Message ID | 20200822114132.61227-1-houtao1@huawei.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | [v2,1/2] generic: add test for race between listxattr and setxatr | expand |
On Sat, Aug 22, 2020 at 07:41:32PM +0800, Hou Tao wrote: > Add reproducer for a bug on ubifs where listxattr() copies > the newly created xattr names regardless of the remaining > buffer size, fails the assertion of used buffer size, > and may corrupt buffer memory. > > Signed-off-by: Hou Tao <houtao1@huawei.com> > --- > v2: accommodate f2fs by reducing the number of created xattrs for f2fs Thanks for the test and revision! Is there a fix available for the ubifs bug? If so would you please mention the kernel commit ID in commit log as well? Chao, would you please help check the update regarding to f2fs? Thanks! Eryu > > tests/generic/998 | 67 +++++++++++++++++++++++++++++++++++++++++++ > tests/generic/998.out | 2 ++ > tests/generic/group | 1 + > 3 files changed, 70 insertions(+) > create mode 100644 tests/generic/998 > create mode 100644 tests/generic/998.out > > diff --git a/tests/generic/998 b/tests/generic/998 > new file mode 100644 > index 00000000..26a5b620 > --- /dev/null > +++ b/tests/generic/998 > @@ -0,0 +1,67 @@ > +#! /bin/bash > +# SPDX-License-Identifier: GPL-2.0 > +# Copyright (c) 2020 Huawei. All Rights Reserved. > +# > +# FS QA Test 998 > +# > +# Test race between listxattr() and setxattr(). It reproduces a bug > +# on UBIFS where listxattr() copies the newly created xattr names > +# regardless of the remaining buffer size, fails the assertion of > +# used buffer size, and may corrupt buffer memory. > +# > +seq=`basename $0` > +seqres=$RESULT_DIR/$seq > +echo "QA output created by $seq" > + > +here=`pwd` > +tmp=/tmp/$$ > +status=1 # failure is the default! > +trap "_cleanup; exit \$status" 0 1 2 3 15 > + > +_cleanup() > +{ > + cd / > + rm -f $tmp.* > + rm -f $TEST_DIR/$seq > +} > + > +# get standard environment, filters and checks > +. ./common/rc > +. ./common/attr > + > +# remove previous $seqres.full before test > +rm -f $seqres.full > + > +# real QA test starts here > +_supported_fs generic > +_supported_os Linux > +_require_attrs > + > +target=$TEST_DIR/$seq > +touch $target > + > +# start a background listxattr > +runfile="$tmp.listxattr" > +touch $runfile > +while [ -e $runfile ]; do > + ${GETFATTR_PROG} $target >/dev/null 2>&1 > +done & > + > +# add new xattr continuously > +largename=`for i in $(seq 0 128); do echo -n a; done` > +cnt=100 > +# f2fs has limited spaces for xattr > +[ $FSTYP == "f2fs" ] && cnt=30 > +for i in $(seq 1 $cnt); do > + ${SETFATTR_PROG} -n user.${largename}.$i -v $i $target > +done > + > +rm -f $runfile > +wait > /dev/null 2>&1 > +rm -f $target > + > +echo Silence is golden > + > +# success, all done > +status=0 > +exit > diff --git a/tests/generic/998.out b/tests/generic/998.out > new file mode 100644 > index 00000000..d2679ae0 > --- /dev/null > +++ b/tests/generic/998.out > @@ -0,0 +1,2 @@ > +QA output created by 998 > +Silence is golden > diff --git a/tests/generic/group b/tests/generic/group > index d9ab9a31..62697ac5 100644 > --- a/tests/generic/group > +++ b/tests/generic/group > @@ -605,3 +605,4 @@ > 600 auto quick quota > 601 auto quick quota > 602 auto quick encrypt > +998 auto quick attr > -- > 2.25.0.4.g0ad7144999
