[PATCH] xfs: Regression test for vulnerable directory integrity check

[PATCH] xfs: Regression test for vulnerable directory integrity check

[Xiao Yang]

If a malicious XFS contains a block+ format directory wherein the
directory inode's core.mode is corrupted, and there are subdirectories
of the corrupted directory, an attempt to traverse up the directory
tree by running xfs_scrub will crash the kernel in __xfs_dir3_data_check.

Signed-off-by: Xiao Yang <yangx.jy@cn.fujitsu.com>
---
 tests/xfs/448     | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/448.out |  2 ++
 tests/xfs/group   |  1 +
 3 files changed, 93 insertions(+)
 create mode 100755 tests/xfs/448
 create mode 100644 tests/xfs/448.out

diff --git a/tests/xfs/448 b/tests/xfs/448
new file mode 100755
index 0000000..bc151a4
--- /dev/null
+++ b/tests/xfs/448
@@ -0,0 +1,90 @@
+#! /bin/bash
+# FS QA Test No. 448
+#
+# Regression test for commit:
+# 46c5973 ("xfs: harden directory integrity checks some more")
+#
+# If a malicious XFS contains a block+ format directory wherein
+# the directory inode's core.mode is corrupted, and there are
+# subdirectories of the corrupted directory, an attempt to traverse
+# up the directory tree by running xfs_scrub will crash the
+# kernel in __xfs_dir3_data_check.
+#
+# Notice:
+# we should have non fatal asserts configured, because assert
+# failures triggered by the intentional corrupt would crash system.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2018 FUJITSU.  All Rights Reserved.
+# Author: Xiao Yang <yangx.jy@cn.fujitsu.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#-----------------------------------------------------------------------
+
+seq=`basename "$0"`
+seqres="$RESULT_DIR/$seq"
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1    # failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch
+_require_scrub
+_require_scratch_nocheck
+# Corrupt XFS on purpose, and skip if assert failures would crash system.
+_require_no_xfs_bug_on_assert
+
+rm -f "$seqres.full"
+
+# Format and mount
+_scratch_mkfs > $seqres.full 2>&1 || _fail "mkfs failed"
+_scratch_mount
+
+# Create a block+(e.g. leaf) format directory
+dblksz="$(xfs_info "${SCRATCH_MNT}" | grep naming.*bsize | sed -e 's/^.*bsize=//g' -e 's/\([0-9]*\).*$/\1/g')"
+__populate_create_dir "${SCRATCH_MNT}/dir_leaf" "$((dblksz / 12))"
+dino=$(stat -c "%i" "${SCRATCH_MNT}/dir_leaf")
+
+# Corrupt the directory inode's core.mode
+_scratch_unmount
+setmode="0100755"
+_scratch_xfs_set_metadata_field "core.mode" "$setmode" "inode $dino" >> $seqres.full
+getmode=$(_scratch_xfs_get_metadata_field "core.mode" "inode $dino")
+[ "$getmode" != "$setmode" ] && _notrun "failed to set core.mode"
+
+# Check a mounted XFS (online)
+_scratch_mount
+$XFS_SCRUB_PROG -d -T -v -n $SCRATCH_MNT >> $seqres.full 2>&1
+
+echo "Silence is golden"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/448.out b/tests/xfs/448.out
new file mode 100644
index 0000000..b6f0a53
--- /dev/null
+++ b/tests/xfs/448.out
@@ -0,0 +1,2 @@
+QA output created by 448
+Silence is golden
diff --git a/tests/xfs/group b/tests/xfs/group
index 51326d9..dd39d08 100644
--- a/tests/xfs/group
+++ b/tests/xfs/group
@@ -445,3 +445,4 @@
 445 auto quick filestreams
 446 auto quick
 447 auto mount
+448 auto quick fuzzers
-- 
1.8.3.1

Re: [PATCH] xfs: Regression test for vulnerable directory integrity check

[Darrick J. Wong]

On Thu, May 24, 2018 at 05:32:12PM +0800, Xiao Yang wrote:
> If a malicious XFS contains a block+ format directory wherein the
> directory inode's core.mode is corrupted, and there are subdirectories
> of the corrupted directory, an attempt to traverse up the directory
> tree by running xfs_scrub will crash the kernel in __xfs_dir3_data_check.
> 
> Signed-off-by: Xiao Yang <yangx.jy@cn.fujitsu.com>
> ---
>  tests/xfs/448     | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  tests/xfs/448.out |  2 ++
>  tests/xfs/group   |  1 +
>  3 files changed, 93 insertions(+)
>  create mode 100755 tests/xfs/448
>  create mode 100644 tests/xfs/448.out
> 
> diff --git a/tests/xfs/448 b/tests/xfs/448
> new file mode 100755
> index 0000000..bc151a4
> --- /dev/null
> +++ b/tests/xfs/448
> @@ -0,0 +1,90 @@
> +#! /bin/bash
> +# FS QA Test No. 448
> +#
> +# Regression test for commit:
> +# 46c5973 ("xfs: harden directory integrity checks some more")
> +#
> +# If a malicious XFS contains a block+ format directory wherein
> +# the directory inode's core.mode is corrupted, and there are
> +# subdirectories of the corrupted directory, an attempt to traverse
> +# up the directory tree by running xfs_scrub will crash the
> +# kernel in __xfs_dir3_data_check.
> +#
> +# Notice:
> +# we should have non fatal asserts configured, because assert
> +# failures triggered by the intentional corrupt would crash system.
> +#
> +#-----------------------------------------------------------------------
> +# Copyright (c) 2018 FUJITSU.  All Rights Reserved.
> +# Author: Xiao Yang <yangx.jy@cn.fujitsu.com>
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU General Public License as
> +# published by the Free Software Foundation.
> +#
> +# This program is distributed in the hope that it would be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program; if not, write the Free Software Foundation,
> +# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
> +#-----------------------------------------------------------------------
> +
> +seq=`basename "$0"`
> +seqres="$RESULT_DIR/$seq"
> +echo "QA output created by $seq"
> +
> +here=`pwd`
> +tmp=/tmp/$$
> +status=1    # failure is the default!
> +trap "_cleanup; exit \$status" 0 1 2 3 15
> +
> +_cleanup()
> +{
> +	rm -rf $tmp.*
> +}
> +
> +# get standard environment, filters and checks
> +. ./common/rc
> +. ./common/filter
> +. ./common/populate
> +. ./common/fuzzy
> +
> +# real QA test starts here
> +_supported_os Linux
> +_supported_fs xfs
> +_require_scratch
> +_require_scrub
> +_require_scratch_nocheck
> +# Corrupt XFS on purpose, and skip if assert failures would crash system.
> +_require_no_xfs_bug_on_assert
> +
> +rm -f "$seqres.full"
> +
> +# Format and mount
> +_scratch_mkfs > $seqres.full 2>&1 || _fail "mkfs failed"
> +_scratch_mount
> +
> +# Create a block+(e.g. leaf) format directory
> +dblksz="$(xfs_info "${SCRATCH_MNT}" | grep naming.*bsize | sed -e 's/^.*bsize=//g' -e 's/\([0-9]*\).*$/\1/g')"
> +__populate_create_dir "${SCRATCH_MNT}/dir_leaf" "$((dblksz / 12))"
> +dino=$(stat -c "%i" "${SCRATCH_MNT}/dir_leaf")
> +
> +# Corrupt the directory inode's core.mode
> +_scratch_unmount
> +setmode="0100755"
> +_scratch_xfs_set_metadata_field "core.mode" "$setmode" "inode $dino" >> $seqres.full
> +getmode=$(_scratch_xfs_get_metadata_field "core.mode" "inode $dino")
> +[ "$getmode" != "$setmode" ] && _notrun "failed to set core.mode"

When does the set fail?  And isn't that a _fail()ure?

> +
> +# Check a mounted XFS (online)
> +_scratch_mount
> +$XFS_SCRUB_PROG -d -T -v -n $SCRATCH_MNT >> $seqres.full 2>&1

I don't think you want to rely on xfs_scrub at this point if you can
avoid it--scrub is totally experimental and can be deconfigured from the
kernel.  Can you poke the directory using regular commands (like ls) to
trigger the assert?

--D

> +echo "Silence is golden"
> +
> +# success, all done
> +status=0
> +exit
> diff --git a/tests/xfs/448.out b/tests/xfs/448.out
> new file mode 100644
> index 0000000..b6f0a53
> --- /dev/null
> +++ b/tests/xfs/448.out
> @@ -0,0 +1,2 @@
> +QA output created by 448
> +Silence is golden
> diff --git a/tests/xfs/group b/tests/xfs/group
> index 51326d9..dd39d08 100644
> --- a/tests/xfs/group
> +++ b/tests/xfs/group
> @@ -445,3 +445,4 @@
>  445 auto quick filestreams
>  446 auto quick
>  447 auto mount
> +448 auto quick fuzzers
> -- 
> 1.8.3.1
> 
> 
> 

Re: [PATCH] xfs: Regression test for vulnerable directory integrity check

[Xiao Yang]

On 2018/05/25 12:37, Darrick J. Wong wrote:
> On Thu, May 24, 2018 at 05:32:12PM +0800, Xiao Yang wrote:
>> If a malicious XFS contains a block+ format directory wherein the
>> directory inode's core.mode is corrupted, and there are subdirectories
>> of the corrupted directory, an attempt to traverse up the directory
>> tree by running xfs_scrub will crash the kernel in __xfs_dir3_data_check.
>>
>> Signed-off-by: Xiao Yang<yangx.jy@cn.fujitsu.com>
>> ---
>>   tests/xfs/448     | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>   tests/xfs/448.out |  2 ++
>>   tests/xfs/group   |  1 +
>>   3 files changed, 93 insertions(+)
>>   create mode 100755 tests/xfs/448
>>   create mode 100644 tests/xfs/448.out
>>
>> diff --git a/tests/xfs/448 b/tests/xfs/448
>> new file mode 100755
>> index 0000000..bc151a4
>> --- /dev/null
>> +++ b/tests/xfs/448
>> @@ -0,0 +1,90 @@
>> +#! /bin/bash
>> +# FS QA Test No. 448
>> +#
>> +# Regression test for commit:
>> +# 46c5973 ("xfs: harden directory integrity checks some more")
>> +#
>> +# If a malicious XFS contains a block+ format directory wherein
>> +# the directory inode's core.mode is corrupted, and there are
>> +# subdirectories of the corrupted directory, an attempt to traverse
>> +# up the directory tree by running xfs_scrub will crash the
>> +# kernel in __xfs_dir3_data_check.
>> +#
>> +# Notice:
>> +# we should have non fatal asserts configured, because assert
>> +# failures triggered by the intentional corrupt would crash system.
>> +#
>> +#-----------------------------------------------------------------------
>> +# Copyright (c) 2018 FUJITSU.  All Rights Reserved.
>> +# Author: Xiao Yang<yangx.jy@cn.fujitsu.com>
>> +#
>> +# This program is free software; you can redistribute it and/or
>> +# modify it under the terms of the GNU General Public License as
>> +# published by the Free Software Foundation.
>> +#
>> +# This program is distributed in the hope that it would be useful,
>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>> +# GNU General Public License for more details.
>> +#
>> +# You should have received a copy of the GNU General Public License
>> +# along with this program; if not, write the Free Software Foundation,
>> +# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
>> +#-----------------------------------------------------------------------
>> +
>> +seq=`basename "$0"`
>> +seqres="$RESULT_DIR/$seq"
>> +echo "QA output created by $seq"
>> +
>> +here=`pwd`
>> +tmp=/tmp/$$
>> +status=1    # failure is the default!
>> +trap "_cleanup; exit \$status" 0 1 2 3 15
>> +
>> +_cleanup()
>> +{
>> +	rm -rf $tmp.*
>> +}
>> +
>> +# get standard environment, filters and checks
>> +. ./common/rc
>> +. ./common/filter
>> +. ./common/populate
>> +. ./common/fuzzy
>> +
>> +# real QA test starts here
>> +_supported_os Linux
>> +_supported_fs xfs
>> +_require_scratch
>> +_require_scrub
>> +_require_scratch_nocheck
>> +# Corrupt XFS on purpose, and skip if assert failures would crash system.
>> +_require_no_xfs_bug_on_assert
>> +
>> +rm -f "$seqres.full"
>> +
>> +# Format and mount
>> +_scratch_mkfs>  $seqres.full 2>&1 || _fail "mkfs failed"
>> +_scratch_mount
>> +
>> +# Create a block+(e.g. leaf) format directory
>> +dblksz="$(xfs_info "${SCRATCH_MNT}" | grep naming.*bsize | sed -e 's/^.*bsize=//g' -e 's/\([0-9]*\).*$/\1/g')"
>> +__populate_create_dir "${SCRATCH_MNT}/dir_leaf" "$((dblksz / 12))"
>> +dino=$(stat -c "%i" "${SCRATCH_MNT}/dir_leaf")
>> +
>> +# Corrupt the directory inode's core.mode
>> +_scratch_unmount
>> +setmode="0100755"
>> +_scratch_xfs_set_metadata_field "core.mode" "$setmode" "inode $dino">>  $seqres.full
>> +getmode=$(_scratch_xfs_get_metadata_field "core.mode" "inode $dino")
>> +[ "$getmode" != "$setmode" ]&&  _notrun "failed to set core.mode"
> When does the set fail?  And isn't that a _fail()ure?
Hi Darrick,

