From: Dmitry Monakhov <dmonakhov@openvz.org>
To: fstests@vger.kernel.org
Cc: linux-ext4@vger.kernel.org, root <root@ts105.qa.sw.ru>
Subject: [PATCH 2/2] add aio/dio regression test race between write and fcntl V5
Date: Thu, 23 Oct 2014 15:08:38 +0400 [thread overview]
Message-ID: <1414062518-30942-2-git-send-email-dmonakhov@openvz.org> (raw)
In-Reply-To: <1414062518-30942-1-git-send-email-dmonakhov@openvz.org>
From: root <root@ts105.qa.sw.ru>
Original report: https://lkml.org/lkml/2014/10/8/545
Perform AIO-DIO and fcntl(F_SETFL) concurrently.
Unaligned AIO is likely to result in synchronization, which makes the race window wider.
changes from v4
fix incorrect timer initialization
changes from v3
rebase to current xfstests HEAD
changes from v2->v3
- Copyright fixes according to Dave's comments
changes from v1->v2
- Properly reuse aio context
Reviewed-by: Eryu Guan <eguan@redhat.com>
---
src/aio-dio-regress/aio-dio-fcntl-race.c | 150 ++++++++++++++++++++++++++++++
tests/generic/036 | 51 ++++++++++
tests/generic/036.out | 2 +
tests/generic/group | 1 +
4 files changed, 204 insertions(+), 0 deletions(-)
create mode 100644 src/aio-dio-regress/aio-dio-fcntl-race.c
create mode 100755 tests/generic/036
create mode 100644 tests/generic/036.out
diff --git a/src/aio-dio-regress/aio-dio-fcntl-race.c b/src/aio-dio-regress/aio-dio-fcntl-race.c
new file mode 100644
index 0000000..cdf9773
--- /dev/null
+++ b/src/aio-dio-regress/aio-dio-fcntl-race.c
@@ -0,0 +1,150 @@
+/*
+ * Perform aio writes to file and toggle O_DIRECT flag concurrently
+ * this may trigger race between file->f_flags read and modification
+ * unuligned aio allow to makes race window wider.
+ * Regression test for https://lkml.org/lkml/2014/10/8/545 CVE-2014-8086
+ * Patch proposed: http://www.spinics.net/lists/linux-ext4/msg45683.html
+ *
+ * Copyright (c) 2014 Dmitry Monakhov. All Rights Reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <libaio.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#define BUF_SIZE 512
+#define LOOP_SECONDS 10
+
+
+static int do_aio_loop(int fd, void *buf)
+{
+ int err, ret;
+ struct io_context *ctx = NULL;
+ struct io_event ev;
+ struct iocb iocb, *iocbs[] = { &iocb };
+ struct timeval start, now, delta = { 0, 0 };
+
+ ret = 0;
+ err = io_setup(1, &ctx);
+ if (err) {
+ fprintf(stderr, "error %s during %s\n",
+ strerror(-err), "io_setup" );
+ return 1;
+ }
+ gettimeofday(&start, NULL);
+ while (1) {
+ io_prep_pwrite(&iocb, fd, buf, BUF_SIZE, BUF_SIZE);
+ err = io_submit(ctx, 1, iocbs);
+ if (err != 1) {
+ fprintf(stderr, "error %s during %s\n",
+ strerror(-err),
+ "io_submit");
+ ret = 1;
+ break;
+ }
+ err = io_getevents(ctx, 1, 1, &ev, NULL);
+ if (err != 1) {
+ fprintf(stderr, "error %s during %s\n",
+ strerror(-err),
+ "io_getevents");
+ ret = 1;
+ break;
+ }
+ gettimeofday(&now, NULL);
+ timersub(&now, &start, &delta);
+ if (delta.tv_sec >= LOOP_SECONDS)
+ break;
+ }
+ io_destroy(ctx);
+ return ret;
+}
+
+int main(int argc, char **argv)
+{
+ int flags, fd;
+ int pid1, pid2 = 0;
+ int ret1, ret = 0;
+
+ if (argc != 2){
+ printf("Usage %s fname\n", argv[0]);
+ return 1;
+ }
+ fd = open(argv[1], O_CREAT | O_TRUNC | O_RDWR, 0600);
+ if (fd < 0)
+ return 1;
+
+ pid1 = fork();
+ if (pid1 < 0)
+ return 1;
+
+ if (pid1 == 0) {
+ struct timeval start, now, delta = { 0, 0 };
+
+ gettimeofday(&start, NULL);
+
+ /* child: toggle O_DIRECT*/
+ flags = fcntl(fd, F_GETFL);
+ while (1) {
+ ret = fcntl(fd, F_SETFL, flags | O_DIRECT);
+ if (ret)
+ return ret;
+ ret = fcntl(fd, F_SETFL, flags);
+ if (ret)
+ return ret;
+
+ gettimeofday(&now, NULL);
+ timersub(&now, &start, &delta);
+ if (delta.tv_sec >= LOOP_SECONDS)
+ break;
+ }
+ } else {
+ /* parent: AIO */
+ void *buf;
+ posix_memalign(&buf, BUF_SIZE, BUF_SIZE);
+ /* Two tasks which performs unaligned aio will be serialized
+ which maks race window wider */
+ pid2 = fork();
+ if (pid2 < 0)
+ goto out;
+ else if (pid2 > 0)
+ printf("All tasks are spawned\n");
+
+ ret = do_aio_loop(fd, buf);
+ }
+out:
+ /* Parent wait for all others */
+ if (pid2 > 0){
+ waitpid(pid1, &ret1, 0);
+ if (!ret)
+ ret = ret1;
+ waitpid(pid2, &ret1, 0);
+ } else {
+ waitpid(pid1, &ret1, 0);
+ }
+ if (!ret)
+ ret = ret1;
+
+ return ret;
+}
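Review bot: At the `out:` label in main(), the exit status is built from `ret1` in ways that can hide a failing task, which weakens this as a CVE regression test. Both forked tasks reach `out:` with `pid2 == 0` and call `waitpid(pid1, &ret1, 0)` on a process that is not their child (or with pid 0), so the call fails and `ret1` is then read uninitialized. In the parent, `ret1` is the raw wait status, so on Linux a child that exited with code 1 yields 0x100 and `return ret` truncates that to exit status 0; only the original parent should reap, and it should decode the status with WIFEXITED()/WEXITSTATUS() as sketched below. Separately, do_aio_loop() calls `strerror()` without `#include <string.h>`, and the `posix_memalign()` return value is not checked before `buf` is passed on.

```c
out:
	/* Only the original parent has children to reap; both forked
	 * tasks arrive here with pid2 == 0 and must not call waitpid(). */
	if (pid1 > 0 && pid2 != 0) {
		int status;

		if (waitpid(pid1, &status, 0) != pid1 ||
		    !WIFEXITED(status) || WEXITSTATUS(status))
			ret = 1;
		if (pid2 > 0 &&
		    (waitpid(pid2, &status, 0) != pid2 ||
		     !WIFEXITED(status) || WEXITSTATUS(status)))
			ret = 1;
	}

	return ret;
```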
diff --git a/tests/generic/036 b/tests/generic/036
new file mode 100755
index 0000000..0615dad
--- /dev/null
+++ b/tests/generic/036
@@ -0,0 +1,51 @@
+#! /bin/bash
+# FS QA Test No. 036
+#
+# CVE-2014-8086
+# Run aio-dio-fcntl-race - test aio write race with O_DIRECT toggle
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2014 Dmitry Monakhov. All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#-----------------------------------------------------------------------
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1 # failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+ cd /
+ rm -f $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+
+# real QA test starts here
+
+_supported_fs generic
+_supported_os Linux
+_require_test
+
+_run_aiodio aio-dio-fcntl-race
+
+exit $status
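Review bot: Nothing visible in this script ever changes `status` from its initial `1`, so the pass/fail result rests entirely on `_run_aiodio`, which is defined outside this patch (presumably in common/rc) and would have to assign `$status` itself. A short comment above the call would make that dependency explicit, for example `# _run_aiodio sets $status from the helper's exit code`, assuming that is what it does. The header could also say what a failure looks like on an affected kernel, because the golden output contains only `All tasks are spawned` and a reader triaging a failed run cannot tell from the script what to look for.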
diff --git a/tests/generic/036.out b/tests/generic/036.out
new file mode 100644
index 0000000..59719d6
--- /dev/null
+++ b/tests/generic/036.out
@@ -0,0 +1,2 @@
+QA output created by 036
+All tasks are spawned
diff --git a/tests/generic/group b/tests/generic/group
index 9c82a6f..d6629a8 100644
--- a/tests/generic/group
+++ b/tests/generic/group
@@ -38,6 +38,7 @@
033 auto quick rw
034 auto quick metadata log
035 auto quick
+036 auto aio rw stress
053 acl repair auto quick
062 attr udf auto quick
068 other auto freeze dangerous stress
--
1.7.1