On 2020/8/31 0:23, Eryu Guan wrote: > On Sat, Aug 22, 2020 at 07:41:32PM +0800, Hou Tao wrote: >> Add reproducer for a bug on ubifs where listxattr() copies >> the newly created xattr names regardless of the remaining >> buffer size, fails the assertion of used buffer size, >> and may corrupt buffer memory. >> >> Signed-off-by: Hou Tao <houtao1@huawei.com> >> --- >> v2: accommodate f2fs by reducing the number of created xattrs for f2fs > > Thanks for the test and revision! Is there a fix available for the ubifs > bug? If so would you please mention the kernel commit ID in commit log > as well? > > Chao, would you please help check the update regarding to f2fs? Thanks! Hi, all, Sorry for the delay. I've ran the test, it looks fine to f2fs, and also parameter value 'cnt=30' is just touch upper boundary of xattr space size. :) Reviewed-by: Chao Yu <yuchao0@huawei.com> Thanks, > > Eryu > >> >> tests/generic/998 | 67 +++++++++++++++++++++++++++++++++++++++++++ >> tests/generic/998.out | 2 ++ >> tests/generic/group | 1 + >> 3 files changed, 70 insertions(+) >> create mode 100644 tests/generic/998 >> create mode 100644 tests/generic/998.out >> >> diff --git a/tests/generic/998 b/tests/generic/998 >> new file mode 100644 >> index 00000000..26a5b620 >> --- /dev/null >> +++ b/tests/generic/998 >> @@ -0,0 +1,67 @@ >> +#! /bin/bash >> +# SPDX-License-Identifier: GPL-2.0 >> +# Copyright (c) 2020 Huawei. All Rights Reserved. >> +# >> +# FS QA Test 998 >> +# >> +# Test race between listxattr() and setxattr(). It reproduces a bug >> +# on UBIFS where listxattr() copies the newly created xattr names >> +# regardless of the remaining buffer size, fails the assertion of >> +# used buffer size, and may corrupt buffer memory. >> +# >> +seq=`basename $0` >> +seqres=$RESULT_DIR/$seq >> +echo "QA output created by $seq" >> + >> +here=`pwd` >> +tmp=/tmp/$$ >> +status=1 # failure is the default! >> +trap "_cleanup; exit \$status" 0 1 2 3 15 >> + >> +_cleanup() >> +{ >> + cd / >> + rm -f $tmp.* >> + rm -f $TEST_DIR/$seq >> +} >> + >> +# get standard environment, filters and checks >> +. ./common/rc >> +. ./common/attr >> + >> +# remove previous $seqres.full before test >> +rm -f $seqres.full >> + >> +# real QA test starts here >> +_supported_fs generic >> +_supported_os Linux >> +_require_attrs >> + >> +target=$TEST_DIR/$seq >> +touch $target >> + >> +# start a background listxattr >> +runfile="$tmp.listxattr" >> +touch $runfile >> +while [ -e $runfile ]; do >> + ${GETFATTR_PROG} $target >/dev/null 2>&1 >> +done & >> + >> +# add new xattr continuously >> +largename=`for i in $(seq 0 128); do echo -n a; done` >> +cnt=100 >> +# f2fs has limited spaces for xattr >> +[ $FSTYP == "f2fs" ] && cnt=30 >> +for i in $(seq 1 $cnt); do >> + ${SETFATTR_PROG} -n user.${largename}.$i -v $i $target >> +done >> + >> +rm -f $runfile >> +wait > /dev/null 2>&1 >> +rm -f $target >> + >> +echo Silence is golden >> + >> +# success, all done >> +status=0 >> +exit >> diff --git a/tests/generic/998.out b/tests/generic/998.out >> new file mode 100644 >> index 00000000..d2679ae0 >> --- /dev/null >> +++ b/tests/generic/998.out >> @@ -0,0 +1,2 @@ >> +QA output created by 998 >> +Silence is golden >> diff --git a/tests/generic/group b/tests/generic/group >> index d9ab9a31..62697ac5 100644 >> --- a/tests/generic/group >> +++ b/tests/generic/group >> @@ -605,3 +605,4 @@ >> 600 auto quick quota >> 601 auto quick quota >> 602 auto quick encrypt >> +998 auto quick attr >> -- >> 2.25.0.4.g0ad7144999 > . >