The set never failed on my enviroment, and i just ensure set succeeded.
Do you want to remove the check?
>> +
>> +# Check a mounted XFS (online)
>> +_scratch_mount
>> +$XFS_SCRUB_PROG -d -T -v -n $SCRATCH_MNT>>  $seqres.full 2>&1
> I don't think you want to rely on xfs_scrub at this point if you can
> avoid it--scrub is totally experimental and can be deconfigured from the
> kernel.  Can you poke the directory using regular commands (like ls) to
> trigger the assert?
I tried and failed to trigger the assert by some regular commands(ls, 
stat, etc.).
If you have some ideas, could you tell me how to trigger the assert by 
using regular commands?

Thanks,
Xiao Yang
> --D
>
>> +echo "Silence is golden"
>> +
>> +# success, all done
>> +status=0
>> +exit
>> diff --git a/tests/xfs/448.out b/tests/xfs/448.out
>> new file mode 100644
>> index 0000000..b6f0a53
>> --- /dev/null
>> +++ b/tests/xfs/448.out
>> @@ -0,0 +1,2 @@
>> +QA output created by 448
>> +Silence is golden
>> diff --git a/tests/xfs/group b/tests/xfs/group
>> index 51326d9..dd39d08 100644
>> --- a/tests/xfs/group
>> +++ b/tests/xfs/group
>> @@ -445,3 +445,4 @@
>>   445 auto quick filestreams
>>   446 auto quick
>>   447 auto mount
>> +448 auto quick fuzzers
>> -- 
>> 1.8.3.1
>>
>>
>>
>
> .
>

Re: [PATCH] xfs: Regression test for vulnerable directory integrity check

[Darrick J. Wong]

On Fri, May 25, 2018 at 02:33:38PM +0800, Xiao Yang wrote:
> On 2018/05/25 12:37, Darrick J. Wong wrote:
> > On Thu, May 24, 2018 at 05:32:12PM +0800, Xiao Yang wrote:
> > > If a malicious XFS contains a block+ format directory wherein the
> > > directory inode's core.mode is corrupted, and there are subdirectories
> > > of the corrupted directory, an attempt to traverse up the directory
> > > tree by running xfs_scrub will crash the kernel in __xfs_dir3_data_check.
> > > 
> > > Signed-off-by: Xiao Yang<yangx.jy@cn.fujitsu.com>
> > > ---
> > >   tests/xfs/448     | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > >   tests/xfs/448.out |  2 ++
> > >   tests/xfs/group   |  1 +
> > >   3 files changed, 93 insertions(+)
> > >   create mode 100755 tests/xfs/448
> > >   create mode 100644 tests/xfs/448.out
> > > 
> > > diff --git a/tests/xfs/448 b/tests/xfs/448
> > > new file mode 100755
> > > index 0000000..bc151a4
> > > --- /dev/null
> > > +++ b/tests/xfs/448
> > > @@ -0,0 +1,90 @@
> > > +#! /bin/bash
> > > +# FS QA Test No. 448
> > > +#
> > > +# Regression test for commit:
> > > +# 46c5973 ("xfs: harden directory integrity checks some more")
> > > +#
> > > +# If a malicious XFS contains a block+ format directory wherein
> > > +# the directory inode's core.mode is corrupted, and there are
> > > +# subdirectories of the corrupted directory, an attempt to traverse
> > > +# up the directory tree by running xfs_scrub will crash the
> > > +# kernel in __xfs_dir3_data_check.
> > > +#
> > > +# Notice:
> > > +# we should have non fatal asserts configured, because assert
> > > +# failures triggered by the intentional corrupt would crash system.
> > > +#
> > > +#-----------------------------------------------------------------------
> > > +# Copyright (c) 2018 FUJITSU.  All Rights Reserved.
> > > +# Author: Xiao Yang<yangx.jy@cn.fujitsu.com>
> > > +#
> > > +# This program is free software; you can redistribute it and/or
> > > +# modify it under the terms of the GNU General Public License as
> > > +# published by the Free Software Foundation.
> > > +#
> > > +# This program is distributed in the hope that it would be useful,
> > > +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> > > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> > > +# GNU General Public License for more details.
> > > +#
> > > +# You should have received a copy of the GNU General Public License
> > > +# along with this program; if not, write the Free Software Foundation,
> > > +# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
> > > +#-----------------------------------------------------------------------
> > > +
> > > +seq=`basename "$0"`
> > > +seqres="$RESULT_DIR/$seq"
> > > +echo "QA output created by $seq"
> > > +
> > > +here=`pwd`
> > > +tmp=/tmp/$$
> > > +status=1    # failure is the default!
> > > +trap "_cleanup; exit \$status" 0 1 2 3 15
> > > +
> > > +_cleanup()
> > > +{
> > > +	rm -rf $tmp.*
> > > +}
> > > +
> > > +# get standard environment, filters and checks
> > > +. ./common/rc
> > > +. ./common/filter
> > > +. ./common/populate
> > > +. ./common/fuzzy
> > > +
> > > +# real QA test starts here
> > > +_supported_os Linux
> > > +_supported_fs xfs
> > > +_require_scratch
> > > +_require_scrub
> > > +_require_scratch_nocheck
> > > +# Corrupt XFS on purpose, and skip if assert failures would crash system.
> > > +_require_no_xfs_bug_on_assert
> > > +
> > > +rm -f "$seqres.full"
> > > +
> > > +# Format and mount
> > > +_scratch_mkfs>  $seqres.full 2>&1 || _fail "mkfs failed"
> > > +_scratch_mount
> > > +
> > > +# Create a block+(e.g. leaf) format directory
> > > +dblksz="$(xfs_info "${SCRATCH_MNT}" | grep naming.*bsize | sed -e 's/^.*bsize=//g' -e 's/\([0-9]*\).*$/\1/g')"
> > > +__populate_create_dir "${SCRATCH_MNT}/dir_leaf" "$((dblksz / 12))"
> > > +dino=$(stat -c "%i" "${SCRATCH_MNT}/dir_leaf")
> > > +
> > > +# Corrupt the directory inode's core.mode
> > > +_scratch_unmount
> > > +setmode="0100755"
> > > +_scratch_xfs_set_metadata_field "core.mode" "$setmode" "inode $dino">>  $seqres.full
> > > +getmode=$(_scratch_xfs_get_metadata_field "core.mode" "inode $dino")
> > > +[ "$getmode" != "$setmode" ]&&  _notrun "failed to set core.mode"
> > When does the set fail?  And isn't that a _fail()ure?
> Hi Darrick,
> 
> The set never failed on my enviroment, and i just ensure set succeeded.
> Do you want to remove the check?

No, it's usually a good idea to make sure that the debugger actually did
the thing we told it to.  I was simply curious if this occurred on a
regular basis.

> > > +
> > > +# Check a mounted XFS (online)
> > > +_scratch_mount
> > > +$XFS_SCRUB_PROG -d -T -v -n $SCRATCH_MNT>>  $seqres.full 2>&1
> > I don't think you want to rely on xfs_scrub at this point if you can
> > avoid it--scrub is totally experimental and can be deconfigured from the
> > kernel.  Can you poke the directory using regular commands (like ls) to
> > trigger the assert?
> I tried and failed to trigger the assert by some regular commands(ls, stat,
> etc.).
> If you have some ideas, could you tell me how to trigger the assert by using
> regular commands?

Ah, ok.  I'd have thought that "find $SCRATCH_MNT -type f -print0 | xargs
-0 cat > /dev/null" would've triggered the assert, but I don't have any
better suggestions.

--D

> Thanks,
> Xiao Yang
> > --D
> > 
> > > +echo "Silence is golden"
> > > +
> > > +# success, all done
> > > +status=0
> > > +exit
> > > diff --git a/tests/xfs/448.out b/tests/xfs/448.out
> > > new file mode 100644
> > > index 0000000..b6f0a53
> > > --- /dev/null
> > > +++ b/tests/xfs/448.out
> > > @@ -0,0 +1,2 @@
> > > +QA output created by 448
> > > +Silence is golden
> > > diff --git a/tests/xfs/group b/tests/xfs/group
> > > index 51326d9..dd39d08 100644
> > > --- a/tests/xfs/group
> > > +++ b/tests/xfs/group
> > > @@ -445,3 +445,4 @@
> > >   445 auto quick filestreams
> > >   446 auto quick
> > >   447 auto mount
> > > +448 auto quick fuzzers
> > > -- 
> > > 1.8.3.1
> > > 
> > > 
> > > 
> > 
> > .
> > 
> 
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe fstests" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] xfs: Regression test for vulnerable directory integrity check

[Xiao Yang]

Hi Eryu,

Do you have any better ways to trigger the assert?

