From patchwork Sat Nov 5 02:00:09 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Sandeen X-Patchwork-Id: 9413567 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 04FE560722 for ; Sat, 5 Nov 2016 02:00:17 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 71F142B2B3 for ; Sat, 5 Nov 2016 02:00:16 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 468412B2BC; Sat, 5 Nov 2016 02:00:16 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9DCEE2B2B3 for ; Sat, 5 Nov 2016 02:00:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751389AbcKECAM (ORCPT ); Fri, 4 Nov 2016 22:00:12 -0400 Received: from mx1.redhat.com ([209.132.183.28]:35796 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750833AbcKECAL (ORCPT ); Fri, 4 Nov 2016 22:00:11 -0400 Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id B9B1CC054901; Sat, 5 Nov 2016 02:00:10 +0000 (UTC) Received: from [IPv6:::1] (ovpn03.gateway.prod.ext.phx2.redhat.com [10.5.9.3]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id uA5209Nh031217 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 4 Nov 2016 22:00:10 -0400 To: fstests , xfs-oss From: Eric Sandeen Subject: [PATCH] xfs: testcase for kernelspace xfs_fsr extent handling flaw Message-ID: Date: Fri, 4 Nov 2016 21:00:09 -0500 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.4.0 MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Sat, 05 Nov 2016 02:00:10 +0000 (UTC) Sender: fstests-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: fstests@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This is a testcase for a bug which goes way back; googling "xfs_trans_log_inode NULL pointer dereference" yields sporadic reports over several years. The test sets up several two-extent files with speculative preallocation on them, and then runs xfs_fsr. The kernelside code ignores the preallocation, and therefore sets up the temporary inode incorrectly after the inode fork swap. It is a "dangerous" test because the extent mishandling on the temporary inode causes a null pointer dereference and oops when the inode's i_itemp pointer gets overwritten and we blow up in logging code that tries to use it. Signed-off-by: Eric Sandeen --- -- To unsubscribe from this list: send the line "unsubscribe fstests" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/tests/xfs/118 b/tests/xfs/118 new file mode 100755 index 0000000..d2c9080 --- /dev/null +++ b/tests/xfs/118 @@ -0,0 +1,99 @@ +#! /bin/bash +# FS QA Test 118 +# +# Test xfs_fsr's handling of 2-extent files with preallocation +# +# An error in xfs_swap_extent_forks() incorrectly set up the +# temporary inode's if_extents pointer to inline, leading to +# in-memory corruption when the temporary inode was released +# and torn down; i_itemp and d_ops got overwritten with zeros, +# which led to an oops in xfs_trans_log_inode down the fput path. +# +# Fixed upstream by proper nextents counting using +# ip->i_df.if_bytes not ip->i_d.di_nextents in xfs_swap_extent_forks +# +#----------------------------------------------------------------------- +# Copyright (c) 2016 Red Hat, inc. All Rights Reserved. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +#----------------------------------------------------------------------- +# + +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter + +# remove previous $seqres.full before test +rm -f $seqres.full + +_supported_fs xfs +_supported_os IRIX Linux + +_require_scratch +_require_command "$XFS_FSR_PROG" "xfs_fsr" + +# 50M +_scratch_mkfs_sized $((50 * 1024 * 1024)) >> $seqres.full 2>&1 +_scratch_mount + +echo "Silence is golden" + +# Fragment freespace +# The aim is to create a fragmented two-extent file *with* prealloc +# so make the free holes big enough that a 2-extent file will have +# preallocation added. Let's say... 64k free chunks. + +$XFS_IO_PROG -fs -c "falloc 0 40000k" $SCRATCH_MNT/fill >> $seqres.full 2>&1 +sync + +dd if=/dev/zero of=$SCRATCH_MNT/remainder oflag=direct > /dev/null 2>&1 + +# Free up a bunch of 64k chunks +for i in `seq 0 68 40000`; do + $XFS_IO_PROG -fs -c "unresvsp ${i}k 64k" $SCRATCH_MNT/fill +done + +# Create 2-extent files w/ preallocation (via extending writes) +for I in `seq 1 64`; do + $XFS_IO_PROG -f -c "pwrite 0 64k" $SCRATCH_MNT/newfile-$I \ + >> $seqres.full 2>&1 + $XFS_IO_PROG -f -c "pwrite 64k 64k" $SCRATCH_MNT/newfile-$I \ + >> $seqres.full 2>&1 +done +# sync to get extents on disk so fsr sees them +sync + +# Free up some space for defragmentation temp file +rm -f $SCRATCH_MNT/fill + +$XFS_FSR_PROG -vd $SCRATCH_MNT/newfile* >> $seqres.full 2>&1 + +# success, all done +status=0 +exit diff --git a/tests/xfs/118.out b/tests/xfs/118.out new file mode 100644 index 0000000..3daed86 --- /dev/null +++ b/tests/xfs/118.out @@ -0,0 +1,2 @@ +QA output created by 118 +Silence is golden diff --git a/tests/xfs/group b/tests/xfs/group index 3296eb9..0a7a0a8 100644 --- a/tests/xfs/group +++ b/tests/xfs/group @@ -115,6 +115,7 @@ 115 parent attr 116 quota auto quick 117 fuzzers +118 growfs dangerous 119 log v2log auto freeze dangerous 120 fuzzers 121 log auto quick