Hi, On 2020/8/31 0:23, Eryu Guan wrote: > On Sat, Aug 22, 2020 at 07:41:32PM +0800, Hou Tao wrote: >> Add reproducer for a bug on ubifs where listxattr() copies >> the newly created xattr names regardless of the remaining >> buffer size, fails the assertion of used buffer size, >> and may corrupt buffer memory. >> >> Signed-off-by: Hou Tao <houtao1@huawei.com> >> --- >> v2: accommodate f2fs by reducing the number of created xattrs for f2fs > > Thanks for the test and revision! Is there a fix available for the ubifs > bug? If so would you please mention the kernel commit ID in commit log > as well? > The fixes [1] have not been reviewed yet, so we may need to hold on until the fixes get merged ? [1]: https://lore.kernel.org/linux-mtd/20200630130438.141649-1-houtao1@huawei.com/ Regards, Tao > Chao, would you please help check the update regarding to f2fs? Thanks! > > Eryu > >> >> tests/generic/998 | 67 +++++++++++++++++++++++++++++++++++++++++++ >> tests/generic/998.out | 2 ++ >> tests/generic/group | 1 + >> 3 files changed, 70 insertions(+) >> create mode 100644 tests/generic/998 >> create mode 100644 tests/generic/998.out >> >> diff --git a/tests/generic/998 b/tests/generic/998 >> new file mode 100644 >> index 00000000..26a5b620 >> --- /dev/null >> +++ b/tests/generic/998 >> @@ -0,0 +1,67 @@ >> +#! /bin/bash >> +# SPDX-License-Identifier: GPL-2.0 >> +# Copyright (c) 2020 Huawei. All Rights Reserved. >> +# >> +# FS QA Test 998 >> +# >> +# Test race between listxattr() and setxattr(). It reproduces a bug >> +# on UBIFS where listxattr() copies the newly created xattr names >> +# regardless of the remaining buffer size, fails the assertion of >> +# used buffer size, and may corrupt buffer memory. >> +# >> +seq=`basename $0` >> +seqres=$RESULT_DIR/$seq >> +echo "QA output created by $seq" >> + >> +here=`pwd` >> +tmp=/tmp/$$ >> +status=1 # failure is the default! >> +trap "_cleanup; exit \$status" 0 1 2 3 15 >> + >> +_cleanup() >> +{ >> + cd / >> + rm -f $tmp.* >> + rm -f $TEST_DIR/$seq >> +} >> + >> +# get standard environment, filters and checks >> +. ./common/rc >> +. ./common/attr >> + >> +# remove previous $seqres.full before test >> +rm -f $seqres.full >> + >> +# real QA test starts here >> +_supported_fs generic >> +_supported_os Linux >> +_require_attrs >> + >> +target=$TEST_DIR/$seq >> +touch $target >> + >> +# start a background listxattr >> +runfile="$tmp.listxattr" >> +touch $runfile >> +while [ -e $runfile ]; do >> + ${GETFATTR_PROG} $target >/dev/null 2>&1 >> +done & >> + >> +# add new xattr continuously >> +largename=`for i in $(seq 0 128); do echo -n a; done` >> +cnt=100 >> +# f2fs has limited spaces for xattr >> +[ $FSTYP == "f2fs" ] && cnt=30 >> +for i in $(seq 1 $cnt); do >> + ${SETFATTR_PROG} -n user.${largename}.$i -v $i $target >> +done >> + >> +rm -f $runfile >> +wait > /dev/null 2>&1 >> +rm -f $target >> + >> +echo Silence is golden >> + >> +# success, all done >> +status=0 >> +exit >> diff --git a/tests/generic/998.out b/tests/generic/998.out >> new file mode 100644 >> index 00000000..d2679ae0 >> --- /dev/null >> +++ b/tests/generic/998.out >> @@ -0,0 +1,2 @@ >> +QA output created by 998 >> +Silence is golden >> diff --git a/tests/generic/group b/tests/generic/group >> index d9ab9a31..62697ac5 100644 >> --- a/tests/generic/group >> +++ b/tests/generic/group >> @@ -605,3 +605,4 @@ >> 600 auto quick quota >> 601 auto quick quota >> 602 auto quick encrypt >> +998 auto quick attr >> -- >> 2.25.0.4.g0ad7144999 > . >