On 2018/05/30 1:53, Darrick J. Wong wrote:
> On Fri, May 25, 2018 at 02:33:38PM +0800, Xiao Yang wrote:
>> On 2018/05/25 12:37, Darrick J. Wong wrote:
>>> On Thu, May 24, 2018 at 05:32:12PM +0800, Xiao Yang wrote:
>>>> If a malicious XFS contains a block+ format directory wherein the
>>>> directory inode's core.mode is corrupted, and there are subdirectories
>>>> of the corrupted directory, an attempt to traverse up the directory
>>>> tree by running xfs_scrub will crash the kernel in __xfs_dir3_data_check.
>>>>
>>>> Signed-off-by: Xiao Yang<yangx.jy@cn.fujitsu.com>
>>>> ---
>>>>    tests/xfs/448     | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>>>    tests/xfs/448.out |  2 ++
>>>>    tests/xfs/group   |  1 +
>>>>    3 files changed, 93 insertions(+)
>>>>    create mode 100755 tests/xfs/448
>>>>    create mode 100644 tests/xfs/448.out
>>>>
>>>> diff --git a/tests/xfs/448 b/tests/xfs/448
>>>> new file mode 100755
>>>> index 0000000..bc151a4
>>>> --- /dev/null
>>>> +++ b/tests/xfs/448
>>>> @@ -0,0 +1,90 @@
>>>> +#! /bin/bash
>>>> +# FS QA Test No. 448
>>>> +#
>>>> +# Regression test for commit:
>>>> +# 46c5973 ("xfs: harden directory integrity checks some more")
>>>> +#
>>>> +# If a malicious XFS contains a block+ format directory wherein
>>>> +# the directory inode's core.mode is corrupted, and there are
>>>> +# subdirectories of the corrupted directory, an attempt to traverse
>>>> +# up the directory tree by running xfs_scrub will crash the
>>>> +# kernel in __xfs_dir3_data_check.
>>>> +#
>>>> +# Notice:
>>>> +# we should have non fatal asserts configured, because assert
>>>> +# failures triggered by the intentional corrupt would crash system.
>>>> +#
>>>> +#-----------------------------------------------------------------------
>>>> +# Copyright (c) 2018 FUJITSU.  All Rights Reserved.
>>>> +# Author: Xiao Yang<yangx.jy@cn.fujitsu.com>
>>>> +#
>>>> +# This program is free software; you can redistribute it and/or
>>>> +# modify it under the terms of the GNU General Public License as
>>>> +# published by the Free Software Foundation.
>>>> +#
>>>> +# This program is distributed in the hope that it would be useful,
>>>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
>>>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>>>> +# GNU General Public License for more details.
>>>> +#
>>>> +# You should have received a copy of the GNU General Public License
>>>> +# along with this program; if not, write the Free Software Foundation,
>>>> +# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
>>>> +#-----------------------------------------------------------------------
>>>> +
>>>> +seq=`basename "$0"`
>>>> +seqres="$RESULT_DIR/$seq"
>>>> +echo "QA output created by $seq"
>>>> +
>>>> +here=`pwd`
>>>> +tmp=/tmp/$$
>>>> +status=1    # failure is the default!
>>>> +trap "_cleanup; exit \$status" 0 1 2 3 15
>>>> +
>>>> +_cleanup()
>>>> +{
>>>> +	rm -rf $tmp.*
>>>> +}
>>>> +
>>>> +# get standard environment, filters and checks
>>>> +. ./common/rc
>>>> +. ./common/filter
>>>> +. ./common/populate
>>>> +. ./common/fuzzy
>>>> +
>>>> +# real QA test starts here
>>>> +_supported_os Linux
>>>> +_supported_fs xfs
>>>> +_require_scratch
>>>> +_require_scrub
>>>> +_require_scratch_nocheck
>>>> +# Corrupt XFS on purpose, and skip if assert failures would crash system.
>>>> +_require_no_xfs_bug_on_assert
>>>> +
>>>> +rm -f "$seqres.full"
>>>> +
>>>> +# Format and mount
>>>> +_scratch_mkfs>   $seqres.full 2>&1 || _fail "mkfs failed"
>>>> +_scratch_mount
>>>> +
>>>> +# Create a block+(e.g. leaf) format directory
>>>> +dblksz="$(xfs_info "${SCRATCH_MNT}" | grep naming.*bsize | sed -e 's/^.*bsize=//g' -e 's/\([0-9]*\).*$/\1/g')"
>>>> +__populate_create_dir "${SCRATCH_MNT}/dir_leaf" "$((dblksz / 12))"
>>>> +dino=$(stat -c "%i" "${SCRATCH_MNT}/dir_leaf")
>>>> +
>>>> +# Corrupt the directory inode's core.mode
>>>> +_scratch_unmount
>>>> +setmode="0100755"
>>>> +_scratch_xfs_set_metadata_field "core.mode" "$setmode" "inode $dino">>   $seqres.full
>>>> +getmode=$(_scratch_xfs_get_metadata_field "core.mode" "inode $dino")
>>>> +[ "$getmode" != "$setmode" ]&&   _notrun "failed to set core.mode"
>>> When does the set fail?  And isn't that a _fail()ure?
>> Hi Darrick,
>>
>> The set never failed on my enviroment, and i just ensure set succeeded.
>> Do you want to remove the check?
> No, it's usually a good idea to make sure that the debugger actually did
> the thing we told it to.  I was simply curious if this occurred on a
> regular basis.
Hi Darrick,

OK,  keep it.
>>>> +
>>>> +# Check a mounted XFS (online)
>>>> +_scratch_mount
>>>> +$XFS_SCRUB_PROG -d -T -v -n $SCRATCH_MNT>>   $seqres.full 2>&1
>>> I don't think you want to rely on xfs_scrub at this point if you can
>>> avoid it--scrub is totally experimental and can be deconfigured from the
>>> kernel.  Can you poke the directory using regular commands (like ls) to
>>> trigger the assert?
>> I tried and failed to trigger the assert by some regular commands(ls, stat,
>> etc.).
>> If you have some ideas, could you tell me how to trigger the assert by using
>> regular commands?
> Ah, ok.  I'd have thought that "find $SCRATCH_MNT -type f -print0 | xargs
> -0 cat>  /dev/null" would've triggered the assert, but I don't have any
> better suggestions.
I tried the find command, but failed to trigger the assert.
If nobody has a better way, can we still use xfs_scrub command in the test?

Thanks,
Xiao Yang
> --D
>
>> Thanks,
>> Xiao Yang
>>> --D
>>>
>>>> +echo "Silence is golden"
>>>> +
>>>> +# success, all done
>>>> +status=0
>>>> +exit
>>>> diff --git a/tests/xfs/448.out b/tests/xfs/448.out
>>>> new file mode 100644
>>>> index 0000000..b6f0a53
>>>> --- /dev/null
>>>> +++ b/tests/xfs/448.out
>>>> @@ -0,0 +1,2 @@
>>>> +QA output created by 448
>>>> +Silence is golden
>>>> diff --git a/tests/xfs/group b/tests/xfs/group
>>>> index 51326d9..dd39d08 100644
>>>> --- a/tests/xfs/group
>>>> +++ b/tests/xfs/group
>>>> @@ -445,3 +445,4 @@
>>>>    445 auto quick filestreams
>>>>    446 auto quick
>>>>    447 auto mount
>>>> +448 auto quick fuzzers
>>>> -- 
>>>> 1.8.3.1
>>>>
>>>>
>>>>
>>> .
>>>
>>
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe fstests" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
> .
>

Re: [PATCH] xfs: Regression test for vulnerable directory integrity check

[Darrick J. Wong]

On Wed, May 30, 2018 at 12:04:42PM +0800, Xiao Yang wrote:
> Hi Eryu,
> 
> Do you have any better ways to trigger the assert?
> 
> On 2018/05/30 1:53, Darrick J. Wong wrote:
> > On Fri, May 25, 2018 at 02:33:38PM +0800, Xiao Yang wrote:
> > > On 2018/05/25 12:37, Darrick J. Wong wrote:
> > > > On Thu, May 24, 2018 at 05:32:12PM +0800, Xiao Yang wrote:
> > > > > If a malicious XFS contains a block+ format directory wherein the
> > > > > directory inode's core.mode is corrupted, and there are subdirectories
> > > > > of the corrupted directory, an attempt to traverse up the directory
> > > > > tree by running xfs_scrub will crash the kernel in __xfs_dir3_data_check.
> > > > > 
> > > > > Signed-off-by: Xiao Yang<yangx.jy@cn.fujitsu.com>
> > > > > ---
> > > > >    tests/xfs/448     | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > > > >    tests/xfs/448.out |  2 ++
> > > > >    tests/xfs/group   |  1 +
> > > > >    3 files changed, 93 insertions(+)
> > > > >    create mode 100755 tests/xfs/448
> > > > >    create mode 100644 tests/xfs/448.out
> > > > > 
> > > > > diff --git a/tests/xfs/448 b/tests/xfs/448
> > > > > new file mode 100755
> > > > > index 0000000..bc151a4
> > > > > --- /dev/null
> > > > > +++ b/tests/xfs/448
> > > > > @@ -0,0 +1,90 @@
> > > > > +#! /bin/bash
> > > > > +# FS QA Test No. 448
> > > > > +#
> > > > > +# Regression test for commit:
> > > > > +# 46c5973 ("xfs: harden directory integrity checks some more")
> > > > > +#
> > > > > +# If a malicious XFS contains a block+ format directory wherein
> > > > > +# the directory inode's core.mode is corrupted, and there are
> > > > > +# subdirectories of the corrupted directory, an attempt to traverse
> > > > > +# up the directory tree by running xfs_scrub will crash the
> > > > > +# kernel in __xfs_dir3_data_check.
> > > > > +#
> > > > > +# Notice:
> > > > > +# we should have non fatal asserts configured, because assert
> > > > > +# failures triggered by the intentional corrupt would crash system.
> > > > > +#
> > > > > +#-----------------------------------------------------------------------
> > > > > +# Copyright (c) 2018 FUJITSU.  All Rights Reserved.
> > > > > +# Author: Xiao Yang<yangx.jy@cn.fujitsu.com>
> > > > > +#
> > > > > +# This program is free software; you can redistribute it and/or
> > > > > +# modify it under the terms of the GNU General Public License as
> > > > > +# published by the Free Software Foundation.
> > > > > +#
> > > > > +# This program is distributed in the hope that it would be useful,
> > > > > +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> > > > > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> > > > > +# GNU General Public License for more details.
> > > > > +#
> > > > > +# You should have received a copy of the GNU General Public License
> > > > > +# along with this program; if not, write the Free Software Foundation,
> > > > > +# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
> > > > > +#-----------------------------------------------------------------------
> > > > > +
> > > > > +seq=`basename "$0"`
> > > > > +seqres="$RESULT_DIR/$seq"
> > > > > +echo "QA output created by $seq"
> > > > > +
> > > > > +here=`pwd`
> > > > > +tmp=/tmp/$$
> > > > > +status=1    # failure is the default!
> > > > > +trap "_cleanup; exit \$status" 0 1 2 3 15
> > > > > +
> > > > > +_cleanup()
> > > > > +{
> > > > > +	rm -rf $tmp.*
> > > > > +}
> > > > > +
> > > > > +# get standard environment, filters and checks
> > > > > +. ./common/rc
> > > > > +. ./common/filter
> > > > > +. ./common/populate
> > > > > +. ./common/fuzzy
> > > > > +
> > > > > +# real QA test starts here
> > > > > +_supported_os Linux
> > > > > +_supported_fs xfs
> > > > > +_require_scratch
> > > > > +_require_scrub
> > > > > +_require_scratch_nocheck
> > > > > +# Corrupt XFS on purpose, and skip if assert failures would crash system.
> > > > > +_require_no_xfs_bug_on_assert
> > > > > +
> > > > > +rm -f "$seqres.full"
> > > > > +
> > > > > +# Format and mount
> > > > > +_scratch_mkfs>   $seqres.full 2>&1 || _fail "mkfs failed"
> > > > > +_scratch_mount
> > > > > +
> > > > > +# Create a block+(e.g. leaf) format directory
> > > > > +dblksz="$(xfs_info "${SCRATCH_MNT}" | grep naming.*bsize | sed -e 's/^.*bsize=//g' -e 's/\([0-9]*\).*$/\1/g')"
> > > > > +__populate_create_dir "${SCRATCH_MNT}/dir_leaf" "$((dblksz / 12))"
> > > > > +dino=$(stat -c "%i" "${SCRATCH_MNT}/dir_leaf")
> > > > > +
> > > > > +# Corrupt the directory inode's core.mode
> > > > > +_scratch_unmount
> > > > > +setmode="0100755"
> > > > > +_scratch_xfs_set_metadata_field "core.mode" "$setmode" "inode $dino">>   $seqres.full
> > > > > +getmode=$(_scratch_xfs_get_metadata_field "core.mode" "inode $dino")
> > > > > +[ "$getmode" != "$setmode" ]&&   _notrun "failed to set core.mode"
> > > > When does the set fail?  And isn't that a _fail()ure?
> > > Hi Darrick,
> > > 
> > > The set never failed on my enviroment, and i just ensure set succeeded.
> > > Do you want to remove the check?
> > No, it's usually a good idea to make sure that the debugger actually did
> > the thing we told it to.  I was simply curious if this occurred on a
> > regular basis.
> Hi Darrick,
> 
> OK,  keep it.
> > > > > +
> > > > > +# Check a mounted XFS (online)
> > > > > +_scratch_mount
> > > > > +$XFS_SCRUB_PROG -d -T -v -n $SCRATCH_MNT>>   $seqres.full 2>&1
> > > > I don't think you want to rely on xfs_scrub at this point if you can
> > > > avoid it--scrub is totally experimental and can be deconfigured from the
> > > > kernel.  Can you poke the directory using regular commands (like ls) to
> > > > trigger the assert?
> > > I tried and failed to trigger the assert by some regular commands(ls, stat,
> > > etc.).
> > > If you have some ideas, could you tell me how to trigger the assert by using
> > > regular commands?
> > Ah, ok.  I'd have thought that "find $SCRATCH_MNT -type f -print0 | xargs
> > -0 cat>  /dev/null" would've triggered the assert, but I don't have any
> > better suggestions.
> I tried the find command, but failed to trigger the assert.
> If nobody has a better way, can we still use xfs_scrub command in the test?

