#! /bin/bash
# FS QA Test 445
#
# Test the XFS filestreams allocator for use-after-free inode access. The
# filestreams allocator uses the MRU and historically kept around unreferenced
# inode pointers in each element. These pointers could outlive the inodes they
# referred to and thus lead to access of freed or reused memory when the MRU
# element was reaped. Test for this problem by performing filestream allocations
# against short-lived parent directory inodes.
#
# Note that some form of kernel debug mechanism for use-after-free detection
# (e.g., KASAN) is required for this test to reproduce the original problem.
# This is because XFS uses a kmem cache for xfs_inode objects, which means that
# the backing pages for freed inodes may still reside in the cache with the
# freed inodes in a partially initialized state, so a stale access does not
# necessarily fault on its own. Without such a mechanism, a passing run is not
# evidence that the kernel is free of the problem.
#
#-----------------------------------------------------------------------
# Copyright (c) 2018 Red Hat, Inc. All Rights Reserved.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it would be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#-----------------------------------------------------------------------
#
# Standard test prelude: name the test after this script, derive the result
# path from it, and assume failure until the body runs to completion.
seq=$(basename $0)
seqres=$RESULT_DIR/$seq
echo "QA output created by $seq"

here=$(pwd)
# NOTE(review): PID-derived prefix under /tmp is predictable; this script
# itself only ever removes $tmp.* (in _cleanup) and never writes to it.
tmp=/tmp/$$
status=1	# failure is the default!

# Run _cleanup and exit with $status on normal exit (0) and on signals
# 1, 2, 3 and 15. Single quotes defer $status until the trap actually fires.
trap '_cleanup; exit $status' 0 1 2 3 15
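# Exit-path cleanup, invoked from the trap on normal exit and on signals.
# Stops the background cache-dropping loop if one was started (its PID is
# recorded in $pid). Without this, a run that is interrupted or fails after
# the loop is launched would leave it writing to /proc/sys/vm/drop_caches
# indefinitely. Afterwards, leaves any scratch directory and removes the
# test's temp files.
_cleanup()
{
	# $pid is empty until the background worker has been started
	if [ -n "$pid" ]; then
		kill "$pid" 2> /dev/null
		# reap the worker; errors are expected if it was already waited for
		wait "$pid" 2> /dev/null
	fi
	cd /
	rm -f "$tmp".*
}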
# get standard environment, filters and checks
. ./common/rc
. ./common/filter
. ./common/filestreams
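# remove previous $seqres.full before test; the path is quoted so a result
# directory containing whitespace or glob characters is not split or expanded
rm -f -- "$seqres.full"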
# real QA test starts here
# Background worker: once a second, write 2 to /proc/sys/vm/drop_caches, which
# asks the kernel to free reclaimable slab objects (dentries and inodes).
# Never returns on its own; it is meant to be run with & and killed by PID.
drop_caches()
{
	while :; do
		echo 2 > /proc/sys/vm/drop_caches
		sleep 1
	done
}
# Modify as appropriate.
# NOTE(review): declared generic, but the body below formats with
# _scratch_mkfs_xfs and mounts with -o filestreams -- confirm whether this
# should be restricted to xfs.
_supported_fs generic
_supported_os Linux
_require_scratch_size $((2 * 1024 * 1024))	# kb

# check for filestreams
if ! _check_filestreams_support; then
	_notrun "filestreams not available"
fi

# use small AGs for frequent stream switching
if ! _scratch_mkfs_xfs -d agsize=20m,size=2g >> $seqres.full 2>&1; then
	_fail "mkfs failed"
fi
_scratch_mount "-o filestreams"

# start background inode reclaim; keep the worker's PID so it can be stopped
drop_caches &
pid=$!
# Stress the filestreams allocator: keep extending one file while moving it
# from parent dir N to parent dir N+1 and removing dir N. Each removed dir is
# then an unlinked inode that an MRU element may still point at. If that inode
# is reclaimed and its memory reused before the MRU element is cleaned up, the
# cleanup touches freed memory.
dir=$SCRATCH_MNT
for i in {0..90}; do
	next=$((i + 1))

	mkdir -p $dir/$i
	# allocate the next 20m chunk of the file while it lives under dir $i
	$XFS_IO_PROG -fc "falloc $((i * 20))m 20m" $dir/$i/file

	# hand the file over to the next parent and drop the old one
	mkdir -p $dir/$next
	mv $dir/$i/file $dir/$next/file
	rmdir $dir/$i

	# throttle to ensure this loop sees several cache reclaims
	sleep 0.1
done

# stop the background reclaim loop and reap it
kill $pid 2> /dev/null
wait $pid 2> /dev/null

echo "Silence is golden"

# success, all done
status=0
exit