xfs/051: test buffer use after free race on I/O failure in XFS log recovery
author Brian Foster <bfoster@redhat.com>
Mon, 8 Sep 2014 12:51:39 +0000 (22:51 +1000)
committer Dave Chinner <david@fromorbit.com>
Mon, 8 Sep 2014 12:51:39 +0000 (22:51 +1000)
commit cef47130ad17ff3a0c3cbdbd80d5dbc5f06cc876
tree 3edd0b4244dc6c5480cef312b25c5927ace3cc6f
parent 7746b99a525e2781cfb556aff4ff081cec5caa54

A buffer use after free race was discovered in the XFS log recovery
codepath if I/O failures occur during recovery. The I/O submission path
can abort the mount and release the only reference held on some buffers
before I/O completion processing (e.g., async workqueue processing)
might have completed. Badness ensues if the I/O completion path
subsequently attempts to access said buffers.

The test manufactures the race by forcing all writes to fail (via
dm-flakey) after a fixed period of time. A delay is inserted into the
mount codepath to synchronize write failures with log recovery.

Credit for discovery of the race and definition of the reproducible test
case goes to Alex Lyakas.

Signed-off-by: Brian Foster <bfoster@redhat.com>
Reported-by: Alex Lyakas <alex@zadarastorage.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
tests/xfs/051 [new file with mode: 0755]
tests/xfs/051.out [new file with mode: 0644]
tests/xfs/group