Sure.  To be fair, scrub had a silly bug in it that made this easy to
trip over + test for. :)

Though you might consider the simpler:

$XFS_IO_PROG -c 'scrub parent' /path/to/the/child/file

since we're not going to change xfs_io unless we absolutely have to.

--D

> Thanks,
> Xiao Yang
> > --D
> > 
> > > Thanks,
> > > Xiao Yang
> > > > --D
> > > > 
> > > > > +echo "Silence is golden"
> > > > > +
> > > > > +# success, all done
> > > > > +status=0
> > > > > +exit
> > > > > diff --git a/tests/xfs/448.out b/tests/xfs/448.out
> > > > > new file mode 100644
> > > > > index 0000000..b6f0a53
> > > > > --- /dev/null
> > > > > +++ b/tests/xfs/448.out
> > > > > @@ -0,0 +1,2 @@
> > > > > +QA output created by 448
> > > > > +Silence is golden
> > > > > diff --git a/tests/xfs/group b/tests/xfs/group
> > > > > index 51326d9..dd39d08 100644
> > > > > --- a/tests/xfs/group
> > > > > +++ b/tests/xfs/group
> > > > > @@ -445,3 +445,4 @@
> > > > >    445 auto quick filestreams
> > > > >    446 auto quick
> > > > >    447 auto mount
> > > > > +448 auto quick fuzzers
> > > > > -- 
> > > > > 1.8.3.1
> > > > > 
> > > > > 
> > > > > 
> > > > .
> > > > 
> > > 
> > > 
> > > --
> > > To unsubscribe from this list: send the line "unsubscribe fstests" in
> > > the body of a message to majordomo@vger.kernel.org
> > > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > 
> > .
> > 
> 
> 
> 

Re: [PATCH] xfs: Regression test for vulnerable directory integrity check

[Eryu Guan]

On Wed, May 30, 2018 at 12:04:42PM +0800, Xiao Yang wrote:
> Hi Eryu,
> 
> Do you have any better ways to trigger the assert?

Sorry, I've no better ideas here..

> 
> On 2018/05/30 1:53, Darrick J. Wong wrote:
> > On Fri, May 25, 2018 at 02:33:38PM +0800, Xiao Yang wrote:
> > > On 2018/05/25 12:37, Darrick J. Wong wrote:
> > > > On Thu, May 24, 2018 at 05:32:12PM +0800, Xiao Yang wrote:
> > > > > If a malicious XFS contains a block+ format directory wherein the
> > > > > directory inode's core.mode is corrupted, and there are subdirectories
> > > > > of the corrupted directory, an attempt to traverse up the directory
> > > > > tree by running xfs_scrub will crash the kernel in __xfs_dir3_data_check.
> > > > > 
> > > > > Signed-off-by: Xiao Yang<yangx.jy@cn.fujitsu.com>
> > > > > ---
> > > > >    tests/xfs/448     | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > > > >    tests/xfs/448.out |  2 ++
> > > > >    tests/xfs/group   |  1 +
> > > > >    3 files changed, 93 insertions(+)
> > > > >    create mode 100755 tests/xfs/448
> > > > >    create mode 100644 tests/xfs/448.out
> > > > > 
> > > > > diff --git a/tests/xfs/448 b/tests/xfs/448
> > > > > new file mode 100755
> > > > > index 0000000..bc151a4
> > > > > --- /dev/null
> > > > > +++ b/tests/xfs/448
> > > > > @@ -0,0 +1,90 @@
> > > > > +#! /bin/bash
> > > > > +# FS QA Test No. 448
> > > > > +#
> > > > > +# Regression test for commit:
> > > > > +# 46c5973 ("xfs: harden directory integrity checks some more")

It'd be better to reference the commit with 12-digits commit id.

> > > > > +#
> > > > > +# If a malicious XFS contains a block+ format directory wherein
> > > > > +# the directory inode's core.mode is corrupted, and there are
> > > > > +# subdirectories of the corrupted directory, an attempt to traverse
> > > > > +# up the directory tree by running xfs_scrub will crash the
> > > > > +# kernel in __xfs_dir3_data_check.
> > > > > +#
> > > > > +# Notice:
> > > > > +# we should have non fatal asserts configured, because assert
> > > > > +# failures triggered by the intentional corrupt would crash system.
> > > > > +#
> > > > > +#-----------------------------------------------------------------------
> > > > > +# Copyright (c) 2018 FUJITSU.  All Rights Reserved.
> > > > > +# Author: Xiao Yang<yangx.jy@cn.fujitsu.com>

Author not needed.

> > > > > +#
> > > > > +# This program is free software; you can redistribute it and/or
> > > > > +# modify it under the terms of the GNU General Public License as
> > > > > +# published by the Free Software Foundation.
> > > > > +#
> > > > > +# This program is distributed in the hope that it would be useful,
> > > > > +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> > > > > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> > > > > +# GNU General Public License for more details.
> > > > > +#
> > > > > +# You should have received a copy of the GNU General Public License
> > > > > +# along with this program; if not, write the Free Software Foundation,
> > > > > +# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
> > > > > +#-----------------------------------------------------------------------
> > > > > +
> > > > > +seq=`basename "$0"`
> > > > > +seqres="$RESULT_DIR/$seq"
> > > > > +echo "QA output created by $seq"
> > > > > +
> > > > > +here=`pwd`
> > > > > +tmp=/tmp/$$
> > > > > +status=1    # failure is the default!
> > > > > +trap "_cleanup; exit \$status" 0 1 2 3 15
> > > > > +
> > > > > +_cleanup()
> > > > > +{
> > > > > +	rm -rf $tmp.*

Please follow the 'new' template in _cleanup(), and add any cleanup
steps specific to the test.

> > > > > +}
> > > > > +
> > > > > +# get standard environment, filters and checks
> > > > > +. ./common/rc
> > > > > +. ./common/filter
> > > > > +. ./common/populate
> > > > > +. ./common/fuzzy
> > > > > +
> > > > > +# real QA test starts here
> > > > > +_supported_os Linux
> > > > > +_supported_fs xfs
> > > > > +_require_scratch

_require_scratch_nocheck below is sufficient.

> > > > > +_require_scrub
> > > > > +_require_scratch_nocheck
> > > > > +# Corrupt XFS on purpose, and skip if assert failures would crash system.
> > > > > +_require_no_xfs_bug_on_assert
> > > > > +
> > > > > +rm -f "$seqres.full"
> > > > > +
> > > > > +# Format and mount
> > > > > +_scratch_mkfs>   $seqres.full 2>&1 || _fail "mkfs failed"
> > > > > +_scratch_mount
> > > > > +
> > > > > +# Create a block+(e.g. leaf) format directory
> > > > > +dblksz="$(xfs_info "${SCRATCH_MNT}" | grep naming.*bsize | sed -e 's/^.*bsize=//g' -e 's/\([0-9]*\).*$/\1/g')"

I think we can update _filter_mkfs to print out bsize for naming section
too and get the size by sourcing filter output, e.g.

_scratch_mkfs > $seqres.full 2> $tmp.mkfs || _fail "mkfs failed"
...
# get directory block size
. $tmp.mkfs
...

> > > > > +__populate_create_dir "${SCRATCH_MNT}/dir_leaf" "$((dblksz / 12))"
> > > > > +dino=$(stat -c "%i" "${SCRATCH_MNT}/dir_leaf")
> > > > > +
> > > > > +# Corrupt the directory inode's core.mode
> > > > > +_scratch_unmount
> > > > > +setmode="0100755"
> > > > > +_scratch_xfs_set_metadata_field "core.mode" "$setmode" "inode $dino">>   $seqres.full
> > > > > +getmode=$(_scratch_xfs_get_metadata_field "core.mode" "inode $dino")
> > > > > +[ "$getmode" != "$setmode" ]&&   _notrun "failed to set core.mode"
> > > > When does the set fail?  And isn't that a _fail()ure?

Yeah, looks like a _fail to me.

Thanks,
Eryu

> > > Hi Darrick,
> > > 
> > > The set never failed on my enviroment, and i just ensure set succeeded.
> > > Do you want to remove the check?
> > No, it's usually a good idea to make sure that the debugger actually did
> > the thing we told it to.  I was simply curious if this occurred on a
> > regular basis.
> Hi Darrick,
> 
> OK,  keep it.
> > > > > +
> > > > > +# Check a mounted XFS (online)
> > > > > +_scratch_mount
> > > > > +$XFS_SCRUB_PROG -d -T -v -n $SCRATCH_MNT>>   $seqres.full 2>&1
> > > > I don't think you want to rely on xfs_scrub at this point if you can
> > > > avoid it--scrub is totally experimental and can be deconfigured from the
> > > > kernel.  Can you poke the directory using regular commands (like ls) to
> > > > trigger the assert?
> > > I tried and failed to trigger the assert by some regular commands(ls, stat,
> > > etc.).
> > > If you have some ideas, could you tell me how to trigger the assert by using
> > > regular commands?
> > Ah, ok.  I'd have thought that "find $SCRATCH_MNT -type f -print0 | xargs
> > -0 cat>  /dev/null" would've triggered the assert, but I don't have any
> > better suggestions.
> I tried the find command, but failed to trigger the assert.
> If nobody has a better way, can we still use xfs_scrub command in the test?
> 
> Thanks,
> Xiao Yang
> > --D
> > 
> > > Thanks,
> > > Xiao Yang
> > > > --D
> > > > 
> > > > > +echo "Silence is golden"
> > > > > +
> > > > > +# success, all done
> > > > > +status=0
> > > > > +exit
> > > > > diff --git a/tests/xfs/448.out b/tests/xfs/448.out
> > > > > new file mode 100644
> > > > > index 0000000..b6f0a53
> > > > > --- /dev/null
> > > > > +++ b/tests/xfs/448.out
> > > > > @@ -0,0 +1,2 @@
> > > > > +QA output created by 448
> > > > > +Silence is golden
> > > > > diff --git a/tests/xfs/group b/tests/xfs/group
> > > > > index 51326d9..dd39d08 100644
> > > > > --- a/tests/xfs/group
> > > > > +++ b/tests/xfs/group
> > > > > @@ -445,3 +445,4 @@
> > > > >    445 auto quick filestreams
> > > > >    446 auto quick
> > > > >    447 auto mount
> > > > > +448 auto quick fuzzers
> > > > > -- 
> > > > > 1.8.3.1
> > > > > 
> > > > > 
> > > > > 
> > > > .
> > > > 
> > > 
> > > 
> > > --
> > > To unsubscribe from this list: send the line "unsubscribe fstests" in
> > > the body of a message to majordomo@vger.kernel.org
> > > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > 
> > .
> > 
> 
> 
> 

[PATCH v2] xfs: Regression test for vulnerable directory integrity check

[Xiao Yang]

If a malicious XFS contains a block+ format directory wherein the
directory inode's core.mode is corrupted, and there are subdirectories
of the corrupted directory, an attempt to traverse up the directory
tree by running xfs_scrub will crash the kernel in __xfs_dir3_data_check.