On Mon, Aug 31, 2020 at 11:01:05AM +0800, Hou Tao wrote: > Hi, > > On 2020/8/31 0:23, Eryu Guan wrote: > > On Sat, Aug 22, 2020 at 07:41:32PM +0800, Hou Tao wrote: > >> Add reproducer for a bug on ubifs where listxattr() copies > >> the newly created xattr names regardless of the remaining > >> buffer size, fails the assertion of used buffer size, > >> and may corrupt buffer memory. > >> > >> Signed-off-by: Hou Tao <houtao1@huawei.com> > >> --- > >> v2: accommodate f2fs by reducing the number of created xattrs for f2fs > > > > Thanks for the test and revision! Is there a fix available for the ubifs > > bug? If so would you please mention the kernel commit ID in commit log > > as well? > > > The fixes [1] have not been reviewed yet, so we may need to hold on until the fixes get merged ? > > [1]: https://lore.kernel.org/linux-mtd/20200630130438.141649-1-houtao1@huawei.com/ It's better to have the fixes merged first, but we do merge tests before the fixes landed in. But I'd like to see at least some reviews/acks on the fixes first. Thanks, Eryu
On Sat, Aug 22, 2020 at 07:41:32PM +0800, Hou Tao wrote: > Add reproducer for a bug on ubifs where listxattr() copies > the newly created xattr names regardless of the remaining > buffer size, fails the assertion of used buffer size, > and may corrupt buffer memory. > > Signed-off-by: Hou Tao <houtao1@huawei.com> > --- > v2: accommodate f2fs by reducing the number of created xattrs for f2fs > > tests/generic/998 | 67 +++++++++++++++++++++++++++++++++++++++++++ > tests/generic/998.out | 2 ++ > tests/generic/group | 1 + > 3 files changed, 70 insertions(+) > create mode 100644 tests/generic/998 > create mode 100644 tests/generic/998.out > > diff --git a/tests/generic/998 b/tests/generic/998 > new file mode 100644 > index 00000000..26a5b620 > --- /dev/null > +++ b/tests/generic/998 > @@ -0,0 +1,67 @@ > +#! /bin/bash > +# SPDX-License-Identifier: GPL-2.0 > +# Copyright (c) 2020 Huawei. All Rights Reserved. > +# > +# FS QA Test 998 > +# > +# Test race between listxattr() and setxattr(). It reproduces a bug > +# on UBIFS where listxattr() copies the newly created xattr names > +# regardless of the remaining buffer size, fails the assertion of > +# used buffer size, and may corrupt buffer memory. > +# > +seq=`basename $0` > +seqres=$RESULT_DIR/$seq > +echo "QA output created by $seq" > + > +here=`pwd` > +tmp=/tmp/$$ > +status=1 # failure is the default! > +trap "_cleanup; exit \$status" 0 1 2 3 15 > + > +_cleanup() > +{ > + cd / > + rm -f $tmp.* > + rm -f $TEST_DIR/$seq > +} > + > +# get standard environment, filters and checks > +. ./common/rc > +. ./common/attr > + > +# remove previous $seqres.full before test > +rm -f $seqres.full > + > +# real QA test starts here > +_supported_fs generic > +_supported_os Linux > +_require_attrs > + > +target=$TEST_DIR/$seq > +touch $target > + > +# start a background listxattr > +runfile="$tmp.listxattr" > +touch $runfile > +while [ -e $runfile ]; do > + ${GETFATTR_PROG} $target >/dev/null 2>&1 Er, if the listxattr corrupts the buffer memory, how does this test detect that? Does the kernel crash or something? > +done & > + > +# add new xattr continuously > +largename=`for i in $(seq 0 128); do echo -n a; done` > +cnt=100 > +# f2fs has limited spaces for xattr > +[ $FSTYP == "f2fs" ] && cnt=30 > +for i in $(seq 1 $cnt); do > + ${SETFATTR_PROG} -n user.