $(seq 0 128); do echo -n a; done` > +for i in $(seq 0 99); do > + ${SETFATTR_PROG} -n user.${largename}.$i -v $i $target Now, f2fs just supports storing xattr in one 4KB size xattr block + inline space in inode, so this testcase will always fail with f2fs, would you please consider adjusting parameter to cover f2fs case? Thanks, > +done > + > +rm -f $runfile > +wait > /dev/null 2>&1 > +rm -f $target > + > +echo Silence is golden > + > +# success, all done > +status=0 > +exit > diff --git a/tests/generic/998.out b/tests/generic/998.out > new file mode 100644 > index 00000000..d2679ae0 > --- /dev/null > +++ b/tests/generic/998.out > @@ -0,0 +1,2 @@ > +QA output created by 998 > +Silence is golden 
> diff --git a/tests/generic/group b/tests/generic/group > index d9ab9a31..62697ac5 100644 > --- a/tests/generic/group > +++ b/tests/generic/group > @@ -605,3 +605,4 @@ > 600 auto quick quota > 601 auto quick quota > 602 auto quick encrypt > +998 auto quick attr >
diff --git a/tests/generic/998 b/tests/generic/998 new file mode 100644 index 00000000..b108a969 --- /dev/null +++ b/tests/generic/998 @@ -0,0 +1,64 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright (c) 2020 Huawei. All Rights Reserved. +# +# FS QA Test 998 +# +# Test race between listxattr() and setxattr(). It reproduces a bug +# on UBIFS where listxattr() copies the newly created xattr names +# regardless of the remaining buffer size, fails the assertion of +# used buffer size, and may corrupt buffer memory. +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* + rm -f $TEST_DIR/$seq +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/attr + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_attrs + +target=$TEST_DIR/$seq +touch $target + +# start a background listxattr +runfile="$tmp.listxattr" +touch $runfile +while [ -e $runfile ]; do + ${GETFATTR_PROG} $target >/dev/null 2>&1 +done & + +# add new xattr continuously +largename=`for i in $(seq 0 128); do echo -n a; done` +for i in $(seq 0 99); do + ${SETFATTR_PROG} -n user.${largename}.$i -v $i $target +done + +rm -f $runfile +wait > /dev/null 2>&1 +rm -f $target + +echo Silence is golden + +# success, all done +status=0 +exit diff --git a/tests/generic/998.out b/tests/generic/998.out new file mode 100644 index 00000000..d2679ae0 --- /dev/null +++ b/tests/generic/998.out @@ -0,0 +1,2 @@ +QA output created by 998 +Silence is golden diff --git a/tests/generic/group b/tests/generic/group index d9ab9a31..62697ac5 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -605,3 +605,4 @@ 600 auto quick quota 601 auto quick quota 602 auto quick encrypt +998 auto quick attr
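Review bot: In tests/generic/998, the setxattr loop (`${SETFATTR_PROG} -n user.${largename}.$i -v $i $target`) leaves stdout and stderr unredirected, so any setfattr failure lands in the test output and breaks the comparison against 998.out for a reason unrelated to the listxattr()/setxattr() race. `seq 0 128` yields 129 characters, so each name is about 136 bytes with the `user.` prefix and the `.$i` suffix, and 100 of them come to more than 13 KB of names, which a filesystem with a small per-inode xattr capacity cannot store. Consider sending the setfattr output to $seqres.full, or choosing a name length and count that still grow the list between calls but fit smaller xattr limits, and add a comment stating the intended name length so the 129 is not read as an off-by-one. Separately, `here=`pwd`` is assigned but never used in this script and can be dropped.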
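Review bot: In tests/generic/group, the new entry `998 auto quick attr` puts the test in the default auto run even though the test header says the bug "may corrupt buffer memory" on an affected kernel. Consider whether the entry should also carry the dangerous group until the fix is widely available, so that an unattended auto run on an unfixed kernel does not hit memory corruption unexpectedly.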
Add reproducer for a bug on ubifs where listxattr() copies the newly created xattr names regardless of the remaining buffer size, fails the assertion of used buffer size, and may corrupt buffer memory. Signed-off-by: Hou Tao <houtao1@huawei.com> --- tests/generic/998 | 64 +++++++++++++++++++++++++++++++++++++++++++ tests/generic/998.out | 2 ++ tests/generic/group | 1 + 3 files changed, 67 insertions(+) create mode 100644 tests/generic/998 create mode 100644 tests/generic/998.out