Signed-off-by: Xiao Yang <yangx.jy@cn.fujitsu.com>
---
 tests/xfs/448     | 96 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/448.out |  2 ++
 tests/xfs/group   |  1 +
 3 files changed, 99 insertions(+)
 create mode 100755 tests/xfs/448
 create mode 100644 tests/xfs/448.out

diff --git a/tests/xfs/448 b/tests/xfs/448
new file mode 100755
index 0000000..9ea9295
--- /dev/null
+++ b/tests/xfs/448
@@ -0,0 +1,96 @@
+#! /bin/bash
+# FS QA Test No. 448
+#
+# Regression test for commit:
+# 46c59736d809 ("xfs: harden directory integrity checks some more")
+#
+# If a malicious XFS contains a block+ format directory wherein
+# the directory inode's core.mode is corrupted, and there are
+# subdirectories of the corrupted directory, an attempt to traverse
+# up the directory tree by running xfs_scrub will crash the
+# kernel in __xfs_dir3_data_check.
+#
+# Notice:
+# we should have non fatal asserts configured, because assert
+# failures triggered by the intentional corrupt would crash system.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2018 FUJITSU LIMITED. All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#-----------------------------------------------------------------------
+
+seq=`basename "$0"`
+seqres="$RESULT_DIR/$seq"
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1    # failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+	cd /
+	rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_nocheck
+_require_xfs_io_command "scrub"
+# Corrupt XFS on purpose, and skip if assert failures would crash system.
+_require_no_xfs_bug_on_assert
+
+rm -f "$seqres.full"
+
+# Format and mount
+_scratch_mkfs | _filter_mkfs > $seqres.full 2> $tmp.mkfs || _fail "mkfs failed"
+_scratch_mount
+
+# Get directory block size
+. $tmp.mkfs
+
+# Create a block+(e.g. leaf) format directory
+__populate_create_dir "${SCRATCH_MNT}/dir_leaf" "$((dirbsize / 12))"
+
+# Get the block+ directory inode and a subdirectory inode of it
+subdino=$(stat -c "%i" "$(find ${SCRATCH_MNT}/dir_leaf/* -type d | head -1)")
+dino=$(stat -c "%i" "${SCRATCH_MNT}/dir_leaf")
+
+# Get the subdirectory's generation number
+_scratch_unmount
+subdgen=$(_scratch_xfs_get_metadata_field "core.gen" "inode $subdino")
+
+# Corrupt the directory inode's core.mode
+setmode="0100755"
+_scratch_xfs_set_metadata_field "core.mode" "$setmode" "inode $dino" >> $seqres.full
+getmode=$(_scratch_xfs_get_metadata_field "core.mode" "inode $dino")
+[ "$getmode" != "$setmode" ] && _fail "failed to set core.mode"
+
+# Scrub parent directory in subdirectory (online)
+_scratch_mount
+$XFS_IO_PROG -x -c "scrub parent $subdino $subdgen" ${SCRATCH_MNT} >> $seqres.full
+
+echo "Silence is golden"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/448.out b/tests/xfs/448.out
new file mode 100644
index 0000000..b6f0a53
--- /dev/null
+++ b/tests/xfs/448.out
@@ -0,0 +1,2 @@
+QA output created by 448
+Silence is golden
diff --git a/tests/xfs/group b/tests/xfs/group
index 51326d9..dd39d08 100644
--- a/tests/xfs/group
+++ b/tests/xfs/group
@@ -445,3 +445,4 @@
 445 auto quick filestreams
 446 auto quick
 447 auto mount
+448 auto quick fuzzers
-- 
1.8.3.1

Re: [PATCH v2] xfs: Regression test for vulnerable directory integrity check

[Darrick J. Wong]

On Wed, May 30, 2018 at 04:53:43PM +0800, Xiao Yang wrote:
> If a malicious XFS contains a block+ format directory wherein the
> directory inode's core.mode is corrupted, and there are subdirectories
> of the corrupted directory, an attempt to traverse up the directory
> tree by running xfs_scrub will crash the kernel in __xfs_dir3_data_check.
> 
> Signed-off-by: Xiao Yang <yangx.jy@cn.fujitsu.com>

Looks good,
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>

--D

> ---
>  tests/xfs/448     | 96 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  tests/xfs/448.out |  2 ++
>  tests/xfs/group   |  1 +
>  3 files changed, 99 insertions(+)
>  create mode 100755 tests/xfs/448
>  create mode 100644 tests/xfs/448.out
> 
> diff --git a/tests/xfs/448 b/tests/xfs/448
> new file mode 100755
> index 0000000..9ea9295
> --- /dev/null
> +++ b/tests/xfs/448
> @@ -0,0 +1,96 @@
> +#! /bin/bash
> +# FS QA Test No. 448
> +#
> +# Regression test for commit:
> +# 46c59736d809 ("xfs: harden directory integrity checks some more")
> +#
> +# If a malicious XFS contains a block+ format directory wherein
> +# the directory inode's core.mode is corrupted, and there are
> +# subdirectories of the corrupted directory, an attempt to traverse
> +# up the directory tree by running xfs_scrub will crash the
> +# kernel in __xfs_dir3_data_check.
> +#
> +# Notice:
> +# we should have non fatal asserts configured, because assert
> +# failures triggered by the intentional corrupt would crash system.
> +#
> +#-----------------------------------------------------------------------
> +# Copyright (c) 2018 FUJITSU LIMITED. All Rights Reserved.
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU General Public License as
> +# published by the Free Software Foundation.
> +#
> +# This program is distributed in the hope that it would be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program; if not, write the Free Software Foundation,
> +# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
> +#-----------------------------------------------------------------------
> +
> +seq=`basename "$0"`
> +seqres="$RESULT_DIR/$seq"
> +echo "QA output created by $seq"
> +
> +here=`pwd`
> +tmp=/tmp/$$
> +status=1    # failure is the default!
> +trap "_cleanup; exit \$status" 0 1 2 3 15
> +
> +_cleanup()
> +{
> +	cd /
> +	rm -rf $tmp.*
> +}
> +
> +# get standard environment, filters and checks
> +. ./common/rc
> +. ./common/filter
> +. ./common/populate
> +
> +# real QA test starts here
> +_supported_os Linux
> +_supported_fs xfs
> +_require_scratch_nocheck
> +_require_xfs_io_command "scrub"
> +# Corrupt XFS on purpose, and skip if assert failures would crash system.
> +_require_no_xfs_bug_on_assert
> +
> +rm -f "$seqres.full"
> +
> +# Format and mount
> +_scratch_mkfs | _filter_mkfs > $seqres.full 2> $tmp.mkfs || _fail "mkfs failed"
> +_scratch_mount
> +
> +# Get directory block size
> +. $tmp.mkfs
> +
> +# Create a block+(e.g. leaf) format directory
> +__populate_create_dir "${SCRATCH_MNT}/dir_leaf" "$((dirbsize / 12))"
> +
> +# Get the block+ directory inode and a subdirectory inode of it
> +subdino=$(stat -c "%i" "$(find ${SCRATCH_MNT}/dir_leaf/* -type d | head -1)")
> +dino=$(stat -c "%i" "${SCRATCH_MNT}/dir_leaf")
> +
> +# Get the subdirectory's generation number
> +_scratch_unmount
> +subdgen=$(_scratch_xfs_get_metadata_field "core.gen" "inode $subdino")
> +
> +# Corrupt the directory inode's core.mode
> +setmode="0100755"
> +_scratch_xfs_set_metadata_field "core.mode" "$setmode" "inode $dino" >> $seqres.full
> +getmode=$(_scratch_xfs_get_metadata_field "core.mode" "inode $dino")
> +[ "$getmode" != "$setmode" ] && _fail "failed to set core.mode"
> +
> +# Scrub parent directory in subdirectory (online)
> +_scratch_mount
> +$XFS_IO_PROG -x -c "scrub parent $subdino $subdgen" ${SCRATCH_MNT} >> $seqres.full
> +
> +echo "Silence is golden"
> +
> +# success, all done
> +status=0
> +exit
> diff --git a/tests/xfs/448.out b/tests/xfs/448.out
> new file mode 100644
> index 0000000..b6f0a53
> --- /dev/null
> +++ b/tests/xfs/448.out
> @@ -0,0 +1,2 @@
> +QA output created by 448
> +Silence is golden
> diff --git a/tests/xfs/group b/tests/xfs/group
> index 51326d9..dd39d08 100644
> --- a/tests/xfs/group
> +++ b/tests/xfs/group
> @@ -445,3 +445,4 @@
>  445 auto quick filestreams
>  446 auto quick
>  447 auto mount
> +448 auto quick fuzzers
> -- 
> 1.8.3.1
> 
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe fstests" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v2] xfs: Regression test for vulnerable directory integrity check

[Eryu Guan]

On Wed, May 30, 2018 at 04:53:43PM +0800, Xiao Yang wrote:
> If a malicious XFS contains a block+ format directory wherein the
> directory inode's core.mode is corrupted, and there are subdirectories
> of the corrupted directory, an attempt to traverse up the directory
> tree by running xfs_scrub will crash the kernel in __xfs_dir3_data_check.
> 
> Signed-off-by: Xiao Yang <yangx.jy@cn.fujitsu.com>

Thanks for the update!

> ---
>  tests/xfs/448     | 96 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  tests/xfs/448.out |  2 ++
>  tests/xfs/group   |  1 +
>  3 files changed, 99 insertions(+)
>  create mode 100755 tests/xfs/448
>  create mode 100644 tests/xfs/448.out
> 
> diff --git a/tests/xfs/448 b/tests/xfs/448
> new file mode 100755
> index 0000000..9ea9295
> --- /dev/null
> +++ b/tests/xfs/448
> @@ -0,0 +1,96 @@
> +#! /bin/bash
> +# FS QA Test No. 448
> +#
> +# Regression test for commit:
> +# 46c59736d809 ("xfs: harden directory integrity checks some more")

But I couldn't triger the test failre (kernel crash?) with this commit
reverted, with either v1 nor v2 patch. I was testing with 4.17-rc5 based
kernel, could you please take a look?