${largename}.$i -v $i $target Seeing as each filesystem has different xattr limits, I wonder if instead of special casing of f2fs we ought to capture the stdout/stderr of SETFATTR_PROG and filter out the ENOSPC message? AFAICT this test isn't trying to check that setting xattrs succeeds, but I'm a little confused on how we detect the corrupted buffer... --D > +done > + > +rm -f $runfile > +wait > /dev/null 2>&1 > +rm -f $target > + > +echo Silence is golden > + > +# success, all done > +status=0 > +exit > diff --git a/tests/generic/998.out b/tests/generic/998.out > new file mode 100644 > index 00000000..d2679ae0 > --- /dev/null > +++ b/tests/generic/998.out > @@ -0,0 +1,2 @@ > +QA output created by 998 > +Silence is golden > diff --git a/tests/generic/group b/tests/generic/group > index d9ab9a31..62697ac5 100644 > --- a/tests/generic/group > +++ b/tests/generic/group > @@ -605,3 +605,4 @@ > 600 auto quick quota > 601 auto quick quota > 602 auto quick encrypt > +998 auto quick attr > -- > 2.25.0.4.g0ad7144999 >
diff --git a/tests/generic/998 b/tests/generic/998 new file mode 100644 index 00000000..26a5b620 --- /dev/null +++ b/tests/generic/998 @@ -0,0 +1,67 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright (c) 2020 Huawei. All Rights Reserved. +# +# FS QA Test 998 +# +# Test race between listxattr() and setxattr(). It reproduces a bug +# on UBIFS where listxattr() copies the newly created xattr names +# regardless of the remaining buffer size, fails the assertion of +# used buffer size, and may corrupt buffer memory. +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* + rm -f $TEST_DIR/$seq +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/attr + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_attrs + +target=$TEST_DIR/$seq +touch $target + +# start a background listxattr +runfile="$tmp.listxattr" +touch $runfile +while [ -e $runfile ]; do + ${GETFATTR_PROG} $target >/dev/null 2>&1 +done & + +# add new xattr continuously +largename=`for i in $(seq 0 128); do echo -n a; done` +cnt=100 +# f2fs has limited spaces for xattr +[ $FSTYP == "f2fs" ] && cnt=30 +for i in $(seq 1 $cnt); do + ${SETFATTR_PROG} -n user.${largename}.$i -v $i $target +done + +rm -f $runfile +wait > /dev/null 2>&1 +rm -f $target + +echo Silence is golden + +# success, all done +status=0 +exit diff --git a/tests/generic/998.out b/tests/generic/998.out new file mode 100644 index 00000000..d2679ae0 --- /dev/null +++ b/tests/generic/998.out @@ -0,0 +1,2 @@ +QA output created by 998 +Silence is golden diff --git a/tests/generic/group b/tests/generic/group index d9ab9a31..62697ac5 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -605,3 +605,4 @@ 600 auto quick quota 601 auto quick quota 602 auto quick encrypt +998 auto quick attr
Add reproducer for a bug on ubifs where listxattr() copies the newly created xattr names regardless of the remaining buffer size, fails the assertion of used buffer size, and may corrupt buffer memory. Signed-off-by: Hou Tao <houtao1@huawei.com> --- v2: accommodate f2fs by reducing the number of created xattrs for f2fs tests/generic/998 | 67 +++++++++++++++++++++++++++++++++++++++++++ tests/generic/998.out | 2 ++ tests/generic/group | 1 + 3 files changed, 70 insertions(+) create mode 100644 tests/generic/998 create mode 100644 tests/generic/998.out