> +#
> +# If a malicious XFS contains a block+ format directory wherein
> +# the directory inode's core.mode is corrupted, and there are
> +# subdirectories of the corrupted directory, an attempt to traverse
> +# up the directory tree by running xfs_scrub will crash the
> +# kernel in __xfs_dir3_data_check.
> +#
> +# Notice:
> +# we should have non fatal asserts configured, because assert
> +# failures triggered by the intentional corrupt would crash system.
> +#
> +#-----------------------------------------------------------------------
> +# Copyright (c) 2018 FUJITSU LIMITED. All Rights Reserved.
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU General Public License as
> +# published by the Free Software Foundation.
> +#
> +# This program is distributed in the hope that it would be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program; if not, write the Free Software Foundation,
> +# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
> +#-----------------------------------------------------------------------
> +
> +seq=`basename "$0"`
> +seqres="$RESULT_DIR/$seq"
> +echo "QA output created by $seq"
> +
> +here=`pwd`
> +tmp=/tmp/$$
> +status=1    # failure is the default!
> +trap "_cleanup; exit \$status" 0 1 2 3 15
> +
> +_cleanup()
> +{
> +	cd /
> +	rm -rf $tmp.*
> +}
> +
> +# get standard environment, filters and checks
> +. ./common/rc
> +. ./common/filter
> +. ./common/populate
> +
> +# real QA test starts here
> +_supported_os Linux
> +_supported_fs xfs
> +_require_scratch_nocheck
> +_require_xfs_io_command "scrub"
> +# Corrupt XFS on purpose, and skip if assert failures would crash system.
> +_require_no_xfs_bug_on_assert
> +
> +rm -f "$seqres.full"
> +
> +# Format and mount
> +_scratch_mkfs | _filter_mkfs > $seqres.full 2> $tmp.mkfs || _fail "mkfs failed"
> +_scratch_mount
> +
> +# Get directory block size
> +. $tmp.mkfs
> +
> +# Create a block+(e.g. leaf) format directory
> +__populate_create_dir "${SCRATCH_MNT}/dir_leaf" "$((dirbsize / 12))"
> +
> +# Get the block+ directory inode and a subdirectory inode of it
> +subdino=$(stat -c "%i" "$(find ${SCRATCH_MNT}/dir_leaf/* -type d | head -1)")
> +dino=$(stat -c "%i" "${SCRATCH_MNT}/dir_leaf")
> +
> +# Get the subdirectory's generation number
> +_scratch_unmount
> +subdgen=$(_scratch_xfs_get_metadata_field "core.gen" "inode $subdino")
> +
> +# Corrupt the directory inode's core.mode
> +setmode="0100755"
> +_scratch_xfs_set_metadata_field "core.mode" "$setmode" "inode $dino" >> $seqres.full
> +getmode=$(_scratch_xfs_get_metadata_field "core.mode" "inode $dino")
> +[ "$getmode" != "$setmode" ] && _fail "failed to set core.mode"
> +
> +# Scrub parent directory in subdirectory (online)
> +_scratch_mount
> +$XFS_IO_PROG -x -c "scrub parent $subdino $subdgen" ${SCRATCH_MNT} >> $seqres.full

And I always see "+scrub: Inappropriate ioctl for device" here with this
v2 patch.

Thanks,
Eryu

> +
> +echo "Silence is golden"
> +
> +# success, all done
> +status=0
> +exit
> diff --git a/tests/xfs/448.out b/tests/xfs/448.out
> new file mode 100644
> index 0000000..b6f0a53
> --- /dev/null
> +++ b/tests/xfs/448.out
> @@ -0,0 +1,2 @@
> +QA output created by 448
> +Silence is golden
> diff --git a/tests/xfs/group b/tests/xfs/group
> index 51326d9..dd39d08 100644
> --- a/tests/xfs/group
> +++ b/tests/xfs/group
> @@ -445,3 +445,4 @@
>  445 auto quick filestreams
>  446 auto quick
>  447 auto mount
> +448 auto quick fuzzers
> -- 
> 1.8.3.1
> 
> 
> 

Re: [PATCH v2] xfs: Regression test for vulnerable directory integrity check

[Darrick J. Wong]

On Sun, Jun 03, 2018 at 09:37:18PM +0800, Eryu Guan wrote:
> On Wed, May 30, 2018 at 04:53:43PM +0800, Xiao Yang wrote:
> > If a malicious XFS contains a block+ format directory wherein the
> > directory inode's core.mode is corrupted, and there are subdirectories
> > of the corrupted directory, an attempt to traverse up the directory
> > tree by running xfs_scrub will crash the kernel in __xfs_dir3_data_check.
> > 
> > Signed-off-by: Xiao Yang <yangx.jy@cn.fujitsu.com>
> 
> Thanks for the update!
> 
> > ---
> >  tests/xfs/448     | 96 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
> >  tests/xfs/448.out |  2 ++
> >  tests/xfs/group   |  1 +
> >  3 files changed, 99 insertions(+)
> >  create mode 100755 tests/xfs/448
> >  create mode 100644 tests/xfs/448.out
> > 
> > diff --git a/tests/xfs/448 b/tests/xfs/448
> > new file mode 100755
> > index 0000000..9ea9295
> > --- /dev/null
> > +++ b/tests/xfs/448
> > @@ -0,0 +1,96 @@
> > +#! /bin/bash
> > +# FS QA Test No. 448
> > +#
> > +# Regression test for commit:
> > +# 46c59736d809 ("xfs: harden directory integrity checks some more")
> 
> But I couldn't triger the test failre (kernel crash?) with this commit
> reverted, with either v1 nor v2 patch. I was testing with 4.17-rc5 based
> kernel, could you please take a look?
> 
> > +#
> > +# If a malicious XFS contains a block+ format directory wherein
> > +# the directory inode's core.mode is corrupted, and there are
> > +# subdirectories of the corrupted directory, an attempt to traverse
> > +# up the directory tree by running xfs_scrub will crash the
> > +# kernel in __xfs_dir3_data_check.
> > +#
> > +# Notice:
> > +# we should have non fatal asserts configured, because assert
> > +# failures triggered by the intentional corrupt would crash system.
> > +#
> > +#-----------------------------------------------------------------------
> > +# Copyright (c) 2018 FUJITSU LIMITED. All Rights Reserved.
> > +#
> > +# This program is free software; you can redistribute it and/or
> > +# modify it under the terms of the GNU General Public License as
> > +# published by the Free Software Foundation.
> > +#
> > +# This program is distributed in the hope that it would be useful,
> > +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> > +# GNU General Public License for more details.
> > +#
> > +# You should have received a copy of the GNU General Public License
> > +# along with this program; if not, write the Free Software Foundation,
> > +# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
> > +#-----------------------------------------------------------------------
> > +
> > +seq=`basename "$0"`
> > +seqres="$RESULT_DIR/$seq"
> > +echo "QA output created by $seq"
> > +
> > +here=`pwd`
> > +tmp=/tmp/$$
> > +status=1    # failure is the default!
> > +trap "_cleanup; exit \$status" 0 1 2 3 15
> > +
> > +_cleanup()
> > +{
> > +	cd /
> > +	rm -rf $tmp.*
> > +}
> > +
> > +# get standard environment, filters and checks
> > +. ./common/rc
> > +. ./common/filter
> > +. ./common/populate
> > +
> > +# real QA test starts here
> > +_supported_os Linux
> > +_supported_fs xfs
> > +_require_scratch_nocheck
> > +_require_xfs_io_command "scrub"
> > +# Corrupt XFS on purpose, and skip if assert failures would crash system.
> > +_require_no_xfs_bug_on_assert
> > +
> > +rm -f "$seqres.full"
> > +
> > +# Format and mount
> > +_scratch_mkfs | _filter_mkfs > $seqres.full 2> $tmp.mkfs || _fail "mkfs failed"
> > +_scratch_mount
> > +
> > +# Get directory block size
> > +. $tmp.mkfs
> > +
> > +# Create a block+(e.g. leaf) format directory
> > +__populate_create_dir "${SCRATCH_MNT}/dir_leaf" "$((dirbsize / 12))"
> > +
> > +# Get the block+ directory inode and a subdirectory inode of it
> > +subdino=$(stat -c "%i" "$(find ${SCRATCH_MNT}/dir_leaf/* -type d | head -1)")
> > +dino=$(stat -c "%i" "${SCRATCH_MNT}/dir_leaf")
> > +
> > +# Get the subdirectory's generation number
> > +_scratch_unmount
> > +subdgen=$(_scratch_xfs_get_metadata_field "core.gen" "inode $subdino")
> > +
> > +# Corrupt the directory inode's core.mode
> > +setmode="0100755"
> > +_scratch_xfs_set_metadata_field "core.mode" "$setmode" "inode $dino" >> $seqres.full
> > +getmode=$(_scratch_xfs_get_metadata_field "core.mode" "inode $dino")
> > +[ "$getmode" != "$setmode" ] && _fail "failed to set core.mode"
> > +
> > +# Scrub parent directory in subdirectory (online)
> > +_scratch_mount
> > +$XFS_IO_PROG -x -c "scrub parent $subdino $subdgen" ${SCRATCH_MNT} >> $seqres.full
> 
> And I always see "+scrub: Inappropriate ioctl for device" here with this
> v2 patch.

Your kernel probably needs CONFIG_XFS_ONLINE_SCRUB=y

This test probably needs:

. ./config/fuzzy
_supports_xfs_scrub || _fail "scrub not supported"

(or make a _requires_xfs_scrub_enabled helper to encapsulate that?)

--D

> 
> Thanks,
> Eryu
> 
> > +
> > +echo "Silence is golden"
> > +
> > +# success, all done
> > +status=0
> > +exit
> > diff --git a/tests/xfs/448.out b/tests/xfs/448.out
> > new file mode 100644
> > index 0000000..b6f0a53
> > --- /dev/null
> > +++ b/tests/xfs/448.out
> > @@ -0,0 +1,2 @@
> > +QA output created by 448
> > +Silence is golden
> > diff --git a/tests/xfs/group b/tests/xfs/group
> > index 51326d9..dd39d08 100644
> > --- a/tests/xfs/group
> > +++ b/tests/xfs/group
> > @@ -445,3 +445,4 @@
> >  445 auto quick filestreams
> >  446 auto quick
> >  447 auto mount
> > +448 auto quick fuzzers
> > -- 
> > 1.8.3.1
> > 
> > 
> > 

[PATCH] common/rc: Fix _require_xfs_io_command for scrub probe

[Xiao Yang]

Currently, xfs_io scrub command doesn't allow the probe function
to have any parameter, so we remove the invalid parameter.

Signed-off-by: Xiao Yang <yangx.jy@cn.fujitsu.com>
---
 common/rc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/rc b/common/rc
index 9273ff7..dadbed4 100644
--- a/common/rc
+++ b/common/rc
@@ -2148,7 +2148,7 @@ _require_xfs_io_command()
 		param_checked=1
 		;;
 	"scrub"|"repair")
-		testio=`$XFS_IO_PROG -x -c "$command probe 0" $TEST_DIR 2>&1`
+		testio=`$XFS_IO_PROG -x -c "$command probe" $TEST_DIR 2>&1`
 		echo $testio | grep -q "Inappropriate ioctl" && \
 			_notrun "xfs_io $command support is missing"
 		;;
-- 
1.8.3.1

Re: [PATCH v2] xfs: Regression test for vulnerable directory integrity check

[Eryu Guan]

On Sun, Jun 03, 2018 at 03:56:55PM -0700, Darrick J. Wong wrote:
> On Sun, Jun 03, 2018 at 09:37:18PM +0800, Eryu Guan wrote:
> > On Wed, May 30, 2018 at 04:53:43PM +0800, Xiao Yang wrote:
> > > If a malicious XFS contains a block+ format directory wherein the
> > > directory inode's core.mode is corrupted, and there are subdirectories
> > > of the corrupted directory, an attempt to traverse up the directory
> > > tree by running xfs_scrub will crash the kernel in __xfs_dir3_data_check.
> > > 
> > > Signed-off-by: Xiao Yang <yangx.jy@cn.fujitsu.com>
> > 
> > Thanks for the update!
> > 
> > > ---
> > >  tests/xfs/448     | 96 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > >  tests/xfs/448.out |  2 ++
> > >  tests/xfs/group   |  1 +
> > >  3 files changed, 99 insertions(+)
> > >  create mode 100755 tests/xfs/448
> > >  create mode 100644 tests/xfs/448.out
> > > 
> > > diff --git a/tests/xfs/448 b/tests/xfs/448
> > > new file mode 100755
> > > index 0000000..9ea9295
> > > --- /dev/null
> > > +++ b/tests/xfs/448
> > > @@ -0,0 +1,96 @@
> > > +#! /bin/bash
> > > +# FS QA Test No. 448
> > > +#
> > > +# Regression test for commit:
> > > +# 46c59736d809 ("xfs: harden directory integrity checks some more")
> > 
> > But I couldn't triger the test failre (kernel crash?) with this commit
> > reverted, with either v1 nor v2 patch. I was testing with 4.17-rc5 based
> > kernel, could you please take a look?
> > 
> > > +#
> > > +# If a malicious XFS contains a block+ format directory wherein
> > > +# the directory inode's core.mode is corrupted, and there are
> > > +# subdirectories of the corrupted directory, an attempt to traverse
> > > +# up the directory tree by running xfs_scrub will crash the
> > > +# kernel in __xfs_dir3_data_check.
> > > +#
> > > +# Notice:
> > > +# we should have non fatal asserts configured, because assert
> > > +# failures triggered by the intentional corrupt would crash system.
> > > +#
> > > +#-----------------------------------------------------------------------
> > > +# Copyright (c) 2018 FUJITSU LIMITED. All Rights Reserved.
> > > +#
> > > +# This program is free software; you can redistribute it and/or
> > > +# modify it under the terms of the GNU General Public License as
> > > +# published by the Free Software Foundation.
> > > +#
> > > +# This program is distributed in the hope that it would be useful,
> > > +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> > > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> > > +# GNU General Public License for more details.
> > > +#
> > > +# You should have received a copy of the GNU General Public License
> > > +# along with this program; if not, write the Free Software Foundation,
> > > +# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
> > > +#-----------------------------------------------------------------------
> > > +
> > > +seq=`basename "$0"`
> > > +seqres="$RESULT_DIR/$seq"
> > > +echo "QA output created by $seq"
> > > +
> > > +here=`pwd`
> > > +tmp=/tmp/$$
> > > +status=1    # failure is the default!
> > > +trap "_cleanup; exit \$status" 0 1 2 3 15
> > > +
> > > +_cleanup()
> > > +{
> > > +	cd /
> > > +	rm -rf $tmp.*
> > > +}
> > > +
> > > +# get standard environment, filters and checks
> > > +. ./common/rc
> > > +. ./common/filter
> > > +. ./common/populate
> > > +
> > > +# real QA test starts here
> > > +_supported_os Linux
> > > +_supported_fs xfs
> > > +_require_scratch_nocheck
> > > +_require_xfs_io_command "scrub"
> > > +# Corrupt XFS on purpose, and skip if assert failures would crash system.
> > > +_require_no_xfs_bug_on_assert
> > > +
> > > +rm -f "$seqres.full"
> > > +
> > > +# Format and mount
> > > +_scratch_mkfs | _filter_mkfs > $seqres.full 2> $tmp.mkfs || _fail "mkfs failed"
> > > +_scratch_mount
> > > +
> > > +# Get directory block size
> > > +. $tmp.mkfs
> > > +
> > > +# Create a block+(e.g. leaf) format directory
> > > +__populate_create_dir "${SCRATCH_MNT}/dir_leaf" "$((dirbsize / 12))"
> > > +
> > > +# Get the block+ directory inode and a subdirectory inode of it
> > > +subdino=$(stat -c "%i" "$(find ${SCRATCH_MNT}/dir_leaf/* -type d | head -1)")
> > > +dino=$(stat -c "%i" "${SCRATCH_MNT}/dir_leaf")
> > > +
> > > +# Get the subdirectory's generation number
> > > +_scratch_unmount
> > > +subdgen=$(_scratch_xfs_get_metadata_field "core.gen" "inode $subdino")
> > > +
> > > +# Corrupt the directory inode's core.mode
> > > +setmode="0100755"
> > > +_scratch_xfs_set_metadata_field "core.mode" "$setmode" "inode $dino" >> $seqres.full
> > > +getmode=$(_scratch_xfs_get_metadata_field "core.mode" "inode $dino")
> > > +[ "$getmode" != "$setmode" ] && _fail "failed to set core.mode"
> > > +
> > > +# Scrub parent directory in subdirectory (online)
> > > +_scratch_mount
> > > +$XFS_IO_PROG -x -c "scrub parent $subdino $subdgen" ${SCRATCH_MNT} >> $seqres.full
> > 
> > And I always see "+scrub: Inappropriate ioctl for device" here with this
> > v2 patch.
> 
> Your kernel probably needs CONFIG_XFS_ONLINE_SCRUB=y

Yeah, I didn't have XFS_ONLINE_SCRUB enabled..

> 
> This test probably needs:
> 
> . ./config/fuzzy
> _supports_xfs_scrub || _fail "scrub not supported"
> 
> (or make a _requires_xfs_scrub_enabled helper to encapsulate that?)

I thought it was already handled by "_require_xfs_io_command 'scrub'",
(And I think it should be).

I noticed that in _require_xfs_io_command we do

$XFS_IO_PROG -x -c "$command probe 0" $TEST_DIR

which results in:
[root@fedoravm xfstests]# xfs_io -c "scrub probe 0 " /mnt/scratch/
No parameters allowed.

but in _supports_xfs_scrub we do

$XFS_IO_PROG -c "scrub probe" "$mountpoint"

which results in:
[root@fedoravm xfstests]# xfs_io -c "scrub probe " /mnt/scratch/
scrub: Inappropriate ioctl for device

_require_xfs_io_command should be updated?

Thanks,
Eryu
> 
> --D
> 
> > 
> > Thanks,
> > Eryu
> > 
> > > +
> > > +echo "Silence is golden"
> > > +
> > > +# success, all done
> > > +status=0
> > > +exit
> > > diff --git a/tests/xfs/448.out b/tests/xfs/448.out
> > > new file mode 100644
> > > index 0000000..b6f0a53
> > > --- /dev/null
> > > +++ b/tests/xfs/448.out
> > > @@ -0,0 +1,2 @@
> > > +QA output created by 448
> > > +Silence is golden
> > > diff --git a/tests/xfs/group b/tests/xfs/group
> > > index 51326d9..dd39d08 100644
> > > --- a/tests/xfs/group
> > > +++ b/tests/xfs/group
> > > @@ -445,3 +445,4 @@
> > >  445 auto quick filestreams
> > >  446 auto quick
> > >  447 auto mount
> > > +448 auto quick fuzzers
> > > -- 
> > > 1.8.3.1
> > > 
> > > 
> > > 

Re: [PATCH v2] xfs: Regression test for vulnerable directory integrity check

[Xiao Yang]

On 2018/06/04 6:56, Darrick J. Wong wrote:
> On Sun, Jun 03, 2018 at 09:37:18PM +0800, Eryu Guan wrote:
>> On Wed, May 30, 2018 at 04:53:43PM +0800, Xiao Yang wrote:
>>> If a malicious XFS contains a block+ format directory wherein the
>>> directory inode's core.mode is corrupted, and there are subdirectories
>>> of the corrupted directory, an attempt to traverse up the directory
>>> tree by running xfs_scrub will crash the kernel in __xfs_dir3_data_check.
>>>
>>> Signed-off-by: Xiao Yang<yangx.jy@cn.fujitsu.com>
>> Thanks for the update!
>>
>>> ---
>>>   tests/xfs/448     | 96 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>>   tests/xfs/448.out |  2 ++
>>>   tests/xfs/group   |  1 +
>>>   3 files changed, 99 insertions(+)
>>>   create mode 100755 tests/xfs/448
>>>   create mode 100644 tests/xfs/448.out
>>>
>>> diff --git a/tests/xfs/448 b/tests/xfs/448
>>> new file mode 100755
>>> index 0000000..9ea9295
>>> --- /dev/null
>>> +++ b/tests/xfs/448
>>> @@ -0,0 +1,96 @@
>>> +#! /bin/bash
>>> +# FS QA Test No. 448
>>> +#
>>> +# Regression test for commit:
>>> +# 46c59736d809 ("xfs: harden directory integrity checks some more")
>> But I couldn't triger the test failre (kernel crash?) with this commit
>> reverted, with either v1 nor v2 patch. I was testing with 4.17-rc5 based
>> kernel, could you please take a look?
>>
>>> +#
>>> +# If a malicious XFS contains a block+ format directory wherein
>>> +# the directory inode's core.mode is corrupted, and there are
>>> +# subdirectories of the corrupted directory, an attempt to traverse
>>> +# up the directory tree by running xfs_scrub will crash the
>>> +# kernel in __xfs_dir3_data_check.
>>> +#
>>> +# Notice:
>>> +# we should have non fatal asserts configured, because assert
>>> +# failures triggered by the intentional corrupt would crash system.
>>> +#
>>> +#-----------------------------------------------------------------------
>>> +# Copyright (c) 2018 FUJITSU LIMITED. All Rights Reserved.
>>> +#
>>> +# This program is free software; you can redistribute it and/or
>>> +# modify it under the terms of the GNU General Public License as
>>> +# published by the Free Software Foundation.
>>> +#
>>> +# This program is distributed in the hope that it would be useful,
>>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
>>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>>> +# GNU General Public License for more details.
>>> +#
>>> +# You should have received a copy of the GNU General Public License
>>> +# along with this program; if not, write the Free Software Foundation,
>>> +# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
>>> +#-----------------------------------------------------------------------
>>> +
>>> +seq=`basename "$0"`
>>> +seqres="$RESULT_DIR/$seq"
>>> +echo "QA output created by $seq"
>>> +
>>> +here=`pwd`
>>> +tmp=/tmp/$$
>>> +status=1    # failure is the default!
>>> +trap "_cleanup; exit \$status" 0 1 2 3 15
>>> +
>>> +_cleanup()
>>> +{
>>> +	cd /
>>> +	rm -rf $tmp.*
>>> +}
>>> +
>>> +# get standard environment, filters and checks
>>> +. ./common/rc
>>> +. ./common/filter
>>> +. ./common/populate
>>> +
>>> +# real QA test starts here
>>> +_supported_os Linux
>>> +_supported_fs xfs
>>> +_require_scratch_nocheck
>>> +_require_xfs_io_command "scrub"
>>> +# Corrupt XFS on purpose, and skip if assert failures would crash system.
>>> +_require_no_xfs_bug_on_assert
>>> +
>>> +rm -f "$seqres.full"
>>> +
>>> +# Format and mount
>>> +_scratch_mkfs | _filter_mkfs>  $seqres.full 2>  $tmp.mkfs || _fail "mkfs failed"
>>> +_scratch_mount
>>> +
>>> +# Get directory block size
>>> +. $tmp.mkfs
>>> +
>>> +# Create a block+(e.g. leaf) format directory
>>> +__populate_create_dir "${SCRATCH_MNT}/dir_leaf" "$((dirbsize / 12))"
>>> +
>>> +# Get the block+ directory inode and a subdirectory inode of it
>>> +subdino=$(stat -c "%i" "$(find ${SCRATCH_MNT}/dir_leaf/* -type d | head -1)")
>>> +dino=$(stat -c "%i" "${SCRATCH_MNT}/dir_leaf")
>>> +
>>> +# Get the subdirectory's generation number
>>> +_scratch_unmount
>>> +subdgen=$(_scratch_xfs_get_metadata_field "core.gen" "inode $subdino")
>>> +
>>> +# Corrupt the directory inode's core.mode
>>> +setmode="0100755"
>>> +_scratch_xfs_set_metadata_field "core.mode" "$setmode" "inode $dino">>  $seqres.full
>>> +getmode=$(_scratch_xfs_get_metadata_field "core.mode" "inode $dino")
>>> +[ "$getmode" != "$setmode" ]&&  _fail "failed to set core.mode"
>>> +
>>> +# Scrub parent directory in subdirectory (online)
>>> +_scratch_mount
>>> +$XFS_IO_PROG -x -c "scrub parent $subdino $subdgen" ${SCRATCH_MNT}>>  $seqres.full
>> And I always see "+scrub: Inappropriate ioctl for device" here with this
>> v2 patch.
> Your kernel probably needs CONFIG_XFS_ONLINE_SCRUB=y
Agreed.
Eryu, you probably need to bulid kernel with CONFIG_XFS_ONLINE_SCRUB=y.
> This test probably needs:
>
> . ./config/fuzzy
> _supports_xfs_scrub || _fail "scrub not supported"
>
> (or make a _requires_xfs_scrub_enabled helper to encapsulate that?)
_require_xfs_io_command "scrub" should get NOTRUN if kernel does not 
support scrub ioctls, but an invalid parameter
passed to "scrub probe" hit "No parameters allowed" rather than 
"Inappropriate ioctl for device" unfortunately.
Currently, the xfs_io scrub command doesn't allow the probe function to 
have any parameter, so we need to remove the
invalid parameter in _require_xfs_io_command.

Thanks,
Xiao Yang
> --D
>
>> Thanks,
>> Eryu
>>
>>> +
>>> +echo "Silence is golden"
>>> +
>>> +# success, all done
>>> +status=0
>>> +exit
>>> diff --git a/tests/xfs/448.out b/tests/xfs/448.out
>>> new file mode 100644
>>> index 0000000..b6f0a53
>>> --- /dev/null
>>> +++ b/tests/xfs/448.out
>>> @@ -0,0 +1,2 @@
>>> +QA output created by 448
>>> +Silence is golden
>>> diff --git a/tests/xfs/group b/tests/xfs/group
>>> index 51326d9..dd39d08 100644
>>> --- a/tests/xfs/group
>>> +++ b/tests/xfs/group
>>> @@ -445,3 +445,4 @@
>>>   445 auto quick filestreams
>>>   446 auto quick
>>>   447 auto mount
>>> +448 auto quick fuzzers
>>> -- 
>>> 1.8.3.1
>>>
>>>
>>>
>
> .
>

Re: [PATCH v2] xfs: Regression test for vulnerable directory integrity check

[Xiao Yang]

On 2018/06/04 12:54, Eryu Guan wrote:
> On Sun, Jun 03, 2018 at 03:56:55PM -0700, Darrick J. Wong wrote:
>> On Sun, Jun 03, 2018 at 09:37:18PM +0800, Eryu Guan wrote:
>>> On Wed, May 30, 2018 at 04:53:43PM +0800, Xiao Yang wrote:
>>>> If a malicious XFS contains a block+ format directory wherein the
>>>> directory inode's core.mode is corrupted, and there are subdirectories
>>>> of the corrupted directory, an attempt to traverse up the directory
>>>> tree by running xfs_scrub will crash the kernel in __xfs_dir3_data_check.
>>>>
>>>> Signed-off-by: Xiao Yang<yangx.jy@cn.fujitsu.com>
>>> Thanks for the update!
>>>
>>>> ---
>>>>   tests/xfs/448     | 96 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>>>   tests/xfs/448.out |  2 ++
>>>>   tests/xfs/group   |  1 +
>>>>   3 files changed, 99 insertions(+)
>>>>   create mode 100755 tests/xfs/448
>>>>   create mode 100644 tests/xfs/448.out
>>>>
>>>> diff --git a/tests/xfs/448 b/tests/xfs/448
>>>> new file mode 100755
>>>> index 0000000..9ea9295
>>>> --- /dev/null
>>>> +++ b/tests/xfs/448
>>>> @@ -0,0 +1,96 @@
>>>> +#! /bin/bash
>>>> +# FS QA Test No. 448
>>>> +#
>>>> +# Regression test for commit:
>>>> +# 46c59736d809 ("xfs: harden directory integrity checks some more")
>>> But I couldn't triger the test failre (kernel crash?) with this commit
>>> reverted, with either v1 nor v2 patch. I was testing with 4.17-rc5 based
>>> kernel, could you please take a look?
>>>
>>>> +#
>>>> +# If a malicious XFS contains a block+ format directory wherein
>>>> +# the directory inode's core.mode is corrupted, and there are
>>>> +# subdirectories of the corrupted directory, an attempt to traverse
>>>> +# up the directory tree by running xfs_scrub will crash the
>>>> +# kernel in __xfs_dir3_data_check.
>>>> +#
>>>> +# Notice:
>>>> +# we should have non fatal asserts configured, because assert
>>>> +# failures triggered by the intentional corrupt would crash system.
>>>> +#
>>>> +#-----------------------------------------------------------------------
>>>> +# Copyright (c) 2018 FUJITSU LIMITED. All Rights Reserved.
>>>> +#
>>>> +# This program is free software; you can redistribute it and/or
>>>> +# modify it under the terms of the GNU General Public License as
>>>> +# published by the Free Software Foundation.
>>>> +#
>>>> +# This program is distributed in the hope that it would be useful,
>>>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
>>>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>>>> +# GNU General Public License for more details.
>>>> +#
>>>> +# You should have received a copy of the GNU General Public License
>>>> +# along with this program; if not, write the Free Software Foundation,
>>>> +# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
>>>> +#-----------------------------------------------------------------------
>>>> +
>>>> +seq=`basename "$0"`
>>>> +seqres="$RESULT_DIR/$seq"
>>>> +echo "QA output created by $seq"
>>>> +
>>>> +here=`pwd`
>>>> +tmp=/tmp/$$
>>>> +status=1    # failure is the default!
>>>> +trap "_cleanup; exit \$status" 0 1 2 3 15
>>>> +
>>>> +_cleanup()
>>>> +{
>>>> +	cd /
>>>> +	rm -rf $tmp.*
>>>> +}
>>>> +
>>>> +# get standard environment, filters and checks
>>>> +. ./common/rc
>>>> +. ./common/filter
>>>> +. ./common/populate
>>>> +
>>>> +# real QA test starts here
>>>> +_supported_os Linux
>>>> +_supported_fs xfs
>>>> +_require_scratch_nocheck
>>>> +_require_xfs_io_command "scrub"
>>>> +# Corrupt XFS on purpose, and skip if assert failures would crash system.
>>>> +_require_no_xfs_bug_on_assert
>>>> +
>>>> +rm -f "$seqres.full"
>>>> +
>>>> +# Format and mount
>>>> +_scratch_mkfs | _filter_mkfs>  $seqres.full 2>  $tmp.mkfs || _fail "mkfs failed"
>>>> +_scratch_mount
>>>> +
>>>> +# Get directory block size
>>>> +. $tmp.mkfs
>>>> +
>>>> +# Create a block+(e.g. leaf) format directory
>>>> +__populate_create_dir "${SCRATCH_MNT}/dir_leaf" "$((dirbsize / 12))"
>>>> +
>>>> +# Get the block+ directory inode and a subdirectory inode of it
>>>> +subdino=$(stat -c "%i" "$(find ${SCRATCH_MNT}/dir_leaf/* -type d | head -1)")
>>>> +dino=$(stat -c "%i" "${SCRATCH_MNT}/dir_leaf")
>>>> +
>>>> +# Get the subdirectory's generation number
>>>> +_scratch_unmount
>>>> +subdgen=$(_scratch_xfs_get_metadata_field "core.gen" "inode $subdino")
>>>> +
>>>> +# Corrupt the directory inode's core.mode
>>>> +setmode="0100755"
>>>> +_scratch_xfs_set_metadata_field "core.mode" "$setmode" "inode $dino">>  $seqres.full
>>>> +getmode=$(_scratch_xfs_get_metadata_field "core.mode" "inode $dino")
>>>> +[ "$getmode" != "$setmode" ]&&  _fail "failed to set core.mode"
>>>> +
>>>> +# Scrub parent directory in subdirectory (online)
>>>> +_scratch_mount
>>>> +$XFS_IO_PROG -x -c "scrub parent $subdino $subdgen" ${SCRATCH_MNT}>>  $seqres.full
>>> And I always see "+scrub: Inappropriate ioctl for device" here with this
>>> v2 patch.
>> Your kernel probably needs CONFIG_XFS_ONLINE_SCRUB=y
> Yeah, I didn't have XFS_ONLINE_SCRUB enabled..
>
>> This test probably needs:
>>
>> . ./config/fuzzy
>> _supports_xfs_scrub || _fail "scrub not supported"
>>
>> (or make a _requires_xfs_scrub_enabled helper to encapsulate that?)
> I thought it was already handled by "_require_xfs_io_command 'scrub'",
> (And I think it should be).
>
> I noticed that in _require_xfs_io_command we do
>
> $XFS_IO_PROG -x -c "$command probe 0" $TEST_DIR
>
> which results in:
> [root@fedoravm xfstests]# xfs_io -c "scrub probe 0 " /mnt/scratch/
> No parameters allowed.
>
> but in _supports_xfs_scrub we do
>
> $XFS_IO_PROG -c "scrub probe" "$mountpoint"
>
> which results in:
> [root@fedoravm xfstests]# xfs_io -c "scrub probe " /mnt/scratch/
> scrub: Inappropriate ioctl for device
>
> _require_xfs_io_command should be updated?
Hi Eryu,

Yes, I think we should update _require_xfs_io_command as commit 9d5ea22 
in xfstests.

Thanks,
Xiao Yang
> Thanks,
> Eryu
>> --D
>>
>>> Thanks,
>>> Eryu
>>>
>>>> +
>>>> +echo "Silence is golden"
>>>> +
>>>> +# success, all done
>>>> +status=0
>>>> +exit
>>>> diff --git a/tests/xfs/448.out b/tests/xfs/448.out
>>>> new file mode 100644
>>>> index 0000000..b6f0a53
>>>> --- /dev/null
>>>> +++ b/tests/xfs/448.out
>>>> @@ -0,0 +1,2 @@
>>>> +QA output created by 448
>>>> +Silence is golden
>>>> diff --git a/tests/xfs/group b/tests/xfs/group
>>>> index 51326d9..dd39d08 100644
>>>> --- a/tests/xfs/group
>>>> +++ b/tests/xfs/group
>>>> @@ -445,3 +445,4 @@
>>>>   445 auto quick filestreams
>>>>   446 auto quick
>>>>   447 auto mount
>>>> +448 auto quick fuzzers
>>>> -- 
>>>> 1.8.3.1
>>>>
>>>>
>>>>
> --
> To unsubscribe from this list: send the line "unsubscribe fstests" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>
> .
>

Re: [PATCH] common/rc: Fix _require_xfs_io_command for scrub probe

[Darrick J. Wong]

On Mon, Jun 04, 2018 at 12:50:12PM +0800, Xiao Yang wrote:
> Currently, xfs_io scrub command doesn't allow the probe function
> to have any parameter, so we remove the invalid parameter.
> 
> Signed-off-by: Xiao Yang <yangx.jy@cn.fujitsu.com>

Bleh, sorry I've muddied the waters so much on this.  Yes, we changed
the xfs_io 'scrub probe' command not to take any parameters and forgot
to fix this. :/

Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>

--D

> ---
>  common/rc | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/common/rc b/common/rc
> index 9273ff7..dadbed4 100644
> --- a/common/rc
> +++ b/common/rc
> @@ -2148,7 +2148,7 @@ _require_xfs_io_command()
>  		param_checked=1
>  		;;
>  	"scrub"|"repair")
> -		testio=`$XFS_IO_PROG -x -c "$command probe 0" $TEST_DIR 2>&1`
> +		testio=`$XFS_IO_PROG -x -c "$command probe" $TEST_DIR 2>&1`
>  		echo $testio | grep -q "Inappropriate ioctl" && \
>  			_notrun "xfs_io $command support is missing"
>  		;;
> -- 
> 1.8.3.1
> 
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe fstests" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html